
How to configure black/white list on pix 501

Status
Not open for further replies.

turalo

IS-IT--Management
Feb 20, 2007
41
NL
Hi everyone,
I'm kind of new to Cisco firewalls.
I just got a new PIX 501 and configured it; right now I can use it on my network just for internet, but I need help in securing and setting up my network.
What I need is that all traffic that comes from the outside world to my network is filtered through a kind of black/white list, like if some IP comes in and that IP is not in the trusted list then it gets rejected, and if it is in the list then it is sent to one of the machines in my network on a given port.

Please can somebody tell me where to start.
Right now the PIX 501 is connected to my PC with the console and also a normal network cable, and PDM is working too.
The PIX is:

outside port static.
IP : 192.168.1.17
sub: 255.255.255.0
Gateway : 192.168.1.254

inside port is dhcp enabled
IP starts : 192.168.0.2 ends 192.168.0.10
sub : 255.255.255.0
gateway : 192.168.0.1

Later on I will use the inside port without DHCP, but that's easy to set.

So for me the most important thing is to learn how to make it possible that some IP which I want gets connected to the service that I want on a given port, and others are blocked.

Any help is welcome.
 
There really isn't a white/blacklist where the PIX will check a third party, but you can allow IPs explicitly.

Here is the basic formula

Build Access List to allow the traffic in (one line for each port and IP combination)-
access-list outside_access_in permit tcp host [IP_TO_ALLOW] host interface outside eq [Port#]

Everything else but what is in this ACL will be rejected. There is an implicit "deny ip any any" at the end.

Apply the ACL to the outside interface -
access-group outside_access_in in interface outside

Map incoming port to an IP and port on the inside (one line for each port)-
static (inside,outside) tcp interface [Port#] [InternalIP_OF_SERVER] [Port#] netmask 255.255.255.255



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
So it means that by default everything that comes to the PIX is checked against the NAT forwarding list, so if there is a forwarding on port 80 for IP 123.123.123.123 then only that IP can come in and will be sent to port 80 on the given host inside, and otherwise it will get rejected?
 
Correct. Any inbound traffic is dropped unless it has somewhere to go.

For replies to outbound requests, like web pages, that permission is automatically set up.

For unsolicited requests you have to a) tell it where to go and b) explicitly allow it to come in.
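Added example, not part of the thread: a small Python audit of a PIX 6.x config fragment that cross-checks the two halves described above, the access-list permit (b) and the static translation (a). The config text is constructed for the example; ports 3389 and 8080 are left half-configured on purpose to show what the check flags.

```python
import re

# Constructed sample in the PIX 6.x syntax used in this thread (not a real config).
# 5900 is complete; 3389 has a permit but no static; 8080 has a static but no permit.
SAMPLE_CONFIG = """
access-list outside_access_in permit tcp host 192.168.1.20 interface outside eq 5900
access-list outside_access_in permit tcp host 192.168.1.21 interface outside eq 3389
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 5900 192.168.0.5 5900 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.0.6 80 netmask 255.255.255.255
"""

ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) host (\S+) interface outside eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) interface (\d+) (\S+) (\d+) netmask 255\.255\.255\.255$")


def parse_config(text):
    """Return (permits, statics, applied_acl) from a PIX config fragment."""
    permits = []   # (acl name, proto, source host, outside port)
    statics = {}   # (proto, outside port) -> (inside ip, inside port)
    applied = None
    for line in text.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            permits.append((m[1], m[2], m[3], int(m[4])))
        elif m := GROUP_RE.match(line):
            applied = m[1]
        elif m := STATIC_RE.match(line):
            statics[(m[1], int(m[2]))] = (m[3], int(m[4]))
    return permits, statics, applied


def audit(text):
    """A permit with no static has nowhere to go and is dropped; a static with no
    permit in the applied ACL is blocked by the implicit deny. Only the ACL bound
    with access-group counts, which is why the applied name is checked."""
    permits, statics, applied = parse_config(text)
    live = [(p, s, port) for acl, p, s, port in permits if acl == applied]
    permitted = {(p, port) for p, _, port in live}
    return {
        "permit_without_static": sorted(port for p, port in permitted if (p, port) not in statics),
        "static_without_permit": sorted(port for p, port in statics if (p, port) not in permitted),
        "reachable": sorted((s, port, *statics[(p, port)]) for p, s, port in live if (p, port) in statics),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```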
 
When I type these commands in I get an error.

access-list outside_access_in permit tcp host [192.168.1.20] host interface outside eq [5900]

Then I get the error: invalid IP address
 
Take out the "[" - they are just there to let you know that you need to replace those pieces (there is also one too many "host" in there).

access-list outside_access_in permit tcp host 192.168.1.20 interface outside eq 5900

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Yeah, I'm starting to understand it a little bit, let me try.
 