Your static and conduit commands make all outside hosts able to access TCP port 3001 on host 207.x.x.x. But your access list seems to deny outside hosts access to 207.x.x.x TCP 3001. I'm not sure which command the PIX will execute first, or which command will overtake the other one. But say if you want outside subnet 200.0.0.0/8 to access TCP 3001 on your host 207.x.x.x, and block all others, you can use the static and conduit as follows:
static (DMZ-WEB,outside) 207.x.x.x 192.168.x.x netmask 255.255.255.255 0 0
conduit permit tcp host 207.x.x.x eq 3001 200.0.0.0 255.0.0.0

And erase all access list commands.

Fei.

-----Original Message-----
From: Chuck Scott [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 4:20 PM
To: [EMAIL PROTECTED]
Subject: Access lists and PIX 5.1 IOS

I have a PIX 515 running IOS 5.1. I need to block access to a specific port from the outside world and allow only a specified subnet access. Here is what I have so far:

access-list 103 permit ip any any
access-list 103 deny tcp any eq 3001 host 207.x.x.x
access-group 103 in interface outside

I was hoping this would block all access (for testing purposes), but it did not. I am fairly new to the PIX but have done a lot of router work in the past, so I am a bit stumped.

There is a conduit statement in the config, so I will include that in case that is a problem:

conduit permit tcp host 207.x.x.x eq 3001 any

And a static statement:

static (DMZ-WEB,outside) 207.x.x.x 192.168.x.x netmask 255.255.255.255 0 0

Thanks in advance...

Chuck

Chuck Scott
Windows Lead/WAN Engineer
MedData Inc.
[EMAIL PROTECTED]
Office: (206) 812-5993
Fax: (206) 622-4349
Cell: (360) 440-8282
Help Desk: 800-454-6219

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
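As an added example (not configuration from either post), the script below models the top-down, first-match evaluation Cisco access lists use, and runs the entry order Chuck posted side by side with the intended policy: the blanket `permit ip any any` placed first matches every packet, so the `deny` below it is never reached. The protected host is the constructed placeholder 203.0.113.10 standing in for the thread's 207.x.x.x.

```python
# Added illustration of first-match ACL semantics; not config from the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol) or "tcp"
    src: str                         # "any" or a source network in CIDR form
    dst: str                         # "any" or a destination network/host
    dst_port: Optional[int] = None   # None means any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == dst_port


def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Entries are checked top-down; the first match decides.
    A packet that matches no entry hits the implicit deny at the end."""
    for rule in acl:
        if rule.matches(proto, src_ip, dst_ip, dst_port):
            return rule.action
    return "deny"


HOST = "203.0.113.10/32"   # constructed stand-in for the thread's 207.x.x.x

# Order as posted: the first entry matches everything, so the deny is dead.
POSTED = [Rule("permit", "ip", "any", "any"),
          Rule("deny", "tcp", "any", HOST, 3001)]

# Intended policy: one subnet may reach TCP 3001, everyone else is denied on
# that port, all other traffic still flows. Specific entries go first.
INTENDED = [Rule("permit", "tcp", "200.0.0.0/8", HOST, 3001),
            Rule("deny", "tcp", "any", HOST, 3001),
            Rule("permit", "ip", "any", "any")]

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("intended", INTENDED)):
        for src in ("200.1.2.3", "198.51.100.7"):   # constructed client addresses
            print(name, src, "->", evaluate(acl, "tcp", src, "203.0.113.10", 3001))
```

Note also that in PIX extended access-list syntax the port operator placed right after the source address matches the client's source port, so `deny tcp any eq 3001 host 207.x.x.x` checks the wrong end of the connection; the destination-port operator belongs after the destination address.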
