Cisco Systems EDCS-154011 manual Access-list aclout permit tcp any host

Page 10

IP/VC 3510 MCU with the IP address of 209.165.201.30, port 2720 will need to be opened.

Use the following guidelines for specifying a source, local, or destination address:

-Use a 32-bit quantity in four-part, dotted-decimal format.

-Use the keyword any as an abbreviation for an address and mask of 0.0.0.0

0.0.0.0.This keyword is normally not recommended for use with IPSec. -Use host address as an abbreviation for a mask of 255.255.255.255.

Use the following guidelines for specifying a network mask:

-Do not specify a mask if the address is for a host; if the destination address is for a host, use the host parameter before the address; for example:

access-list acl_out permit tcp any host 192.168.1.1

-If the address is a network address, specify the mask as a 32-bit quantity in four- part, dotted-decimal format. Place zeros in the bit positions you want to ignore.

-Remember that you specify a network mask differently than with the Cisco IOS software access-listcommand. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the appropriate network mask; for example:

access-list acl_out permit tcp any 209.165.201.0 255.255.255.224

Access-group command

In order to make sure that the access list is applied to a specific interface, the access- group command needs to be entered. The command syntax for this command is as follows:

access-group acl_ID in interface interface_name

In the configuration from Table XX, the access-group is applied to the outside interface in this manner:

access-group acl_out in interface outside

The access-groupcommand binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-listcommand statement, the PIX Firewall continues to process the packet. If you enter the

Copyright © 2001 Cisco Systems, Inc.

Page 10 of 11

Image 10
Contents An IP/VC Application Note Table of contents Introduction Issues with Firewalls and H.323 What is the Cisco Secure PIX Firewall?What is NAT? Implementing NAT for use with in-bound H.323 trafficTwo Interface PIX with NAT Diagram Configuration Description Breaking down the PIX configuration Fixup protocol Command Static commandAccess-list command Access-group aclID in interface interfacename Access-list aclout permit tcp any hostAccess-group aclout in interface outside Typical Ports used for H.323 traffic Helpful Links