Cisco Systems EDCS-154011 Home Theater Server User Manual


 
Copyright © 2001 Cisco Systems, Inc. Page 10 of 11
IP/VC 3510 MCU with the IP address of 209.165.201.30, port 2720 will need to be
opened.
Use the following guidelines for specifying a source, local, or destination address:
- Use a 32-bit quantity in four-part, dotted-decimal format.
- Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec.
- Use host address as an abbreviation for a mask of 255.255.255.255.
Use the following guidelines for specifying a network mask:
- Do not specify a mask if the address is for a host; if the destination address is for a host, use the host parameter before the address; for example:
    access-list acl_out permit tcp any host 192.168.1.1
- If the address is a network address, specify the mask as a 32-bit quantity in four-part, dotted-decimal format. Place zeros in the bit positions you want to ignore.
- Remember that you specify a network mask differently than with the Cisco IOS software access-list command. With PIX Firewall, use 255.0.0.0 for a Class A address, 255.255.0.0 for a Class B address, and 255.255.255.0 for a Class C address. If you are using a subnetted network address, use the appropriate network mask; for example:
    access-list acl_out permit tcp any 209.165.201.0 255.255.255.224
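The following Python check is an added example, not part of the Cisco manual: it resolves the any, host, and address-plus-mask forms described above into the range an access-list statement actually covers, and rejects an IOS-style wildcard (0.0.0.31) entered where a PIX network mask (255.255.255.224) is expected. The function names are hypothetical, and only statements of the form shown on this page (no port operators) are handled.

```python
import ipaddress

def mask_to_prefix(mask):
    """Return the prefix length of a PIX-style network mask (ones mark network bits)."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # A valid network mask inverts to 2**k - 1; an IOS wildcard such as 0.0.0.31 does not.
    if inverted & (inverted + 1):
        raise ValueError(f"{mask} is not a contiguous network mask (IOS wildcard?)")
    return 32 - inverted.bit_length()

def ios_wildcard(mask):
    """Inverse (wildcard) form of the same mask, for comparison with IOS syntax."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def parse_pix_address(tokens):
    """Parse 'any', 'host A' or 'A MASK'; return (IPv4Network, tokens consumed)."""
    if tokens[0] == "any":                      # any = 0.0.0.0 0.0.0.0
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tokens[0] == "host":                     # host A = A 255.255.255.255
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), 2
    prefix = mask_to_prefix(tokens[1])
    # strict=True raises ValueError when host bits are set under the mask;
    # rejecting that is this checker's policy, not documented PIX behaviour.
    return ipaddress.IPv4Network(f"{tokens[0]}/{prefix}", strict=True), 2

def parse_acl(line):
    """Parse 'access-list ID permit|deny PROTO SRC DST' (no port operators)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line!r}")
    src, used = parse_pix_address(t[4:])
    dst, _ = parse_pix_address(t[4 + used:])
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst}

def destination_covers(line, ip):
    """True if the statement's destination spec includes the given address."""
    return ipaddress.IPv4Address(ip) in parse_acl(line)["dst"]

if __name__ == "__main__":
    # Both statements are the examples printed in the manual text above.
    subnet = "access-list acl_out permit tcp any 209.165.201.0 255.255.255.224"
    host = "access-list acl_out permit tcp any host 192.168.1.1"
    print(parse_acl(subnet)["dst"], ios_wildcard("255.255.255.224"))
    print(destination_covers(subnet, "209.165.201.30"))   # MCU address from the page
    print(destination_covers(host, "192.168.1.2"))
```

The subnetted example covers 209.165.201.0 through 209.165.201.31, so it includes the MCU address 209.165.201.30 mentioned earlier on the page.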
Access-group command
To apply the access list to a specific interface, enter the access-group command. The command syntax is as follows:
    access-group acl_ID in interface interface_name
In the configuration from Table XX, the access-group is applied to the outside interface in this manner:
    access-group acl_out in interface outside
The access-group command binds an access list to an interface. The access list is
applied to traffic inbound to an interface. If you enter the permit option in an access-list
command statement, the PIX Firewall continues to process the packet. If you enter the