Question : How to configure PIX Firewall to block all ports

Greetings Experts,

The network diagram is as follows:

Internet <---> Cisco Router 800 Series <---> Cisco PIX 501 <----> Network Switch (connect to the rest of the PCs)

I would appreciate it if experts out there could help me with the configuration of the PIX Firewall. If possible, a step-by-step configuration for a rookie like me.

Internal network address (through DHCP):
192.168.1.1 -> IP address reserved for firewall
255.255.255.0 -> Subnet mask

Requirements:

Firewall: Blocks all incoming/outgoing ports (yes, even from inside to outside) but permit 80(http), 25(smtp) and 110(pop3) only.

Thank you.

Answer : How to configure PIX Firewall to block all ports

These commands define the services that belong to a group called default-services.

object-group service default-services tcp
 port-object eq domain
 port-object eq www
 port-object eq pop3
 port-object eq smtp
 port-object eq https
object-group service default-udp tcp-udp
 description default UDP services
 port-object eq domain
 
This access list specifies that the traffic defined in the above object group is allowed out. The last two deny statements explicitly prevent all traffic that does not belong to the object group.

access-list inside_access_in permit udp 192.168.2.0 255.255.255.0 gt 1023 any object-group default-udp
access-list inside_access_in permit tcp 192.168.2.0 255.255.255.0 gt 1023 any object-group default-services
access-list inside_access_in deny tcp any any
access-list inside_access_in deny udp any any

This command ties the access list to the inside interface, affecting outbound traffic.

access-group inside_access_in in interface inside


The IP audit commands turn on the limited IDS features of the PIX, but are not very useful unless you are syslogging.
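As an added illustration (not part of the original answer), here is a small Python model of the posted inside_access_in list and its two object groups, so you can check which outbound flows it would permit before applying it. The port-name to number mapping, the tcp protocol on the default-services permit, and the sample client flows are assumptions of this example.

```python
import ipaddress

# Port names used by the posted object groups, resolved to numbers (assumed).
SERVICES = {"domain": 53, "www": 80, "pop3": 110, "smtp": 25, "https": 443}

# The answer's two object groups: (protocol type, member port names).
OBJECT_GROUPS = {
    "default-services": ("tcp", {"domain", "www", "pop3", "smtp", "https"}),
    "default-udp": ("tcp-udp", {"domain"}),
}

# inside_access_in as posted, one tuple per access-list entry:
# (action, protocol, source network, minimum source port, destination port group)
# 'gt 1023' on the source port means sport >= 1024; 'any' is 0.0.0.0/0.
ACL = [
    ("permit", "udp", "192.168.2.0/24", 1024, "default-udp"),
    ("permit", "tcp", "192.168.2.0/24", 1024, "default-services"),
    ("deny", "tcp", "0.0.0.0/0", 0, None),
    ("deny", "udp", "0.0.0.0/0", 0, None),
]


def evaluate(proto, src, sport, dport):
    """Return the action of the first entry matching an outbound flow.

    Falls through to 'deny' for anything no entry matches (the implicit deny
    at the end of every PIX access list), which is what happens to ICMP here.
    """
    for action, ace_proto, net, min_sport, group in ACL:
        if proto != ace_proto:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(net):
            continue
        if sport < min_sport:
            continue
        if group is not None:
            gproto, names = OBJECT_GROUPS[group]
            # A tcp group only matches tcp entries; tcp-udp groups match either.
            if gproto not in (proto, "tcp-udp"):
                continue
            if dport not in {SERVICES[n] for n in names}:
                continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows from a client on the inside network.
    for flow in [("tcp", "192.168.2.10", 40000, 80), ("udp", "192.168.2.10", 40000, 53),
                 ("tcp", "192.168.2.10", 40000, 21), ("udp", "192.168.2.10", 40000, 80)]:
        print(flow, "->", evaluate(*flow))
```

Running it shows that the groups as posted also let DNS (53) and HTTPS (443) out, beyond the 80, 25 and 110 the question asked for, and that the source network must match the actual inside subnet for any client traffic to be permitted at all.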

