PIX - Deny outbound traffic

 
 
ESM
      03-12-2005
All of my PIX's allow all outbound traffic as this is the out of box
configuration. I do a basic setup as follows when I need to allow inbound:

access-list outside_access_in permit tcp any interface outside eq XXXX
...again..
...again..
...etc..
access-group outside_access_in in interface outside

(NOTE: I don't always permit from any host or permit to the interface, I may
do host to host, etc)

Anyway. This lets me allow ports I need, (80, 443, 3899, whatever). But it
allows everything outbound. I want to know the proper way to accomplish 2
goals:

1) Keeping my allowed inbound access, Deny ALL outbound access, Specify the
outbound ports to allow
2) Keeping my allowed inbound access, Specify the outbound ports to block,
Allow all other outbound ports



 
Walter Roberson
      03-12-2005
In article <xbCYd.112514$(E-Mail Removed)> ,
ESM <(E-Mail Removed)> wrote:
:All of my PIX's allow all outbound traffic as this is the out of box
:configuration.

:I want to know the proper way to accomplish 2
:goals:

:1) Keeping my allowed inbound access, Deny ALL outbound access, Specify the
:outbound ports to allow
:2) Keeping my allowed inbound access, Specify the outbound ports to block,
:Allow all other outbound ports

Create an access-list and access-group ACLNAME in interface inside. For
effect #2, end it with 'permit ACLNAME ip any any'; for effect #1,
don't.

Note: you cannot deny all outbound access and then specify ports to
allow out: ACLs are processed from top to bottom and the first match is
the overall result. Just rely on the fact that everything you do not
permit will be blocked if you have any ACL on the interface. The
"allow everything outbound" default only applies if there is no ACL.
--
Feep if you love VT-52's.
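An added model of the evaluation rule the reply describes (top-to-bottom first match, implicit deny at the end of any applied ACL, permit-all only when no ACL is bound to the interface); this is not code from the thread or from Cisco. Entries are a simplified tuple form of access-list lines, and the port numbers are constructed sample values.

```python
# Model of PIX access-list evaluation on an interface (added example):
# first matching line decides, an implicit deny follows every applied ACL,
# and an interface with no ACL bound permits everything (the out-of-box state).
from typing import List, Optional, Tuple

# Each entry: (action, protocol, dst_port); protocol "ip" and port None act as "any".
AclEntry = Tuple[str, str, Optional[int]]

def evaluate(acl: Optional[List[AclEntry]], proto: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a packet with protocol proto to port dport.

    acl is None when no access-group is bound to the interface.
    """
    if acl is None:
        return "permit"          # no ACL on the interface: default allows everything
    for action, aproto, aport in acl:
        proto_match = aproto == "ip" or aproto == proto
        port_match = aport is None or aport == dport
        if proto_match and port_match:
            return action        # first match is the result; later lines are never read
    return "deny"                # implicit deny at the end of any applied ACL

# Goal 1: list only the outbound ports to allow; everything else hits the implicit deny.
GOAL1_INSIDE_ACL: List[AclEntry] = [
    ("permit", "tcp", 80),
    ("permit", "tcp", 443),
    ("permit", "udp", 53),       # constructed sample: DNS out
]

# Goal 2: deny the listed ports, then end with 'permit ip any any' so the rest passes.
GOAL2_INSIDE_ACL: List[AclEntry] = [
    ("deny", "tcp", 25),         # constructed sample: block direct outbound SMTP
    ("deny", "tcp", 445),        # constructed sample: block outbound SMB
    ("permit", "ip", None),
]

# The pattern the reply warns against: a leading 'deny ip any any' matches every
# packet first, so the permit lines after it are unreachable.
DENY_FIRST_ACL: List[AclEntry] = [
    ("deny", "ip", None),
    ("permit", "tcp", 80),
]

if __name__ == "__main__":
    cases = [("no ACL", None), ("goal 1", GOAL1_INSIDE_ACL),
             ("goal 2", GOAL2_INSIDE_ACL), ("deny first", DENY_FIRST_ACL)]
    for name, acl in cases:
        for proto, port in [("tcp", 80), ("tcp", 25), ("tcp", 22)]:
            print(f"{name:10s} {proto}/{port:<3d} -> {evaluate(acl, proto, port)}")
```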
 