PIX 501 - allow icmp out but deny everything else out

Discussion in 'Cisco' started by nicough@gmail.com, Nov 18, 2006.

  1. Guest

    My current config has NO access-lists or access-groups.
    Client machines have no internet - expected.

    If I add the following lines......
    access-list INBOUND permit icmp any any
    access-list INBOUND deny tcp any any
    access-list INBOUND deny ip any any
    access-group INBOUND in interface outside

    ..... then my client machines suddenly have icmp out (expected), but
    they also have http/dns/smtp (ie ALL) out.

    What access rules can I add, so that clients have icmp out, but nothing
    else?

    Thanks
    Nick
    , Nov 18, 2006
    #1

  2. In article <>,
    <> wrote:
    >My current config has NO access-lists or access-groups.
    >Client machines have no internet - expected.


    >If I add the following lines......
    >access-list INBOUND permit icmp any any
    >access-list INBOUND deny tcp any any
    >access-list INBOUND deny ip any any
    >access-group INBOUND in interface outside


    tcp is a subset of ip, so the tcp line is redundant.
    There is a default deny at the end of every access-list, so all
    trailing deny statements are redundant.


    >.... then my client machines suddenly have icmp out (expected), but
    >they also have http/dns/smtp (ie ALL) out.


    >What access rules can I add, so that clients have icmp out, but nothing
    >else?


    >My current config has NO access-lists or access-groups.


    It is relatively tricky to create a restricted VPN without using
    at least two access-lists. What are your static, nat, and global
    commands, and what IP pool are you allocating to your clients?
    Walter Roberson, Nov 18, 2006
    #2

  3. Rohan Guest

    <> wrote in message
    news:...
    > My current config has NO access-lists or access-groups.
    > Client machines have no internet - expected.
    >
    > If I add the following lines......
    > access-list INBOUND permit icmp any any
    > access-list INBOUND deny tcp any any
    > access-list INBOUND deny ip any any
    > access-group INBOUND in interface outside
    >
    > .... then my client machines suddenly have icmp out (expected), but
    > they also have http/dns/smtp (ie ALL) out.
    >
    > What access rules can I add, so that clients have icmp out, but nothing
    > else?
    >
    > Thanks
    > Nick
    >

    The statement above would allow ICMP return from the inside, but you also
    have a DENY statement that would block anything from coming in, especially
    in the order you have stated (remove "access-list INBOUND deny tcp any any"
    as it is redundant). I would say that something significant in your
    config that you have not posted is causing Internet access for the client
    machines.

    You would need to post your config up here so we can take a better look.
    Rohan, Nov 18, 2006
    #3
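As an added illustration (not posted by anyone in the thread), this is how the restriction Nick asked for is usually expressed on a PIX 6.x: the list that limits what clients may send goes on the inside interface, and the implicit deny at its end drops everything except ICMP, so no trailing deny lines are needed. The outside list only admits the ICMP reply types the clients need back. Interface names, ACL names, and the assumption that the PIX is not tracking ICMP statefully (so replies must be permitted explicitly) are assumptions, not taken from the poster's config; comment lines use the ":" form of a saved PIX config.

```cisco
: Outbound control belongs on the INSIDE interface, matching traffic
: arriving from the client hosts. Only ICMP is permitted; the implicit
: deny at the end of the list drops http/dns/smtp and everything else.
access-list OUTBOUND permit icmp any any
access-group OUTBOUND in interface inside

: The OUTSIDE interface list governs what the Internet may send in.
: "permit icmp any any" here would also admit unsolicited probes to every
: translated address, so admit only the reply types the pings generate.
access-list INBOUND permit icmp any any echo-reply
access-list INBOUND permit icmp any any time-exceeded
access-list INBOUND permit icmp any any unreachable
access-group INBOUND in interface outside
```

Verify with "show access-list": the hit counts on OUTBOUND should rise only for ICMP, and a TCP connection attempt from a client should log a deny on the inside interface rather than building a translation.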
