PIX - Deny outbound traffic

Discussion in 'Cisco' started by ESM, Mar 12, 2005.

  1. ESM

    ESM Guest

    All of my PIX's allow all outbound traffic as this is the out of box
    configuration. I do a basic setup as follows when I need to allow inbound:

    access-list outside_access_in permit tcp any interface outside eq XXXX
    ...again..
    ...again..
    ...etc..
    access-group outside_access_in in interface outside

    (NOTE: I don't always permit from any host or permit to the interface, I may
    do host to host, etc)

    Anyway. This lets me allow ports I need, (80, 443, 3899, whatever). But it
    allows everything outbound. I want to know the proper way to accomplish 2
    goals:

1) Keeping my allowed inbound access, Deny ALL outbound access, Specify the
    outbound ports to allow
    2) Keeping my allowed inbound access, Specify the outbound ports to block,
    Allow all other outbound ports
     
    ESM, Mar 12, 2005
    #1

  2. In article <xbCYd.112514$>,
    ESM <> wrote:
    :All of my PIX's allow all outbound traffic as this is the out of box
    :configuration.

    :I want to know the proper way to accomplish 2
    :goals:

    :1) Keeping my allowed inbound access, Deny ALL outbound access, Specify the
    :outbound ports to allow
    :2) Keeping my allowed inbound access, Specify the outbound ports to block,
    :Allow all other outbound ports

    Create an access-list and access-group ACLNAME in interface inside For
    effect #2, end it with 'permit ACLNAME ip any any'; for effect #1,
    don't.

    Note: you cannot deny all outbound access and then specify ports to
    allow out: ACLs are processed from top to bottom and the first match is
    the overall result. Just rely on the fact that everything you do not
    permit will be blocked if you have any ACL on the interface. The
    "allow everything outbound" default only applies if there is no ACL.
    --
    Feep if you love VT-52's.
     
    Walter Roberson, Mar 12, 2005
    #2
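    The two variants described in the reply above, written out as PIX 6.x
    configuration. This is an added example, not configuration posted in the
    thread; the ACL names (outbound_allow_only, outbound_block_some) and the
    port lists are assumptions chosen for illustration, and the existing
    outside_access_in ACL from the first post is left untouched because it sits
    on the other interface.

    ```cisco
    ! --- Goal 1: deny everything outbound except the listed ports ---
    ! Only permit entries are needed: every ACL ends in an implicit
    ! "deny ip any any", so anything not matched above falls through to it.
    ! DNS is permitted first, otherwise inside hosts cannot resolve names.
    access-list outbound_allow_only remark assumed port list, adjust to your site
    access-list outbound_allow_only permit udp any any eq domain
    access-list outbound_allow_only permit tcp any any eq www
    access-list outbound_allow_only permit tcp any any eq https
    access-group outbound_allow_only in interface inside

    ! --- Goal 2: block the listed ports, allow everything else outbound ---
    ! The deny entries must come before the final permit, because the PIX
    ! stops at the first matching line (top-down, first match wins).
    ! Apply this ACL instead of the one above, not in addition to it; only
    ! one ACL can be bound to an interface in a given direction.
    access-list outbound_block_some remark assumed block list, adjust to your site
    access-list outbound_block_some deny tcp any any eq smtp
    access-list outbound_block_some deny tcp any any range 135 139
    access-list outbound_block_some deny tcp any any eq 445
    access-list outbound_block_some permit ip any any
    access-group outbound_block_some in interface inside
    ```

    After applying either ACL, `show access-list` displays a hit count per
    entry, which is the quickest way to confirm that expected traffic is
    matching a permit line rather than silently dropping into the implicit
    deny at the end. Binding any ACL inbound on the inside interface is what
    switches off the "allow everything outbound" default, so the same
    mechanism covers both goals; the only difference is whether the list ends
    with a permit ip any any.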