PIX 501 - allow icmp out but deny everything else out

Discussion in 'Cisco' started by nicough, Nov 18, 2006.

  1. nicough

    nicough Guest

    My current config has NO access-lists or access-groups.
    Client machines have no internet - expected.

    If I add the following lines......
    access-list INBOUND permit icmp any any
    access-list INBOUND deny tcp any any
    access-list INBOUND deny ip any any
    access-group INBOUND in interface outside

    ..... then my client machines suddenly have icmp out (expected), but
    they also have http/dns/smtp (i.e. ALL) out.

    What access rules can I add, so that clients have icmp out, but nothing
    else?

    Thanks
    Nick
     
    nicough, Nov 18, 2006
    #1

  2. tcp is a subset of ip, so the tcp line is redundant.
    There is a default deny at the end of every access-list, so all
    trailing deny statements are redundant.

    It is relatively tricky to create a restricted VPN without using
    at least two access-lists. What are your static, nat, and global
    commands, and what IP pool are you allocating to your clients?
     
    Walter Roberson, Nov 18, 2006
    #2

  3. Rohan

    Rohan Guest

    The statements above would allow ICMP return traffic from the inside, but you
    also have a DENY statement that would block anything from coming in, especially
    in the order you have stated (remove "access-list INBOUND deny tcp any any",
    as it is redundant). I would say that something significant in your
    config, that you have not posted, is causing Internet access for the client
    machines.

    You would need to post your config up here so we can take a better look.
     
    Rohan, Nov 18, 2006
    #3
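An added example (editor's, not code from any poster in this thread) that models the two points the replies make: a PIX access-list is evaluated first-match with an implicit deny at the end, so the trailing deny lines change nothing; and a list applied "in interface outside" is only consulted for packets that arrive on the outside interface, so the client-originated traffic the question is about never passes through it. The model reproduces what nicough observed and then shows the list bound to the inside interface that permits only ICMP. Everything here is assumed: the simplified, stateless evaluation rules spelled out in the docstring, the list name OUTBOUND, and the constructed sample packets; nat/global requirements are out of scope.

```python
"""Added example: simplified model of PIX 6.x access-list evaluation.

Model assumptions (simplifications, not taken from PIX documentation):
  * first-match evaluation with an implicit deny at the end of every list
  * 'access-group NAME in interface X' checks only packets ARRIVING on X
  * an interface with no access-group falls back to the security-level
    rule: higher-security to lower-security traffic is permitted
  * stateless: no connection table, no fixup/inspection, no nat/global
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Security levels of the two PIX interfaces (inside=100, outside=0).
SECURITY = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Packet:
    ingress: str            # interface the packet arrives on
    egress: str             # interface it would leave through
    proto: str              # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    dport: Optional[int]    # from an optional "eq PORT"


def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Dict[str, str]]:
    """Parse 'access-list NAME permit|deny PROTO any any [eq PORT]' and
    'access-group NAME in interface IFACE' lines (a constructed subset)."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}      # interface -> list applied inbound
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list":
            dport = int(w[w.index("eq") + 1]) if "eq" in w else None
            acls.setdefault(w[1], []).append(Ace(w[2], w[3], dport))
        elif w[0] == "access-group" and w[2:4] == ["in", "interface"]:
            bindings[w[4]] = w[1]
    return acls, bindings


def decide(acls, bindings, pkt: Packet) -> str:
    """Permit or deny a packet arriving on pkt.ingress."""
    name = bindings.get(pkt.ingress)
    if name is None:
        # No list on this interface: the security-level default applies.
        return "permit" if SECURITY[pkt.ingress] > SECURITY[pkt.egress] else "deny"
    for ace in acls.get(name, []):
        if ace.proto in ("ip", pkt.proto) and ace.dport in (None, pkt.dport):
            return ace.action          # first match wins
    return "deny"                      # implicit deny at the end of every list


# The lines from the question, bound inbound on the outside interface.
ORIGINAL = """\
access-list INBOUND permit icmp any any
access-list INBOUND deny tcp any any
access-list INBOUND deny ip any any
access-group INBOUND in interface outside
"""

# Same list without the trailing denies (they are redundant).
TRIMMED = """\
access-list INBOUND permit icmp any any
access-group INBOUND in interface outside
"""

# Filter what the clients SEND: packets arriving on the inside interface.
# Only ICMP is permitted; the implicit deny drops http, dns, smtp and the
# rest. The list name OUTBOUND is an assumption of this example.
FIXED = TRIMMED + """\
access-list OUTBOUND permit icmp any any
access-group OUTBOUND in interface inside
"""

# Constructed sample traffic: four client-originated flows, two from outside.
SAMPLE = [
    Packet("inside", "outside", "icmp"),        # ping out
    Packet("inside", "outside", "tcp", 80),     # http out
    Packet("inside", "outside", "udp", 53),     # dns out
    Packet("inside", "outside", "tcp", 25),     # smtp out
    Packet("outside", "inside", "icmp"),        # echo-reply coming back
    Packet("outside", "inside", "tcp", 80),     # unsolicited inbound http
]


def evaluate(config: str) -> List[str]:
    """Decision for each SAMPLE packet under the given configuration."""
    acls, bindings = parse_config(config)
    return [decide(acls, bindings, p) for p in SAMPLE]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("trimmed", TRIMMED), ("fixed", FIXED)):
        print(f"{label:9}", evaluate(cfg))
```

Running it shows ORIGINAL and TRIMMED giving identical decisions (all four client flows permitted, because the inside interface has no list and falls back to the security-level default), while FIXED permits only the ICMP flow from the inside. In this stateless model the `permit icmp any any` on the outside list is also what lets the echo-replies back in; on a real PIX without stateful ICMP inspection that permit (or a narrower `echo-reply` one) still has to stay on the outside interface, and the nat/global setup Walter asks about is still required for any traffic to pass at all.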