|
Posted by ESM on March 12, 2005, 1:32 pm
If you were Registered and logged in, you could reply and use other advanced thread options
All of my PIX's allow all outbound traffic as this is the out of box
configuration. I do a basic setup as follows when I need to allow inbound:
access-list outside_access_in permit tcp any interface outside eq XXXX
...again..
...again..
...etc..
access-group outside_access_in in interface outside
(NOTE: I don't always permit from any host or permit to the interface, I may
do host to host, etc)
Anyway. This lets me allow ports I need, (80, 443, 3899, whatever). But it
allows everything outbound. I want to know the proper way to accomplish 2
goals:
1) Keeping my allowed inbound access, Deny ALL outboudn access, Specify the
outbound ports to allow
2) Keeping my allowed inbounc access, Specify the outbound ports to block,
Allow all other outbound ports
|
  | |
Posted by Walter Roberson on March 12, 2005, 6:15 pm
If you were Registered and logged in, you could reply and use other advanced thread options
:All of my PIX's allow all outbound traffic as this is the out of box
:configuration.
:I want to know the proper way to accomplish 2
:goals:
:1) Keeping my allowed inbound access, Deny ALL outboudn access, Specify the
:outbound ports to allow
:2) Keeping my allowed inbounc access, Specify the outbound ports to block,
:Allow all other outbound ports
Create an access-list and access-group ACLNAME in interface inside For
effect #2, end it with 'permit ACLNAME ip any any'; for effect #1,
don't.
Note: you cannot deny all outbound access and then specify ports to
allow out: ACLs are processed from top to bottom and the first match is
the overall result. Just rely on the fact that everything you do not
permit will be blocked if you have any ACL on the interface. The
"allow everything outbound" default only applies if there is no ACL.
--
Feep if you love VT-52's.
|
| Similar Threads | Posted | | icmp type 11 cause pix to deny traffic | July 27, 2005, 12:16 pm |
| Deny all foreign IP traffic using Cisco PIX 501 | May 24, 2008, 11:12 pm |
| Control Outbound traffic | November 15, 2004, 10:54 am |
| Basic ACL Question - Outbound Traffic | April 30, 2006, 2:18 am |
| Redirect Outbound SMTP Traffic to Specific Server - 837 and 2621 | July 21, 2004, 5:15 pm |
| 501 PIX "deny any any" "allow any any" Any Anybody? | November 16, 2006, 3:40 pm |
| PIX ACL deny behaviour | January 20, 2005, 11:10 pm |
| Why does my 506 keeps deny vpn-connections. | March 27, 2006, 2:55 pm |
| PIX 501 - allow icmp out but deny everything else out | November 18, 2006, 1:49 am |
| Deny SDM Access from WAN | January 7, 2007, 10:37 pm |
|
|
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map