03-20-2007 04:41 PM - edited 03-11-2019 02:49 AM
Hi,
In a PIX 515, OS version 6.3(5), I want to prevent traffic on TCP ports 445, 3066, 3067 from going from inside to outside (due to us having gotten blacklisted for outgoing Korgo traffic).
Here's the relevant config:
access-list acl_outbound deny tcp any any eq 3067
access-list acl_outbound deny tcp any any eq ident
access-list acl_outbound deny tcp any any eq 445
access-list acl_outbound permit ip any any
access-group acl_outbound in interface inside
(Pix translated 3066 to ident...)
When I first applied this, I got a few hits on the ACEs for 445 & ident right away. Several months pass, and I find we've gotten blacklisted again, again because of Korgo. I check the ACEs over a couple or three days - no activity the first 2 days, then today 9 more hits on 445, 3 more on ident.
So, the ACL does something... But, is it correct for blocking traffic going from inside to outside?
(Initiatives are underway to get CSA & NAC installed, but for the moment I have to rely on the firewall to keep bad things from getting out...)
03-20-2007 04:47 PM
This config looks good... why don't you clear the counters of the access-list and then watch the counters:
clear access-l acl_outbound counters
If the activity is on these ports, then they are definitely blocked.
03-20-2007 05:01 PM
Hi,
The few matches that you see on the ACL shouldn't warrant someone blacklisting your network. In addition to TCP, deny UDP for those ports as well and see if that makes a difference.
HTH
Sundar
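As an added illustration (this is not code from the thread, from Cisco, or from the PIX itself), the Python below simulates how a PIX evaluates an ACL applied with "access-group ... in interface inside": top-down, first match wins, and an implicit deny if nothing matches. It loads the poster's ACL as written, builds the UDP extension Sundar suggests, and keeps per-ACE hit counters the way "show access-list" does, so you can see that the original ACL denies TCP 445 from an inside host but lets UDP 445 through, and that the extended ACL denies both. Assumptions: the service-name table is a small subset of the PIX keyword table (with "ident" resolved to TCP 113 per IANA, independent of what the poster's PIX displayed), the sample flows are constructed, and only the "any"/host and "eq" forms of an ACE are parsed.

```python
"""Simulate first-match evaluation of a PIX 6.3-style access list (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: small subset of the PIX service-keyword table; ident is TCP 113 (IANA).
SERVICE_PORTS = {"ident": 113, "smb": 445, "www": 80, "domain": 53}

# The ACL exactly as posted in the thread (applied inbound on the inside interface,
# so it governs traffic from inside hosts heading out).
ORIGINAL_ACL = [
    "access-list acl_outbound deny tcp any any eq 3067",
    "access-list acl_outbound deny tcp any any eq ident",
    "access-list acl_outbound deny tcp any any eq 445",
    "access-list acl_outbound permit ip any any",
]

# Sundar's suggestion: also deny UDP on the same ports. The denies must precede the
# "permit ip any any" line, because the first matching ACE decides.
EXTENDED_ACL = ORIGINAL_ACL[:-1] + [
    "access-list acl_outbound deny udp any any eq 3067",
    "access-list acl_outbound deny udp any any eq ident",
    "access-list acl_outbound deny udp any any eq 445",
] + ORIGINAL_ACL[-1:]


@dataclass(frozen=True)
class Flow:
    """One packet/connection attempt as seen entering the inside interface."""
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int


def parse_ace(line: str) -> dict:
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"unsupported ACE syntax: {line}")
    name, action, proto, src, dst = tokens[1:6]
    port: Optional[int] = None
    if len(tokens) >= 8 and tokens[6] == "eq":
        port = int(tokens[7]) if tokens[7].isdigit() else SERVICE_PORTS[tokens[7]]
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def matches(ace: dict, flow: Flow) -> bool:
    """True if the flow is covered by the ACE ('ip' covers every protocol, 'any' every host)."""
    if ace["proto"] != "ip" and ace["proto"] != flow.proto:
        return False
    if ace["src"] != "any" and ace["src"] != flow.src:
        return False
    if ace["dst"] != "any" and ace["dst"] != flow.dst:
        return False
    if ace["port"] is not None and ace["port"] != flow.dport:
        return False
    return True


def evaluate(acl: List[str], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching ACE). No match means the implicit deny (index None)."""
    for index, line in enumerate(acl):
        if matches(parse_ace(line), flow):
            return parse_ace(line)["action"], index
    return "deny", None


def hit_counts(acl: List[str], flows: List[Flow]) -> List[int]:
    """Per-ACE hit counters, as 'show access-list' reports them (starting from cleared counters)."""
    counts = [0] * len(acl)
    for flow in flows:
        _, index = evaluate(acl, flow)
        if index is not None:
            counts[index] += 1
    return counts


# Constructed sample traffic from an inside host: two SMB attempts, one ident, one UDP 445, one web hit.
SAMPLE_FLOWS = [
    Flow("tcp", "10.1.1.5", "198.51.100.7", 445),
    Flow("tcp", "10.1.1.5", "198.51.100.8", 445),
    Flow("tcp", "10.1.1.5", "198.51.100.9", 113),
    Flow("udp", "10.1.1.5", "198.51.100.7", 445),
    Flow("tcp", "10.1.1.5", "198.51.100.10", 80),
]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("extended", EXTENDED_ACL)):
        print(f"{label}: hit counts per ACE = {hit_counts(acl, SAMPLE_FLOWS)}")
        print(f"  udp/445 outbound -> {evaluate(acl, SAMPLE_FLOWS[3])[0]}")
```

Running it shows the hit counter on the "deny tcp ... eq 445" ACE climbing for each blocked SMB attempt, which is the same evidence the thread reads off the counters after clearing them, while the UDP flow only stops matching "permit ip any any" once the UDP denies are added above it.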