acl written & applied correctly?

linnea.wren
Level 1

Hi,

On a PIX 515, OS version 6.3(5), I want to prevent traffic on TCP ports 445, 3066, 3067 from going from inside to outside (due to us having gotten blacklisted for outgoing Korgo traffic).

Here's the relevant config:

access-list acl_outbound deny tcp any any eq 3067
access-list acl_outbound deny tcp any any eq ident
access-list acl_outbound deny tcp any any eq 445
access-list acl_outbound permit ip any any
access-group acl_outbound in interface inside

(Pix translated 3066 to ident...)

When I first applied this, I got a few hits on the ACEs for 445 & ident right away. Several months pass, and I find we've gotten blacklisted again, again because of Korgo. I check the ACEs over a couple or three days - no activity the first 2 days, then today 9 more hits on 445, 3 more on ident.

So, the ACL does something... But, is it correct for blocking traffic going from inside to outside?

(Initiatives are underway to get CSA & NAC installed, but for the moment I have to rely on the firewall to keep bad things from getting out...)

2 Replies

abinjola
Cisco Employee

This config looks good... why don't you clear the counters of the access-list and then watch the counters?

clear access-l acl_outbound counters

If there is activity on these ports then they are definitely blocked.

Hi,

The few matches that you see on the ACL shouldn't warrant someone blacklisting your network. In addition to TCP, deny UDP for those ports as well and see if that makes a difference.

HTH

Sundar
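A quick way to check what the posted ACL actually covers, as an added example that is not from the thread or from Cisco: a first-match evaluator for the ACEs above, run against the worm-related outbound flows, once for the ACL as posted and once with Sundar's UDP denies added. It assumes every ACE is any/any (so addresses are ignored) and that the PIX keyword "ident" is port 113, which is what the PIX name table maps it to; the parser, flow list and port map are constructed for this illustration.

```python
from dataclasses import dataclass
PORT_NAMES = {"ident": 113}  # PIX keyword "ident" is port 113, not 3066

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches every protocol)
    dport: "int | None"   # None means any destination port

def parse_acl(text: str) -> list:
    """Parse 'access-list NAME {permit|deny} PROTO any any [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue  # not an ACE (e.g. the access-group line)
        dport = None
        if "eq" in parts:
            name = parts[parts.index("eq") + 1]
            dport = PORT_NAMES.get(name) or int(name)
        aces.append(Ace(parts[2], parts[3], dport))
    return aces

def evaluate(aces: list, proto: str, dport: int) -> str:
    """First matching ACE wins; a PIX ACL ends with an implicit deny."""
    for ace in aces:
        if ace.proto in ("ip", proto) and ace.dport in (None, dport):
            return ace.action
    return "deny"

# The ACL exactly as posted in the question.
POSTED_ACL = """
access-list acl_outbound deny tcp any any eq 3067
access-list acl_outbound deny tcp any any eq ident
access-list acl_outbound deny tcp any any eq 445
access-list acl_outbound permit ip any any
"""

# Sundar's suggestion: deny the same ports over UDP too, ahead of the permit.
UDP_DENIES = "".join("access-list acl_outbound deny udp any any eq %s\n" % p
                     for p in ("3067", "ident", "445"))
PERMIT = "access-list acl_outbound permit ip any any"
AMENDED_ACL = POSTED_ACL.replace(PERMIT, UDP_DENIES + PERMIT)

def coverage(acl_text: str) -> dict:
    """Verdict for each worm-related outbound flow (proto, dst port) under acl_text."""
    aces = parse_acl(acl_text)
    flows = [("tcp", 445), ("tcp", 3067), ("tcp", 113), ("tcp", 3066),
             ("udp", 445), ("udp", 3067), ("tcp", 80)]
    return {flow: evaluate(aces, *flow) for flow in flows}
```

Running coverage(POSTED_ACL) shows TCP 445, 3067 and 113 denied but TCP 3066 and UDP on all three ports still permitted; coverage(AMENDED_ACL) closes the UDP gap while ordinary traffic such as TCP 80 stays permitted.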
