ASA 5505 - how to stop it from allowing all outbound traffic?

Unanswered Question
Jun 2nd, 2008

Hey everybody,

I got an ASA 5505 for a client, and defined outgoing rules ahead of time so that only http/https and smtp/pop3 access were allowed out to certain servers. The install went smooth (I just followed the wizard), but RIGHT as I was leaving I noticed that ALL outbound traffic was allowed!

I literally had to leave RIGHT THEN, but the last thing I noticed was an implicit rule in my list saying that all traffic to a less secure network was allowed. I could not edit or delete this rule, so I left the client quite frustrated. I do not see this "allow all outbound traffic" rule anywhere in my exported config.

Can someone help me narrow down why outbound traffic is wide open (and how to stop it)? I can post my config later this afternoon if it would help.



Jon Marshall Mon, 06/02/2008 - 07:08


You can restrict traffic going out by creating an access-list and applying it to the inside interface. So if you just wanted to allow out http traffic:

access-list inside_out permit tcp <LAN> <mask> any eq http

access-list inside_out deny ip any any

where <LAN> <mask> is the LAN network and its subnet mask (placeholders, restored here because the forum software stripped the angle-bracket text).

access-group inside_out in interface inside
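As an added example (not from the thread itself), here is what the restriction described in the original question looks like as a complete inside-interface ACL on an ASA: only HTTP/HTTPS to any destination and SMTP/POP3 to one mail server are permitted, and everything else is denied and logged. All addresses are placeholders from the RFC 5737 documentation ranges; the inside network, mail server address and ACL name are assumptions.

```cisco
! Added example, not the poster's config. Addresses and names are placeholders.
! Inside LAN: 192.168.1.0/24 (assumed). Mail server: 203.0.113.25 (assumed).
access-list inside_out remark Allow web browsing from the LAN
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out remark Allow mail only to the designated mail server
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.25 eq smtp
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.25 eq pop3
access-list inside_out remark Explicit deny with logging so blocked attempts show up in syslog
access-list inside_out extended deny ip any any log
!
! Applying the ACL to the inside interface replaces the default
! "permit to less secure networks" behaviour with this list.
access-group inside_out in interface inside
```

Once an ACL is bound to the inside interface, the implicit "allow to a less secure network" rule ASDM shows is no longer in effect; the list ends with an implicit deny, and the explicit `deny ip any any log` line just makes that visible and logged. `show access-list inside_out` shows per-line hit counts, which is the quickest way to confirm from the CLI that SSH, FTP or other outbound attempts are now landing on the deny line rather than passing.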


RouterPouter Mon, 06/02/2008 - 07:18


Thanks for your quick reply. I do understand how to apply those commands you gave me; however, I'd like to do this in the GUI as I'm admittedly a firewall newbie, and it's also helpful for me to "see" these rules since I share admin responsibility with another tech.

I'm wondering, though... if I try those commands you stated, will the GUI update itself to reflect those changes? Perhaps if I take a screenshot of my rules page now, then enter your commands and take another screenshot for comparison, THAT will reveal why outbound traffic was wide open?

I guess I'm also looking to find out if this "wide open outbound" functionality is as designed or a goof on my part.



Jon Marshall Mon, 06/02/2008 - 07:24


To be honest I'm not that familiar with the GUI. I know in version 6.x of the PIX that using the CLI and the GUI (PDM) to configure the same firewall could lead to problems, but I'm not sure with ASDM.

The "wide open outbound" is as designed and not a goof on your part. It could be argued that this is not the best default to take with a firewall, but that is how it is.


srue Mon, 06/02/2008 - 07:42

ASDM will update automatically just fine; each time it loads it pulls the config from the text file anyway.

RouterPouter Mon, 06/02/2008 - 08:23

Jon/Srue, you guys answered my biggest questions. I bet I can nail it down from here. Will post back later if things go awry.


RouterPouter Mon, 06/02/2008 - 13:05

Hey gents,

One more question. I did find a screenshot of the security rules for the firewall from before I noticed that ALL outbound traffic (SSH/FTP/ICMP pings) was still allowed. Maybe I'm not understanding outside/inside rules entirely and have the rules in the wrong place?


janchristianbrataas Tue, 06/03/2008 - 05:02

I think it's because you have two ACLs that apply to the Inside interface, and the one that permits any any to a lower security interface, like the outside, means everything is allowed.

In my config I have put all my incoming rules on the Outside interface, like smtp, http, pop3 etc. On my inside interface (typically a DMZ) I have not allowed any traffic out, just http and https and typical sql traffic from a DMZ to an inside network. But from another interface I allow all types of traffic out to the Internet (big I).

PS: regarding your ACL about ICMP, if you run inspect icmp you don't need that ACL; then all ICMP replies into your network that are generated from your network are allowed.
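As an added example of the "inspect icmp" point above (not the poster's config), this is the default ASA service policy with ICMP inspection enabled. With it in place, echo replies for pings that originated on the inside are matched to their requests statefully and let back in, so no separate outside-interface rule permitting echo-reply is needed. The policy-map and class names are the ASA defaults; any addresses are still placeholders.

```cisco
! Added example, not from the thread. global_policy / inspection_default
! are the ASA default names; nothing else here is site-specific.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! The default service policy already applies global_policy globally;
! this line is shown for completeness.
service-policy global_policy global
```

The defensive benefit is that the outside ACL no longer needs a standing `permit icmp any any echo-reply` (or broader ICMP permit) for pings from the LAN to work, which removes one of the common "why is inbound ICMP open" findings. `show service-policy inspect icmp` confirms the inspection is active and counting packets.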

