How to block IP address from outbound Internet connections.

Apr 22nd, 2002

Greetings,


This sounds simple, but I don't see how to do it.


How can I block an IP address from going outbound to the Internet? Should I use an access-list, conduit, etc.? Excuse my ignorance.

gradosavljevic Tue, 04/23/2002 - 19:37

The idea is to use an access list to block outgoing traffic and to bind this access list to the inside interface. In the following example I allow users to use their browsers, i.e. port 80, but also to browse websites using SSL (port 443). All other traffic (e.g. telnet, FTP) is blocked.


access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq www

access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq 443

access-list user_punishment deny ip any any


access-group user_punishment in interface inside


The 3rd item in the access list is not needed, but it helps in understanding the process.


Best regards

Goran

iholdings Wed, 04/24/2002 - 04:12

Thanks for the help. I didn't create the access-group to bind the list to an interface.


One more question ... in your example, when I create the access-group does that only bind acl user_punishment to the inside interface or does it bind all acls to that interface?

ddemers Thu, 05/09/2002 - 07:54

Wouldn't that just prevent ICMP echo-replies from that PIX interface?


try access-l acl_in deny ip host a.b.c.d any

access-l acl_in permit ip any any

access-g acl_in in interface inside

gradosavljevic Tue, 05/14/2002 - 22:56

I trust it only binds that particular ACL to the interface.

- Goran
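
Added example (not part of the thread and not Cisco code): a small Python model of how the two access lists posted above are evaluated, where the first matching entry wins and anything unmatched hits the implicit deny. It handles only the syntax used in this thread; `parse_acl` and `evaluate` are hypothetical helper names, 192.168.1.50 is a constructed stand-in for a.b.c.d, and 203.0.113.10 is a constructed destination.

```python
import ipaddress

PORTS = {"www": 80}  # named port used in the thread's ACL

def _addr(tok):
    """Consume one address spec: 'any', 'host A', or 'ADDR NETMASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()[2:]   # drop 'access-list NAME'
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto) or s not in r_src or d not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny (implicit)"

# ACLs from the thread; 192.168.1.50 is a constructed stand-in for a.b.c.d,
# and the explicit 'deny ip any any' is left out to show the implicit deny.
WEB_ONLY = parse_acl("""
access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq 443
""")
BLOCK_HOST = parse_acl("""
access-list acl_in deny ip host 192.168.1.50 any
access-list acl_in permit ip any any
""")

if __name__ == "__main__":
    dst = "203.0.113.10"  # constructed Internet destination
    for name, acl in (("user_punishment", WEB_ONLY), ("acl_in", BLOCK_HOST)):
        for src, port in (("192.168.1.50", 80), ("192.168.1.50", 23), ("192.168.1.51", 23)):
            print(name, src, port, evaluate(acl, "tcp", src, dst, port))
```

Reversing the two `acl_in` entries makes `permit ip any any` match first, so the host deny is never reached.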
