How to block IP address from outbound Internet connections.

Apr 22nd, 2002


This sounds simple, but I don't see how to do it.

How can I block an IP address from going outbound to the Internet? Should I use an access-list, conduit, etc.? Excuse my ignorance.

gradosavljevic Tue, 04/23/2002 - 19:37

The idea is to use an access list to block outgoing traffic and to bind this access list to the inside interface. In the following example I allow users to use their browsers, i.e. port 80, but also to browse websites using SSL (port 443). All other traffic (e.g. telnet, FTP) is blocked.

access-list user_punishment permit tcp any any eq www

access-list user_punishment permit tcp any any eq 443

access-list user_punishment deny ip any any

access-group user_punishment in interface inside

The 3rd item in the access list is not needed, but it helps in understanding the process.

Best regards


iholdings Wed, 04/24/2002 - 04:12

Thanks for the help. I didn't create the access-group to bind the list to an interface.

One more question ... in your example, when I create the access-group does that only bind acl user_punishment to the inside interface or does it bind all acls to that interface?

ddemers Thu, 05/09/2002 - 07:54

Wouldn't that just prevent ICMP echo-replies from that PIX interface?

Try:

access-l acl_in deny ip host a.b.c.d any

access-l acl_in permit ip any any

access-g acl_in in interface inside

gradosavljevic Tue, 05/14/2002 - 22:56

I trust it only binds that particular ACL to the interface.

- Goran
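
Added example (not part of any post in this thread): a small Python model of how an access list bound with access-group is evaluated, top to bottom with the first match winning and an implicit deny at the end, applied to the two lists posted above. The addresses 10.0.0.5, 10.0.0.6 and 198.51.100.7 and all function names are constructed for illustration; this models the matching logic only, not the PIX itself.

```python
import ipaddress

# Constructed model of first-match ACL evaluation; not PIX code.
# Entry: (action, protocol, source, destination, destination port or None)
ANY = "0.0.0.0/0"

WEB_ONLY = [  # first reply's list: web and SSL only, for every inside host
    ("permit", "tcp", ANY, ANY, 80),
    ("permit", "tcp", ANY, ANY, 443),
    ("deny", "ip", ANY, ANY, None),
]

def block_host(addr):
    """Second reply's list: deny one inside host, permit everyone else."""
    return [
        ("deny", "ip", f"{addr}/32", ANY, None),
        ("permit", "ip", ANY, ANY, None),
    ]

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry, top to bottom.
    If nothing matches, the implicit deny that ends every ACL applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_port in acl:
        if e_proto != "ip" and e_proto != proto:
            continue  # "ip" matches every IP protocol
        if s not in ipaddress.ip_network(e_src):
            continue
        if d not in ipaddress.ip_network(e_dst):
            continue
        if e_port is not None and e_port != dport:
            continue
        return action
    return "deny"  # implicit deny ip any any

if __name__ == "__main__":
    dst = "198.51.100.7"  # constructed outside address
    acl = block_host("10.0.0.5")  # constructed inside host to block
    for src in ("10.0.0.5", "10.0.0.6"):
        print(src, "telnet ->", evaluate(acl, "tcp", src, dst, 23))
    # Without its explicit third line, WEB_ONLY still denies telnet.
    print("web-only telnet ->", evaluate(WEB_ONLY[:2], "tcp", "10.0.0.6", dst, 23))
```
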

