Denying outbound traffic

Feb 25th, 2003

Hey all, I am a noobie to the PIX os.


I have read that by default, on PIX 501 all outbound traffic is allowed. I was wondering if that could be reversed. Deny all outbound traffic except for specific ports from the internal network.


The pix is in a small office area that just needs port 80 and maybe 25. I want to reduce outbound traffic to just the ones I specify. Any luck in doing that without 100 ACLs? I have also read that ACLs are performed in order of the config file, so if I deny all outbound traffic, will all remaining ACLs be null and void?


Thank you for your time and patience.

Matt

Correct Answer by shannong about 14 years 5 months ago

Using an ACL, all traffic can be denied.

This ACL stops all outbound traffic:

access-list 100 deny ip any any
access-group 100 in interface inside

This ACL allows only outbound traffic for HTTP and SMTP:

access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 25
access-group 100 in interface inside

It's true that ACLs are evaluated in order. This ACL is the same as the first in that no traffic would be allowed. This is meant as an example and would have no real use in a production environment:

access-list 100 permit ip any any
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 25
access-group 100 in interface inside

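A small first-match evaluator for the ACL semantics discussed in this thread, added here as an example; it is not code from the thread or from Cisco. It parses `access-list` lines of the form shown above, applies first-match evaluation with the implicit deny at the end, and goes one step further than the answer by flagging rules that an earlier any-to-any rule makes unreachable (the "null and void" case Matt asked about). The sample addresses, the CIDR support in `_addr_matches`, and the `shadowed` check are my own constructs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol; otherwise "tcp", "udp", ...
    src: str             # "any" or a CIDR (CIDR support is an extension beyond the thread)
    dst: str
    port: Optional[int]  # destination port from "eq <n>", None when absent


def parse_acl(config: str) -> List[Rule]:
    """Parse 'access-list <id> <permit|deny> <proto> <src> <dst> [eq <port>]' lines
    in config order; access-group and other lines are skipped. Numeric ports only."""
    rules = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        port = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
        rules.append(Rule(tok[2], tok[3], tok[4], tok[5], port))
    return rules


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First match wins: returns (action, rule index). A packet no rule matches
    falls through to the implicit deny, reported as ("deny", None)."""
    for i, r in enumerate(rules):
        if r.proto not in ("ip", proto):
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        if r.port is not None and r.port != dport:
            continue
        return r.action, i
    return "deny", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match: an earlier any-to-any rule with no
    port already covers their protocol, so they are dead configuration."""
    return [j for j, r in enumerate(rules)
            if any(e.src == e.dst == "any" and e.port is None and e.proto in ("ip", r.proto)
                   for e in rules[:j])]


# Constructed samples: a deny-first list (later permits are dead) and the permit-only list.
DENY_FIRST = ("access-list 100 deny ip any any\naccess-list 100 permit tcp any any eq 80\n"
              "access-list 100 permit tcp any any eq 25\naccess-group 100 in interface inside\n")
PERMIT_ONLY = "access-list 100 permit tcp any any eq 80\naccess-list 100 permit tcp any any eq 25\n"
```

With the permit-only list, DNS (UDP 53) hits the implicit deny, which is the point Ben raises below.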

bdube Wed, 02/26/2003 - 03:04

Hi Matt,


Don't forget DNS (53) and perhaps POP3 (110).


Best regards,


Ben


wolfrikk Wed, 02/26/2003 - 04:13

You can do this with access-lists also. The ACLs are processed in order (line for line). You can have 100 ACLs in your config file, but you can only have one bound to an interface per direction, so if you have an ACL configured for inbound traffic, it will process that one ACL line for line until it finds a match. If a match is not found, there is an implicit deny at the end of all ACLs, so the packet will be dropped.


I hope that helps.

matthew.bauer Wed, 02/26/2003 - 05:30

Thanks for the responses and keep em coming.


I have a ton of questions regarding the pix os. I guess most of which are theory sort of questions. Why are things done in a certain way sorta thing. For instance: out of the box the 501 allows outbound traffic. It appears that as soon as I apply the first ACL that is no longer the case. Is that correct?


I don't quite understand the fixup protocol. I have read that they are predefined in the pix to listen on those ports, adding functionality like web filters and mailguard. I will not be using these features at this time. Any reason to keep the fixup protocols enabled?


Again thank you for your time and patience.

Matt

Fixup protocols do different things for different protocols. fixup protocol smtp limits inbound SMTP connections (provided you opened the port) to basic SMTP commands, and hides banners. This breaks MS Exchange SMTP. fixup protocol dns allows only one reply per request to come in, and checks to make sure that it is DNS traffic, and not just something from port 53 to a high-numbered port.


An ACL bound "in" to the inside will stop "all" outbound traffic, and only allow that which is permitted in the ACL to pass. Remember, at the end of all Cisco (IOS or pixen) ACLs is an implicit deny all statement that will catch anything that hasn't already been matched by a rule.


So, you really want to read up on the docs, but as a rule, fixup protocol is a good thing, except for us Exchange SMTP users.


Matt

mmcsweeny Wed, 02/26/2003 - 16:43

Hi, ACLs on a PIX can be applied to inbound traffic, i.e. traffic coming into a PIX i/f, so it would be correct to say "you can only have one ACL bound to an interface for the inbound direction".


Regards
