05-11-2006 01:41 PM - edited 03-09-2019 02:53 PM
Grettings, I have a PIX 501 and I am trying to block all TCP/UDP ports outbound for all internal hosts. I would only like to allow 80 and 443 outbound.
Can someone give me a hand?
Thanks!
Solved! Go to Solution.
05-11-2006 05:42 PM
yes it will block everything else .. there is a predefined deny at the end of each access-list which you don't see from the config .. You can also include a deny at the end if you want for logging purposes but it is not required.
I hope it helps ... ahhh .. please ra te it if it does !!
05-17-2006 03:56 PM
Hi .. the command is not right ... You left the 'access-list' sentence out of the command.
nat (inside) 1 access-list inside_out
global (outside) 1 interface
i hope it helps
05-11-2006 03:03 PM
sure ..
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
nat (inside) 1 access-list inside_out
global (outside) 1 interface
access-group inside_out in interface inside
PLease rate it if it helps !!!!
05-11-2006 04:03 PM
Will this block everything else or do we need to add the deny ip any any at the end?
Thanks for the quick response!
Molinek.
05-11-2006 05:42 PM
yes it will block everything else .. there is a predefined deny at the end of each access-list which you don't see from the config .. You can also include a deny at the end if you want for logging purposes but it is not required.
I hope it helps ... ahhh .. please ra te it if it does !!
05-15-2006 06:28 AM
It won't except the NAT statement that you have here and I have to traffic at all if I enter the:
access-group inside_out in interface inside
I have to enter it with "outside" to get traffic flowing. See below:
PUBLIC-FW-4THFL# config t
PUBLIC-FW-4THFL(config)# clear access-list ACL-OUT
PUBLIC-FW-4THFL(config)# access-list inside_out permit tcp any any eq 80
PUBLIC-FW-4THFL(config)# access-list inside_out permit tcp any any eq 443
PUBLIC-FW-4THFL(config)# access-group inside_out in interface inside
PUBLIC-FW-4THFL(config)# clear nat
PUBLIC-FW-4THFL(config)# sh nat
PUBLIC-FW-4THFL(config)# nat (inside) 1 inside_out
ERROR: invalid IP address
Usage: [no] nat [(
[dns] [outside]
[
[no] nat [(if_name)] 0 [access-list
PUBLIC-FW-4THFL(config)# nat (inside) 1 access-list inside_out
WARNING: access-list protocol or port will not be used
ERROR: invalid nat ID, <1>, with access-list
Usage: [no] nat [(
[dns] [outside]
[
[no] nat [(if_name)] 0 [access-list
PUBLIC-FW-4THFL(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
PUBLIC-FW-4THFL(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname PUBLIC-FW-4THFL
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
pager lines 24
logging history errors
mtu outside 1500
mtu inside 1500
ip address outside XX.XXX.XXX.XX 255.255.255.240
ip address inside 10.0.1.254 255.255.255.0
ip audit name Protection attack action alarm drop reset
ip audit interface outside Protection
ip audit interface inside Protection
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2004 disable
pdm history enable
arp timeout 14400
05-17-2006 03:56 PM
Hi .. the command is not right ... You left the 'access-list' sentence out of the command.
nat (inside) 1 access-list inside_out
global (outside) 1 interface
i hope it helps
05-18-2006 05:02 AM
The PIX (6.3.1) would not take that "nat (inside) 1 access-list inside_out" command. But, I got it to work like this:
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-list inside_out permit udp any any eq 4500
access-list inside_out permit udp any any eq 53
access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range 1 finger
access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range 81 442
access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range https 65000
access-list inside_out deny udp 10.0.1.0 255.255.255.0 any range 1 4499
access-list inside_out deny udp 10.0.1.0 255.255.255.0 any range 4501 10000
pager lines 24
logging on
logging buffered errors
logging history errors
mtu outside 1500
mtu inside 1500
ip address outside 12.152.202.98 255.255.255.240
ip address inside 10.0.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Thanks for the help, you pointed me in the right direction.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide