Cisco Support Community
New Member

Block everything outbound except WWW and HTTPS

Greetings, I have a PIX 501 and I am trying to block all TCP/UDP ports outbound for all internal hosts. I would only like to allow 80 and 443 outbound.

Can someone give me a hand?

Thanks!

6 REPLIES

Re: Block everything outbound except WWW and HTTPS

sure ..

access-list inside_out permit tcp any any eq 80

access-list inside_out permit tcp any any eq 443

nat (inside) 1 access-list inside_out

global (outside) 1 interface

access-group inside_out in interface inside

Please rate it if it helps !!!!

New Member

Re: Block everything outbound except WWW and HTTPS

Will this block everything else or do we need to add the deny ip any any at the end?

Thanks for the quick response!

Molinek.

Re: Block everything outbound except WWW and HTTPS

yes it will block everything else .. there is a predefined deny at the end of each access-list which you don't see from the config .. You can also include a deny at the end if you want for logging purposes but it is not required.

I hope it helps ... ahhh .. please rate it if it does !!

New Member

Re: Block everything outbound except WWW and HTTPS

It won't accept the NAT statement that you have here, and I have no traffic at all if I enter the:

access-group inside_out in interface inside

I have to enter it with "outside" to get traffic flowing. See below:

PUBLIC-FW-4THFL# config t

PUBLIC-FW-4THFL(config)# clear access-list ACL-OUT

PUBLIC-FW-4THFL(config)# access-list inside_out permit tcp any any eq 80

PUBLIC-FW-4THFL(config)# access-list inside_out permit tcp any any eq 443

PUBLIC-FW-4THFL(config)# access-group inside_out in interface inside

PUBLIC-FW-4THFL(config)# clear nat

PUBLIC-FW-4THFL(config)# sh nat

PUBLIC-FW-4THFL(config)# nat (inside) 1 inside_out

ERROR: invalid IP address

Usage: [no] nat [(<if_name>)] <nat_id> <local_ip> [<mask>

[dns] [outside]

[<max_conns> [emb_limit> [<norandomseq>]]]]

[no] nat [(if_name)] 0 [access-list <acl_name> [outside]]

PUBLIC-FW-4THFL(config)# nat (inside) 1 access-list inside_out

WARNING: access-list protocol or port will not be used

ERROR: invalid nat ID, <1>, with access-list

Usage: [no] nat [(<if_name>)] <nat_id> <local_ip> [<mask>

[dns] [outside]

[<max_conns> [emb_limit> [<norandomseq>]]]]

[no] nat [(if_name)] 0 [access-list <acl_name> [outside]]

PUBLIC-FW-4THFL(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

PUBLIC-FW-4THFL(config)# wr t

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname PUBLIC-FW-4THFL

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inside_out permit tcp any any eq www

access-list inside_out permit tcp any any eq https

pager lines 24

logging history errors

mtu outside 1500

mtu inside 1500

ip address outside XX.XXX.XXX.XX 255.255.255.240

ip address inside 10.0.1.254 255.255.255.0

ip audit name Protection attack action alarm drop reset

ip audit interface outside Protection

ip audit interface inside Protection

ip audit info action alarm

ip audit attack action alarm

ip audit signature 2004 disable

pdm history enable

arp timeout 14400

Re: Block everything outbound except WWW and HTTPS

Hi .. the command is not right ... You left the 'access-list' sentence out of the command.

nat (inside) 1 access-list inside_out

global (outside) 1 interface

i hope it helps

New Member

Re: Block everything outbound except WWW and HTTPS

The PIX (6.3.1) would not take that "nat (inside) 1 access-list inside_out" command. But, I got it to work like this:

access-list inside_out permit tcp any any eq www

access-list inside_out permit tcp any any eq https

access-list inside_out permit udp any any eq 4500

access-list inside_out permit udp any any eq 53

access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range 1 finger

access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range 81 442

access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range https 65000

access-list inside_out deny udp 10.0.1.0 255.255.255.0 any range 1 4499

access-list inside_out deny udp 10.0.1.0 255.255.255.0 any range 4501 10000

pager lines 24

logging on

logging buffered errors

logging history errors

mtu outside 1500

mtu inside 1500

ip address outside 12.152.202.98 255.255.255.240

ip address inside 10.0.1.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Thanks for the help, you pointed me in the right direction.
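To check the two access-lists in this thread against each other, here is an added Python model of how a PIX 6.x access-list is evaluated: entries are tried top to bottom, the first match wins, and anything unmatched hits the implicit deny that the first reply mentions. This is example code written for this page, not code from the page, the poster, or Cisco, and it models only the access-list decision (not NAT, the global pool, or the fixup inspection). The two-line list is copied from the first reply and the nine-line list from the final post above; the inside host 10.0.1.10, the outside address 198.51.100.5 and the sample flows are constructed for the example.

```python
"""Added example: a minimal model of PIX 6.x access-list evaluation.

Models the two properties the thread relies on: entries are checked top
to bottom and the first match wins, and anything not matched hits the
implicit deny at the end of every access-list.
"""
import ipaddress
import re

# Port keywords the PIX CLI substitutes for numbers (subset used on this page).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "finger": 79, "domain": 53}

# Two-line ACL from the first reply (relies entirely on the implicit deny).
SHORT_ACL_TEXT = """
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
"""

# ACL the original poster ended up with (explicit denies after the permits).
LONG_ACL_TEXT = """
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-list inside_out permit udp any any eq 4500
access-list inside_out permit udp any any eq 53
access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range 1 finger
access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range 81 442
access-list inside_out deny tcp 10.0.1.0 255.255.255.0 any range https 65000
access-list inside_out deny udp 10.0.1.0 255.255.255.0 any range 1 4499
access-list inside_out deny udp 10.0.1.0 255.255.255.0 any range 4501 10000
"""

ACE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp|ip)\s+(.*)$")


def port_number(token):
    """Resolve a PIX port keyword or numeric string to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ports(tokens):
    """Consume an optional destination port spec (eq P | range A B)."""
    if not tokens:
        return 0, 65535
    if tokens[0] == "eq":
        p = port_number(tokens[1])
        return p, p
    if tokens[0] == "range":
        return port_number(tokens[1]), port_number(tokens[2])
    raise ValueError(f"unsupported port operator: {tokens[0]}")


def parse_acl(text, name="inside_out"):
    """Turn access-list lines for `name` into (action, proto, src, dst, lo, hi) tuples."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        lo, hi = parse_ports(rest)
        entries.append((action, proto, src, dst, lo, hi))
    return entries


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First-match evaluation. Returns (action, index); index None = implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, p, snet, dnet, lo, hi) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if src in snet and dst in dnet and lo <= dport <= hi:
            return action, i
    return "deny", None


SHORT_ACL = parse_acl(SHORT_ACL_TEXT)
LONG_ACL = parse_acl(LONG_ACL_TEXT)
# Same two permits plus the optional explicit "deny ip any any" for logging.
LOGGED_ACL = parse_acl(SHORT_ACL_TEXT + "access-list inside_out deny ip any any\n")

# Constructed sample flows from an inside host (10.0.1.0/24) to an outside address.
SAMPLE_FLOWS = [("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 65100),
                ("udp", 53), ("udp", 4500), ("udp", 123), ("udp", 20000)]


def compare(flows=SAMPLE_FLOWS, src="10.0.1.10", dst="198.51.100.5"):
    """Decision of each ACL per flow, so the two lists can be checked side by side."""
    return {(proto, dport): (evaluate(SHORT_ACL, proto, src, dst, dport)[0],
                             evaluate(LONG_ACL, proto, src, dst, dport)[0])
            for proto, dport in flows}


if __name__ == "__main__":
    for flow, (short, long) in compare().items():
        print(f"{flow[0]}/{flow[1]:<5} two-line ACL: {short:<6} poster's ACL: {long}")
```

Running it shows that the explicit deny lines in the longer list change only which entry registers the hit (which is what makes them useful for `show access-list` counters or logging), not the outcome: TCP 22 is denied by line 5 in the longer list and by the implicit deny in the shorter one. The two lists differ in outcome only for UDP 53 and UDP 4500, which the longer list permits. Flows the explicit denies do not cover, such as TCP ports above 65000 or a source outside 10.0.1.0/24, still fall through to the implicit deny, so nothing is opened by leaving them out.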
