Re: blocking web sites using outbound statement.

pokey · ‎11-13-2002

Hi all

i want to block access to a web site ip 65.89.168.6 using a outbound statement.

This is the config so far:

outbound 10 deny 65.89.168.6 255.255.255.255 80 tcp

outbound 10 permit 0.0.0.0 0.0.0.0 0 tcp

apply (outside) 10 outgoing_dest

I've used an outbound statement because it's running an old config full of conduits and other outbound lists. So not that easy to change it to use access-lists. Anyway the above filter is not working. Have i done it correctly?

What i want to do is to stop the outside interface to be able to send tcp 80 out to that ip, so that users cant access the site. I couldnt change the outbound list on the inside interface because it's for outgoing_src not destinations.

Any ideas?

gfullage · ‎11-16-2002

You shouldn't need the "permit all" outbound statement. Outbounds are not like access-lists. The PIX is probably seeing that and allowing the traffic through. there's an example in teh command reference (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm#xtocid47) that shows you how to do this.

pokey · ‎11-24-2002

i got rid of the permit statement and also tried getting rid of the outbound statement on the inside interface and it still doesnt work? could this be an ios issue?

gfullage · ‎11-24-2002

What do you mean "also tried getting rid of the outbound statement on the inside interface", how do you expect it to work if you get rid of the outbound statement?

When your users browse to this web site, are they using the name or the actual IP address? If they're using a name, are you sure that name maps to this IP address specifically? What if they put http://65.89.168.6 in their browser, does that work correctly?

Can you enable syslogging and then try and go to that web site and send us the syslogs? Can you include the full PIX config (omit the password lines and change the public IP addresses)?

pokey · ‎11-24-2002

This is what we get.. this is my pc 128.129.226.74.. as u can see i can get to the url

304001: 128.129.226.74 Accessed URL 65.89.168.6:/

304001: 128.129.226.74 Accessed URL 65.89.168.6:/assets/images/bg_black_blue.gif

with

apply (inside) 11 outgoing_src

apply (outside) 10 outgoing_dest

and with just

apply (outside) 10 outgoing_dest

we get the same thing.

this is the list

outbound 10 deny 65.89.168.4 255.255.255.255 80 tcp

outbound 10 deny 65.240.226.201 255.255.255.255 80 tcp

outbound 10 deny 65.89.168.6 255.255.255.255 80 tcp

outbound 10 deny 64.127.186.78 255.255.255.255 80 tcp

outbound 10 deny 65.89.168.4 255.255.255.255 0 tcp

outbound 10 deny 65.240.226.201 255.255.255.255 0 tcp

outbound 10 deny 65.89.168.6 255.255.255.255 0 tcp

outbound 10 deny 64.127.186.78 255.255.255.255 0 tcp

outbound 10 deny 65.89.168.4 255.255.255.255 0 ip

outbound 10 deny 65.240.226.201 255.255.255.255 0 ip

outbound 10 deny 65.89.168.6 255.255.255.255 0 ip

outbound 10 deny 64.127.186.78 255.255.255.255 0 ip

the outbound 11 list is to permit some devices accessing the web, that why a outgoing source is used for the inside interface.

ssdata · ‎11-26-2002

Hi,

apply the outbound list to the inside interface:

apply (inside) 10 outgoing_dest

and use:

clear xlate

pokey · ‎11-26-2002

I can't apply the list on the inside interface because, there is an existing outbound list bound for that interface for outabound sources. This list is configured to permit certain ip's to be allow through to the outside. Without this list all ips will be able to go to the outside interface.

ssdata · ‎11-27-2002

Hi,

apply another outbound list to the inside interface. There can be more than one outbound group applied in one interface. If you need to permit few and deny many users, use "outbound 11 deny 0 0" and after that permit particular hosts. As you know, outbound lists are processed linearily and the most specific rule "wins".