Configure PIX to block outbound traffic.

smartnet
Level 1

I am trying to configure my PIX to block outgoing traffic to a specific IP range. Below is the line that I put into the PIX...

access-list inside_access_out deny ip any 63.246.130.0 255.255.255.255

access-group inside_access_out in interface inside

With this line of code, all outgoing traffic is blocked, no matter where it is going. Any idea what I am missing?

Thanks,

Michael Laro

mlaro@devine.com

4 Replies

gfullage
Cisco Employee

Always remember that there's an implicit "deny everything" at the end of an access-list. By adding one line with a specific deny as you have, there's an additional line after that that says "deny everything else" and so everything is blocked. What you want is the following:

access-list inside_access_out deny ip any 63.246.130.0 255.255.255.255

access-list inside_access_out permit ip any any

access-group inside_access_out in interface inside

and you should be good to go.

Will the Pix translate the address/mask to all hosts on that network given the mask of 255.255.255.255?

That mask is for one host only.

Perfect! I put this config in and it worked great. I did, however, following the other posts, change the netmask from 255.255.255.255 to 255.255.255.0.

Thanks!
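Added example, not written by any poster in this thread: a small Python model of first-match ACL evaluation with the implicit deny, run over the three configurations discussed above (deny line only, deny plus permit with the 255.255.255.255 mask, and the same with 255.255.255.0). The source and destination test addresses are constructed, and the parser handles only the `ip` lines shown in this thread.

```python
import ipaddress

def parse_acl(config):
    """Parse PIX-style 'access-list NAME permit|deny ip SRC DST' lines."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue  # skip access-group and blank lines
        action, rest, nets = tok[2], tok[4:], []
        while rest:
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                rest = rest[1:]
            else:
                # PIX ACLs take a normal subnet mask, not a wildcard mask
                nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
                rest = rest[2:]
        rules.append((action, nets[0], nets[1]))
    return rules

def evaluate(rules, src, dst):
    """First matching line wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit "deny everything" at the end of every access-list

# The three configurations from the thread.
ORIGINAL = "access-list inside_access_out deny ip any 63.246.130.0 255.255.255.255"
HOST_MASK = ORIGINAL + "\naccess-list inside_access_out permit ip any any"
NET_MASK = HOST_MASK.replace("255.255.255.255", "255.255.255.0")

SRC = "192.168.1.10"  # constructed inside host
# Constructed test destinations: network address, a host in the range, an unrelated host
DESTS = ("63.246.130.0", "63.246.130.25", "198.51.100.7")

def verdicts(config):
    """Return the permit/deny result for each test destination."""
    rules = parse_acl(config)
    return tuple(evaluate(rules, SRC, d) for d in DESTS)

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("host mask", HOST_MASK), ("/24 mask", NET_MASK)):
        print(f"{name:10}", dict(zip(DESTS, verdicts(cfg))))
```

With the 255.255.255.255 mask only the single address 63.246.130.0 is denied, so the rest of the range still gets out until the mask is changed to 255.255.255.0.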
