I have read that by default, on PIX 501 all outbound traffic is allowed. I was wondering if that could be reversed: deny all outbound traffic except for specific ports from the internal network.
The PIX is in a small office area that just needs port 80 and maybe 25. I want to reduce outbound traffic to just the ones I specify. Any luck in doing that without 100 ACLs? I have also read that ACLs are processed in the order of the config file, so if I deny all outbound traffic, will all remaining ACLs be null and void?
You can do this with access-lists also. The ACLs are processed in order (line for line). You can have 100 ACLs in your config file, but you can only have one bound to an interface per direction, so if you have an ACL configured for inbound traffic, it will process that one ACL line for line until it finds a match. If a match is not found, there is an implicit deny at the end of all ACLs, so the packet will be dropped.
I have a ton of questions regarding the PIX OS. I guess most of them are theory sort of questions: why are things done a certain way, sort of thing. For instance, out of the box the 501 allows outbound traffic. It appears that as soon as I apply the first ACL that is no longer the case. Is that correct?
I don't quite understand the fixup protocol. I have read that they are predefined in the PIX to listen on those ports, adding functionality like web filters and Mailguard. I will not be using these features at this time. Any reason to keep the fixup protocols enabled?
Fixup protocols do different things for different protocols. fixup protocol smtp limits inbound SMTP connections (provided you opened the port) to basic SMTP commands, and hides banners. This breaks MS Exchange SMTP. fixup protocol dns allows only one reply per request to come in, and checks to make sure that it is DNS traffic, and not just something from port 53 to a high-numbered port.
An ACL bound "in" on the inside interface will stop "all" outbound traffic, and only allow that which is permitted in the ACL to pass. Remember, at the end of all Cisco (IOS or PIXen) ACLs is an implicit deny-all statement that will catch anything that hasn't already been matched by a rule.
So, you really want to read up on the docs, but as a rule, fixup protocol is a good thing, except for us Exchange SMTP users.
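The two points made above (first match wins, implicit deny at the end, and an early deny shadowing everything below it) can be checked with a small model of the evaluation. This is an added example, not code from the thread or from Cisco; the ACL lines are constructed for the office described (ports 80 and 25 only), the parser handles only the `access-list NAME permit|deny PROTO any any [eq PORT]` subset with numeric ports, and the name `inside_in` and the `access-group inside_in in interface inside` binding are assumptions.

```python
# Added example: a minimal model of PIX/IOS access-list evaluation.
# Rules are walked in config order; the first match decides; falling off
# the end is the implicit deny. Only a small syntax subset is modelled.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    port: Optional[int]   # destination port from "eq N", or None for any


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list NAME permit tcp any any eq 80' lines, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        port = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
        rules.append(Rule(action=tok[2], proto=tok[3], port=port))
    return rules


def evaluate(rules: List[Rule], proto: str, dport: int) -> str:
    """First matching rule wins; no match means the implicit deny applies."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.port is not None and r.port != dport:
            continue
        return r.action
    return "deny (implicit)"


# Constructed ACL for the office in the thread: only web and mail outbound.
# On the box it would be bound with: access-group inside_in in interface inside
OFFICE_ACL = """
access-list inside_in permit tcp any any eq 80
access-list inside_in permit tcp any any eq 25
"""
# Same rules with an explicit deny-all placed first: the permits are shadowed.
SHADOWED_ACL = "access-list inside_in deny ip any any\n" + OFFICE_ACL


def decide(acl_text: str, proto: str, dport: int) -> str:
    return evaluate(parse_acl(acl_text), proto, dport)


if __name__ == "__main__":
    for name, acl in (("office", OFFICE_ACL), ("deny-first", SHADOWED_ACL)):
        for proto, port in (("tcp", 80), ("tcp", 25), ("tcp", 443), ("udp", 53)):
            print(f"{name:10} {proto}/{port} -> {decide(acl, proto, port)}")
```

Note that with only 80 and 25 permitted, UDP 53 is dropped as well, so client name resolution must happen without crossing the inside interface, or a permit for DNS has to be added to the list.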
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...