Cisco Support Community
Community Member

Denying traffic from inside to internet

Hi everybody

I'm configuring a 515E and I want to deny all traffic from inside to internet except ports 80, 443, 25, 100 and 143. By default all traffic is allowed because the inside interface has the higher security level, isn't it? I know that I must use an access-list, but I don't know exactly how. The inside network is 10.112.11.0/24 and the internet router is 192.168.10.250 (the PAT interface for outside is 192.168.10.1). Ports 25, 100 and 143 are opened by an Exchange Server at 10.112.11.180. I'm trying the following:

access-list ins_out permit tcp host 10.112.11.180 any eq 25
access-list ins_out permit tcp host 10.112.11.180 any eq 100
access-list ins_out permit tcp host 10.112.11.180 any eq 143
access-list ins_out permit tcp 10.112.11.0 255.255.255.0 any eq 80
access-list ins_out permit tcp 10.112.11.0 255.255.255.0 any eq 443
access-list ins_out deny tcp any any
access-group ins_out in interface inside

???

Is it going to work? Any other idea?

Thanks in advance
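To see what this ins_out list actually does to outbound flows, here is an added example (not from the original post or from Cisco): a small first-match evaluator for PIX-style access-list lines, fed the list above with the `host` keyword supplied on the Exchange server entries. The sample flows and destination addresses are constructed; the point it shows is that the explicit `deny tcp any any` only catches TCP, while everything else (UDP such as DNS, ICMP) falls to the ACL's implicit deny.

```python
import ipaddress

# Constructed copy of the thread's ins_out list (host keyword added on the /32 entries).
ACL = """
access-list ins_out permit tcp host 10.112.11.180 any eq 25
access-list ins_out permit tcp host 10.112.11.180 any eq 100
access-list ins_out permit tcp host 10.112.11.180 any eq 143
access-list ins_out permit tcp 10.112.11.0 255.255.255.0 any eq 80
access-list ins_out permit tcp 10.112.11.0 255.255.255.0 any eq 443
access-list ins_out deny tcp any any
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse access-list lines into ordered (action, proto, src, dst, port) entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None  # None = any port
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; no match means the ACL's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in entries:
        if p not in (proto, "ip"):
            continue
        if s in src and d in dst and port in (None, dst_port):
            return action
    return "deny (implicit)"

if __name__ == "__main__":
    acl = parse_acl(ACL)
    for flow in [("tcp", "10.112.11.180", "203.0.113.10", 25),   # Exchange SMTP out
                 ("tcp", "10.112.11.50", "203.0.113.10", 25),    # other host SMTP out
                 ("tcp", "10.112.11.50", "203.0.113.10", 443),   # HTTPS from any inside host
                 ("udp", "10.112.11.50", "203.0.113.53", 53)]:   # DNS, not covered by any line
        print(flow, "->", evaluate(acl, *flow))
```

Run it against a proposed list before applying it with access-group: the DNS row is the one that usually surprises people, since a web-only policy without a UDP/53 permit breaks name resolution for the whole inside network.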

1 REPLY
Cisco Employee

Re: Denying traffic from inside to internet

That's true: by default, traffic from inside to outside will be permitted, unless otherwise denied explicitly using an ACL.

You are on the right track creating an access-list and applying it to the inside interface.

Just a side note about ICMP:

http://www.cisco.com/warp/public/110/31.html

HTH

R/Yusuf
