

Filtering outbound traffic with Pix

Hi,

A customer wants to lock down his open ports going outbound. It's ok to allow http, but he wants everything else closed down. I don't think this can be accomplished with the Pix, right? I mean, if I block all ports other than say tcp 80, then even when that protocol negotiates a higher number, the connection will fail. Is there a way to do established?

Has anyone successfully blocked IM at a minimum ?

--Jon

3 REPLIES

Re: Filtering outbound traffic with Pix

It's quite common to filter outbound traffic from the inside interface. Example:

ip address inside 192.168.1.254 255.255.255.0
access-list inside-out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside-out permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-group inside-out in interface inside

This would block all outbound traffic except ports 80 (www) and 443 (secure www).


Re: Filtering outbound traffic with Pix

And the Pix is then capable of handling the connection when it handshakes to a higher port? Does the Pix bypass the acl once the traffic is established?


Re: Filtering outbound traffic with Pix

That entire process happens after the access list is checked, so it's not affected.

Bob
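The two answers above fit together as a small model: the ACL is consulted once, when the first packet of a new outbound connection arrives, and every later packet of that flow (including the server's replies to the client's high ephemeral source port) is matched against the firewall's connection table instead. The Python below is an added illustration, not code from this thread and not PIX internals: it applies the two permit entries from the first reply with the PIX's implicit deny at the end, then tracks permitted connections so that return and follow-on traffic skips the ACL. The client and server addresses, the ephemeral ports and the port 8080 attempt are constructed sample values.

```python
"""Toy stateful firewall: outbound ACL on new connections, connection table for the rest.

Illustrative model only; it is not how the PIX is implemented internally.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # set on the first packet of a new TCP connection


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    src_net: str              # e.g. "192.168.1.0/24" (the PIX ACL uses a netmask)
    dst_port: Optional[int]   # None matches any destination port


class StatefulFirewall:
    def __init__(self, acl):
        self.acl = list(acl)
        self.conns = set()  # connection table keyed by the outbound 4-tuple

    def _acl_lookup(self, pkt):
        # First-match semantics with an implicit deny at the end, as on the PIX
        for entry in self.acl:
            src_ok = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(entry.src_net)
            if src_ok and entry.dst_port in (None, pkt.dst_port):
                return entry.action
        return "deny"

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.conns:
            return "established"  # connection table hit: the ACL is not consulted again
        if not pkt.syn:
            return "denied (no connection)"  # mid-stream packet with no tracked flow
        if self._acl_lookup(pkt) == "permit":
            self.conns.add(key)  # the ACL decision is made once, here
            return "permitted (new connection)"
        return "denied (acl)"

    def inbound(self, pkt):
        # Reverse the tuple: return traffic must belong to a connection opened from inside
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conns:
            return "established"
        return "denied (no connection)"


def run_demo():
    """Replays the scenario from the thread; returns each packet's verdict."""
    fw = StatefulFirewall([
        AclEntry("permit", "192.168.1.0/24", 80),   # access-list inside-out ... eq www
        AclEntry("permit", "192.168.1.0/24", 443),  # access-list inside-out ... eq 443
    ])
    client, server = "192.168.1.10", "203.0.113.5"  # constructed addresses
    results = {}
    # 1. Client opens a web connection from a high ephemeral source port
    results["web syn"] = fw.outbound(Packet(client, 51000, server, 80, syn=True))
    # 2. The server's reply comes back to that high port: matched by the table, not the ACL
    results["web reply"] = fw.inbound(Packet(server, 80, client, 51000))
    # 3. Further client packets on the same flow also skip the ACL
    results["web data"] = fw.outbound(Packet(client, 51000, server, 80))
    # 4. A new connection to a non-web port hits the implicit deny (constructed port)
    results["other syn"] = fw.outbound(Packet(client, 51001, server, 8080, syn=True))
    # 5. An unsolicited inbound connection attempt has no table entry
    results["unsolicited"] = fw.inbound(Packet(server, 4444, client, 80, syn=True))
    return results


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:12} -> {verdict}")
```

The model shows why the original worry does not apply: the ACL matches the destination port (80 or 443) of the first packet, the client's high source port is whatever the operating system picked, and neither that port nor the server's replies need their own permit entries because the connection table handles them.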
