11-01-2002 10:57 AM - edited 02-20-2020 10:20 PM
Hi,
A customer wants to lock down his open ports going outbound. It's ok to allow HTTP, but he wants everything else closed down. I don't think this can be accomplished with the PIX, right? I mean, if I block all ports other than, say, TCP 80, then when even that protocol negotiates a higher number, the connection will fail. Is there a way to do established?
Has anyone successfully blocked IM at a minimum ?
--Jon
11-01-2002 11:45 AM
It's quite common to filter outbound traffic from the inside interface. Example:
ip address inside 192.168.1.254 255.255.255.0
access-list inside-out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside-out permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-group inside-out in interface inside
This would block all outbound traffic except ports 80 (www) and 443 (secure www).
11-01-2002 11:57 AM
And the PIX is then capable of handling the connection when it handshakes to a higher port? Does the PIX bypass the ACL once the traffic is established?
11-01-2002 12:08 PM
That entire process happens after the access list is checked, so it's not affected.
Bob
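The point made in the last two replies (the access list is checked only when a connection is first opened; the rest of the flow, including the server's replies to the client's high-numbered port, is handled by the firewall's connection table) can be seen in a small model. The following is an added example, not PIX code or anything from this thread: it parses the access-list lines quoted above, applies them to the opening SYN of each outbound connection, and passes later packets and inbound replies by state only. The client and server addresses and the IM port are constructed sample values.

```python
"""Toy model of a stateful firewall applying an outbound access list.

Added example (not PIX code): the ACL is consulted only for the packet that
opens a connection; established flows and the server's replies are allowed
through a connection table, so the client's high-numbered port never needs
an ACL entry of its own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Port keywords accepted in "eq" clauses (only the ones needed here).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True only for the SYN that opens a TCP connection


def _parse_addr(tokens, i):
    """Parse 'any' or 'ADDR MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(config_lines):
    """Build Ace objects from 'access-list' lines; other config lines are ignored."""
    acl = []
    for line in config_lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acl.append(Ace(action, proto, src, dst, dport))
    return acl


def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in ace.src
            and ip_address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))


class StatefulFirewall:
    def __init__(self, acl):
        self.acl = acl
        self.conns = set()   # 5-tuples of connections already permitted

    def outbound(self, pkt):
        """Inside -> outside. The ACL is consulted only for a new connection."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:
            return True                      # established: ACL not re-checked
        if not pkt.syn:
            return False                     # non-SYN packet with no state
        for ace in self.acl:
            if ace_matches(ace, pkt):
                if ace.action == "permit":
                    self.conns.add(key)
                return ace.action == "permit"
        return False                         # implicit deny at end of ACL

    def inbound(self, pkt):
        """Outside -> inside. Only replies to tracked connections are allowed."""
        reverse_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse_key in self.conns


def run_demo():
    config = [   # the configuration quoted in the thread
        "ip address inside 192.168.1.254 255.255.255.0",
        "access-list inside-out permit tcp 192.168.1.0 255.255.255.0 any eq www",
        "access-list inside-out permit tcp 192.168.1.0 255.255.255.0 any eq 443",
        "access-group inside-out in interface inside",
    ]
    fw = StatefulFirewall(parse_acl(config))
    client, server = "192.168.1.10", "203.0.113.5"   # constructed sample hosts
    return {
        "http_syn": fw.outbound(Packet("tcp", client, 40000, server, 80, syn=True)),
        "http_reply": fw.inbound(Packet("tcp", server, 80, client, 40000)),
        "http_data": fw.outbound(Packet("tcp", client, 40000, server, 80)),
        "im_syn": fw.outbound(Packet("tcp", client, 40001, server, 5190, syn=True)),
        "unsolicited_in": fw.inbound(Packet("tcp", "198.51.100.9", 80, client, 40000, syn=True)),
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:15} {'permit' if allowed else 'deny'}")
```

The HTTP reply arrives on the client's port 40000, which no ACL entry permits, yet it passes because the connection was recorded when the SYN was permitted; the IM connection on the constructed port 5190 is refused at the ACL, and an unsolicited inbound SYN finds no matching connection.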