Filtering outbound traffic with Pix

johutchins, Level 1

Hi,

A customer wants to lock down his open ports going outbound. It's OK to allow HTTP, but he wants everything else closed down. I don't think this can be accomplished with the PIX, right? I mean, if I block all ports other than, say, TCP 80, then even when that protocol negotiates a higher port number, the connection will fail. Is there a way to do "established"?

Has anyone successfully blocked IM at a minimum ?

--Jon

3 Replies

bobd, Level 1

It's quite common to filter outbound traffic from the inside interface. Example:

! inside interface address for the 192.168.1.0/24 LAN
ip address inside 192.168.1.254 255.255.255.0
! permit only web traffic from the LAN; "eq" names the destination port
access-list inside-out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside-out permit tcp 192.168.1.0 255.255.255.0 any eq 443
! apply the list to traffic entering the PIX on the inside interface
access-group inside-out in interface inside

This would block all outbound traffic except ports 80 (www) and 443 (secure www).

And the PIX is then capable of handling the connection when it handshakes to a higher port? Does the PIX bypass the ACL once the traffic is established?

That entire process happens after the access list is checked, so it's not affected.

Bob
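To make Bob's point concrete (the access list is consulted only when a connection is first created, and the return packets on the client's high-numbered source port ride the connection table), here is a small stateful-firewall model. This is an added example written for this thread, not configuration or code from Cisco or from the posters; the addresses, ports and sample packets are constructed, and 203.0.113.0/24 is a documentation range. Port 5190 stands in for any non-web destination port such as an IM client would use.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    """One 'access-list inside-out permit tcp <net> <mask> any eq <port>' line."""
    src_net: str        # "192.168.1.0/24" (the PIX writes the mask as 255.255.255.0)
    dport: int          # the 'eq' port: only the DESTINATION port is constrained

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and pkt.dport == self.dport)


class StatefulFirewall:
    def __init__(self, inside_acl):
        self.inside_acl = list(inside_acl)
        self.conns = set()   # established connections, keyed by the inside host's 4-tuple

    def forward(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. A packet belonging to an existing connection, in either direction,
        #    is forwarded by the connection table; the ACL is not consulted.
        if fwd in self.conns or rev in self.conns:
            return "permit: existing connection"
        # 2. A packet arriving on the outside with no matching connection is
        #    dropped, even if its source port is 80.
        if pkt.iface != "inside":
            return "deny: no connection, outside interface"
        # 3. A new connection from the inside is checked against the ACL
        #    exactly once, on its first packet.
        if not pkt.syn:
            return "deny: no connection and not a connection start"
        if any(r.matches(pkt) for r in self.inside_acl):
            self.conns.add(fwd)
            return "permit: ACL, connection created"
        return "deny: ACL implicit deny"


# the two permit lines from the post, as rules
INSIDE_OUT = [Rule("192.168.1.0/24", 80), Rule("192.168.1.0/24", 443)]

# constructed sample traffic
SAMPLE = [
    Packet("inside", "192.168.1.10", 49152, "203.0.113.5", 80, syn=True),     # browser opens a page
    Packet("outside", "203.0.113.5", 80, "192.168.1.10", 49152),             # server's reply to port 49152
    Packet("inside", "192.168.1.10", 49152, "203.0.113.5", 80),              # client's next packet
    Packet("inside", "192.168.1.10", 49153, "203.0.113.5", 5190, syn=True),  # non-web port (IM-style)
    Packet("outside", "203.0.113.7", 80, "192.168.1.10", 49152, syn=True),   # unsolicited, sport 80
]


def run(packets=SAMPLE, acl=INSIDE_OUT):
    fw = StatefulFirewall(acl)
    return [fw.forward(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run()):
        print(f"{pkt.iface:>7} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The second packet is the one Jon is worried about: it arrives for the client's "higher" port 49152, which no ACL line mentions, and it is forwarded because the connection table already holds the 4-tuple the first packet created. The last packet shows why this is better than a port-based "established" rule: a packet from source port 80 to the same high port with no matching connection is still dropped. Blocking an IM client then comes down to whether it can reach its servers over 80 or 443; anything that needs another port is caught by the implicit deny, as the fourth packet shows.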
