Re: How to block IP address from outbound Internet connections.

iholdings · ‎04-22-2002

Greetings,

This sounds simple, but I don't see how to do it.

How can I block an IP address from going outbound to the Internet? Should I use and access-list, conduit, etc.? Excuse my ignorance.

g.rodegari · ‎04-22-2002

Hi,

You can use an access-list applied on the inside interface to deny the outbound connection.

Or you can use a shun command for blocking a IP in all directions (pixos 6.0 or later)

Graz.

gradosavljevic · ‎04-23-2002

The idea is to use an accesslist to block outgoing trafiic and to bind this accesslist to the inside interface. In the following example I allow users to use their browsers i.e. port 80 but also to browse websites usign SSL (port 443). All other trafic (e.g. telnet, FTP) is blocked.

access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq www

access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq 443

access-list user_punishment deny ip any any

access-group user_punishment in interface inside

The 3rd item in the accesslist is not needed but it help understanding the proccess.

Best regards

Goran

iholdings · ‎04-24-2002

Thanks for the help. I didn't create the access-group to bind the list to an interface.

One more question ... in your example, when I create the access-group does that only bind acl user_punishment to the inside interface or does it bind all acls to that interface?

e-estevez · ‎05-09-2002

Much easy than build an access or conduit, is using the command icmp. You can try this.

icmp deny host a.b.c.d interface <--- this can be inside or outside

Bye.

ddemers · ‎05-09-2002

Wouldn't that just prevent ICMP echo-replys from that PIX interface?

try access-l acl_in deny ip host a.b.c.d any

access-l acl_in permit ip any any

access-g acl_in in interface inside

gradosavljevic · ‎05-14-2002

I trust it only binds that particular ACL to the interface.

- Goran