New Member

limit outbound access to http

Hi,

To limit outbound access to only http/s, pop3 and smtp for groups of PCs, I'm using:

access-list inside_access_in permit udp host landns any eq domain

access-list inside_access_in permit tcp object-group http-https any eq www

access-list inside_access_in permit tcp object-group http-https any eq https

access-list inside_access_in permit tcp object-group ftp any eq ftp

access-list inside_access_in permit tcp object-group pop3-smtp any eq pop3

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

access-list inside_access_in permit tcp object-group pop3-smtp any eq smtp

This doesn't work!

Am I missing something? I'm doing this on a

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)

Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz

When I put

access-list inside_access_in permit ip any any

I get access, but this is not my objective...

5 REPLIES
Gold

Re: limit outbound access to http

Do "sh access-list inside_access_in" to verify whether the ACL entries have been hit or not.

New Member

Re: limit outbound access to http

Yes, they are used, but when I removed

access-list inside_access_in permit ip any any

game over, I can't access any site.

I can use nslookup and resolve the IP via DNS, but I can access either with IP or DNS name.

Help needed, and thanks for your reply.

Gold

Re: limit outbound access to http

Let's forget the permit ip any any for a moment.

I just would like to clarify: when you issue the command "sh access-list inside_access_in", is the "hitcnt" of each entry increasing or not?

e.g.

access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=10)

access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=13)

access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=15)

access-list inside_access_in line 4 permit tcp object-group ftp any eq ftp (hitcnt=12)

access-list inside_access_in line 5 permit tcp object-group pop3-smtp any eq pop3 (hitcnt=11)

Then kick off a new internet browsing session and issue the command "sh access-list inside_access_in" again; you should see the "hitcnt" for line 2 increase from 13 to 14.

e.g.

access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=14)
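The before/after comparison this reply describes, as an added Python example that is not part of the thread or of any Cisco tool: it parses two snapshots of "sh access-list" output (assuming the "line N ... (hitcnt=N)" format quoted above) and reports which entries' counters increased. The two snapshots are constructed to mirror the counts in this reply.

```python
import re

# One PIX 6.3 "show access-list" entry; assumption: the format
# "access-list <name> line <n> <rule> (hitcnt=<count>)" quoted in the thread.
ENTRY_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)\s*$"
)

def parse_hitcounts(output):
    """Map (acl name, line number) -> (rule text, hitcnt) from 'show access-list' output."""
    entries = {}
    for raw in output.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries[(m["acl"], int(m["line"]))] = (m["rule"], int(m["hits"]))
    return entries

def hitcount_delta(before, after):
    """Return [(line, rule, increase)] for every entry whose hitcnt grew between snapshots."""
    changed = []
    for key, (rule, hits_after) in sorted(after.items()):
        hits_before = before.get(key, (rule, 0))[1]   # new entries count from zero
        if hits_after > hits_before:
            changed.append((key[1], rule, hits_after - hits_before))
    return changed

# Constructed sample snapshots: lines 1 and 2 were hit by a new browsing session, line 3 was not.
BEFORE = """\
access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=10)
access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=13)
access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=15)
"""
AFTER = """\
access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=12)
access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=14)
access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=15)
"""

if __name__ == "__main__":
    for line, rule, inc in hitcount_delta(parse_hitcounts(BEFORE), parse_hitcounts(AFTER)):
        print(f"line {line}: +{inc}  {rule}")
```

An entry that never moves while the client retries is the one to look at; an entry that moves while the session still fails points past the ACL, as the last reply in this thread found.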

New Member

Re: limit outbound access to http

Yes, it increases.

New Member

Re: limit outbound access to http

Hi,

Thanks for all of your answers!

My problem, I guess, was connected to syslog! :)

I had all log data logged via TCP, so when the syslog server could not be contacted (because I only had access-list entries for http, https, dns and ftp), outside connections were dead...

I now have UDP instead....
