
limit outbound access to http

joaquimlopes
Level 1

Hi,

To limit outbound access to only HTTP/S, POP3 and SMTP for groups of PCs, I'm using:

access-list inside_access_in permit udp host landns any eq domain
access-list inside_access_in permit tcp object-group http-https any eq www
access-list inside_access_in permit tcp object-group http-https any eq https
access-list inside_access_in permit tcp object-group ftp any eq ftp
access-list inside_access_in permit tcp object-group pop3-smtp any eq pop3
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
access-list inside_access_in permit tcp object-group pop3-smtp any eq smtp

This doesn't work!

Am I missing something? I'm doing this on a

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)

Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz

When I put

access-list inside_access_in permit ip any any

I get access, but this is not my objective...

5 Replies

jackko
Level 7

Do "sh access-list inside_access_in" to verify whether the ACL entries have been hit or not.

Yes, they are used, but when I removed

access-list inside_access_in permit ip any any

game over, I can't access any site.

I can use nslookup and resolve IPs via DNS, but I can't access any site either by IP or by DNS name.

Help needed, and thanks for your reply.

Let's forget the permit ip any any for a moment.

Just to clarify: when you issue the command "sh access-list inside_access_in", is the "hitcnt" of each entry increasing or not?

e.g.

access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=10)
access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=13)
access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=15)
access-list inside_access_in line 4 permit tcp object-group ftp any eq ftp (hitcnt=12)
access-list inside_access_in line 5 permit tcp object-group pop3-smtp any eq pop3 (hitcnt=11)

Then kick off a new internet browsing session and issue the command "sh access-list inside_access_in" again; you should see the "hitcnt" for line 2 increase from 13 to 14.

e.g.

access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=14)
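The check described in the reply above (take a snapshot of "sh access-list", generate test traffic, take a second snapshot and see which hitcnt moved) is easy to do by eye for five entries and error-prone for fifty. The following is an added example, not code from the thread or from Cisco: a small Python parser for PIX 6.3 "show access-list" output that diffs the hitcnt of every entry between two snapshots, lists the lines the test traffic matched, and flags entries still at zero. The two snapshots are constructed from the counters quoted above; the sixth (smtp) entry, its zero count, the "6 elements" header line and the DNS increment are assumptions made for illustration.

```python
"""Diff hitcnt values between two PIX 'show access-list' snapshots.

Added example for this thread (not from the original posts). The sample
snapshots below are constructed from the counters quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

# One access-control entry (ACE) as printed by PIX 6.3 'show access-list':
#   access-list <acl> line <n> <rule ...> (hitcnt=<count>)
# Expanded object-group members reuse the same line number with a concrete
# host, so an ACE is identified by (acl, line, rule text), not by line alone.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)\s*$"
)

AceKey = Tuple[str, int, str]


def parse_show_access_list(output: str) -> Dict[AceKey, int]:
    """Map each ACE to its hitcnt. Header lines such as
    'access-list inside_access_in; 6 elements' do not match and are skipped."""
    entries: Dict[AceKey, int] = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            key = (m.group("acl"), int(m.group("line")), m.group("rule"))
            entries[key] = int(m.group("hits"))
    return entries


def hitcnt_deltas(before: str, after: str) -> List[dict]:
    """One record per ACE present in 'after' with its change in hitcnt.

    An ACE missing from 'before' starts at 0 (added between snapshots);
    a negative delta means the counters were cleared in between."""
    old = parse_show_access_list(before)
    new = parse_show_access_list(after)
    report = []
    for key in sorted(new):
        acl, line, rule = key
        b, a = old.get(key, 0), new[key]
        report.append({"acl": acl, "line": line, "rule": rule,
                       "before": b, "after": a, "delta": a - b})
    return report


def lines_hit(before: str, after: str) -> List[int]:
    """ACL line numbers whose hitcnt increased: the entries the test traffic matched."""
    return sorted({r["line"] for r in hitcnt_deltas(before, after) if r["delta"] > 0})


def lines_never_hit(after: str) -> List[int]:
    """ACL line numbers still at hitcnt=0: either unused permits or traffic that
    is not reaching the rule you expected it to match."""
    return sorted({line for (_, line, _), hits
                   in parse_show_access_list(after).items() if hits == 0})


# Constructed sample: counters quoted in the thread plus an assumed sixth
# (smtp) entry that has never matched.
SNAPSHOT_BEFORE = """\
access-list inside_access_in; 6 elements
access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=10)
access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=13)
access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=15)
access-list inside_access_in line 4 permit tcp object-group ftp any eq ftp (hitcnt=12)
access-list inside_access_in line 5 permit tcp object-group pop3-smtp any eq pop3 (hitcnt=11)
access-list inside_access_in line 6 permit tcp object-group pop3-smtp any eq smtp (hitcnt=0)
"""

# Same ACL after one browsing session: one DNS lookup (assumed) and one HTTP connection.
SNAPSHOT_AFTER = """\
access-list inside_access_in; 6 elements
access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=11)
access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=14)
access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=15)
access-list inside_access_in line 4 permit tcp object-group ftp any eq ftp (hitcnt=12)
access-list inside_access_in line 5 permit tcp object-group pop3-smtp any eq pop3 (hitcnt=11)
access-list inside_access_in line 6 permit tcp object-group pop3-smtp any eq smtp (hitcnt=0)
"""

if __name__ == "__main__":
    for r in hitcnt_deltas(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        flag = "HIT" if r["delta"] > 0 else ("idle" if r["after"] == 0 else "")
        print(f"line {r['line']:>2} {r['before']:>4} -> {r['after']:<4} {flag:4} {r['rule']}")
    print("lines hit:", lines_hit(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print("never hit:", lines_never_hit(SNAPSHOT_AFTER))
```

Paste the two captures into the two snapshot strings (or read them from files) and run it once after the test session. A permit entry that stays idle while the client still cannot connect is the hint that the traffic is being dropped before or after the ACL, which is what the rest of this thread ends up tracking down.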

Yes, it increases.

Hi,

thanks for all of your answers!

My problem, I guess, was connected to syslog! :)

I had all data logged via TCP, so when the syslog server could not be contacted (because I only had access-list entries for HTTP, HTTPS, DNS and FTP), outside connections were dead...

I now have UDP instead....