02-17-2004 02:19 PM - edited 02-20-2020 11:14 PM
Hi there,
Could you please advise on how to limit our outbound connections, only letting network users access HTTP, and servers SMTP, DNS, etc.?
We're currently using a PIX 515 with the latest software.
Thank you in advance.
02-17-2004 03:55 PM
You may configure an access list and apply it to the inside interface of the PIX, e.g.
access-l xxx permit tcp
access-l xxx permit tcp
access-g xxx in inter inside
One thing to notice is that everything else will be blocked. The way I would suggest is to block the user IP range only; in that case you, as an admin, plus the servers will still have full access. If you think so,
access-l xxx permit tcp
access-l xxx permit tcp
access-l xxx deny ip
access-l xxx permit ip
access-g xxx in inter inside
hope this helps
02-18-2004 06:57 AM
Cheers jackko for the reply.
But how do I apply this if I have 10.0.0.10 to 20 for the servers and 10.0.0.20 to 50 for users?
02-19-2004 01:11 PM
You can use the 'object-group' command. Create a network group and add all the user IPs into the group, then create the access list using the group name rather than IP addresses. You may also want to reconfigure the DHCP pool into a proper subnet, as the command doesn't support IP address ranges.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1038172
hope this helps
02-20-2004 10:58 AM
Thanks, I've read that in the docs. I'm considering using object-group. Definitely!
BTW, with all the viruses and trojans going around, would it be possible to start by blocking all the ports first, then open those that are necessary:
access-l block deny ip any any
access-l block permit tcp host
access-g block in interface inside
I tried doing that but I still can't browse the web. I have a local DNS server on our network; I tried adding
access-l block permit tcp host <192.168.0.x> any eq 53
Still no joy. Any ideas?
thanks again!
02-20-2004 10:11 PM
Once a match is made, the PIX does not compare the packet against the rest of the access list. It just drops the packet.
There is an implicit deny all at the end of each access list, so simply open the ones you want, and the rest will be blocked.
02-22-2004 03:34 PM
The access list order is important, as the PIX checks it from top to bottom, i.e. the first one you put in there is to deny all traffic.
Simply re-order the access list and it should work. BTW, you don't really need 'deny ip any any', as it is the default statement at the end of every access list.
access-l block permit tcp host
access-l block deny ip any any
access-g block in interface inside
good luck.
02-23-2004 01:07 PM
Great! But how come when I did that, I can't browse the web even though I've allowed my IP for www?
I've also noticed my internal DNS is not resolving anymore.
Is there anything missing or that I need to do?
thanks again!
02-23-2004 11:18 PM
You need to add another access list for the DNS. Remember to put it above the 'deny any any'.
02-24-2004 12:11 PM
Still no joy! I can't browse the web or resolve any IPs.
access-list acc-out permit tcp any host
access-list acc-in permit tcp host
access-list acc-in permit tcp host
access-list acc-in deny ip any any
static (inside,outside)
access-group acc-out in interface outside
access-group acc-in in interface inside
Am I missing anything in my config?
Thanks a lot!
02-24-2004 01:48 PM
Add this to your configuration, as DNS can use either protocol.
static (inside, outside)
access-list acc-in permit udp host
access-list acc-out permit udp any host
It's advisable to locate this DNS server in your DMZ.
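The three points made above (object-groups standing in for an address range, first-match order with the implicit deny, and DNS needing a UDP entry as well as TCP) can be checked offline with a small first-match evaluator. This is an added example, not code from the thread or from Cisco: it parses PIX 6.3-style object-group / access-list / access-group lines and applies first-match semantics to sample flows. The list names, the 10.0.0.x user and server addresses, the 192.168.0.53 DNS server and the 198.51.100.x destinations are constructed for the example and are not the poster's real configuration.

```python
"""Added example (not from the thread): first-match evaluation of PIX 6.3-style
access lists. Shows object-group entries in place of a range, why a leading
'deny ip any any' blocks everything, the implicit deny at the end of a list,
and why DNS needs both a UDP and a TCP entry. All addresses are constructed."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "domain": 53, "smtp": 25}
ANY = ipaddress.ip_network("0.0.0.0/0")


def port_number(tok):
    """Accept a PIX port keyword (www, domain, smtp) or a plain number."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


class PixAcl:
    """Parses object-group / access-list / access-group lines and applies
    first-match semantics: the first matching entry decides, and a packet
    that matches no entry is dropped (the implicit deny)."""

    def __init__(self, config_text):
        self.groups = {}    # object-group name -> [ip_network, ...]
        self.lists = {}     # access-list name -> [(action, proto, srcs, dsts, dport), ...]
        self.bindings = {}  # interface name -> access-list name
        group = None
        for line in config_text.splitlines():
            toks = line.split()
            if not toks or toks[0].startswith("!"):
                continue
            if toks[0] == "object-group":        # object-group network NAME
                group = self.groups.setdefault(toks[2], [])
            elif toks[0] == "network-object":    # host A.B.C.D | A.B.C.D MASK
                net = toks[2] if toks[1] == "host" else f"{toks[1]}/{toks[2]}"
                group.append(ipaddress.ip_network(net))
            elif toks[0] == "access-list":       # access-list NAME ACTION PROTO SRC DST [eq PORT]
                name, action, proto = toks[1], toks[2], toks[3]
                srcs, rest = self._addr(toks[4:])
                dsts, rest = self._addr(rest)
                dport = port_number(rest[1]) if rest[:1] == ["eq"] else None
                self.lists.setdefault(name, []).append((action, proto, srcs, dsts, dport))
            elif toks[0] == "access-group":      # access-group NAME in interface IFACE
                self.bindings[toks[4]] = toks[1]

    def _addr(self, toks):
        """Consume one address spec: any | host X | object-group G | X MASK."""
        if toks[0] == "any":
            return [ANY], toks[1:]
        if toks[0] == "host":
            return [ipaddress.ip_network(toks[1])], toks[2:]
        if toks[0] == "object-group":
            return self.groups[toks[1]], toks[2:]
        return [ipaddress.ip_network(f"{toks[0]}/{toks[1]}")], toks[2:]

    def check(self, interface, proto, src, dst, dport):
        """Return (action, entry_index); entry_index is None for the implicit deny."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for i, (action, p, srcs, dsts, port) in enumerate(self.lists[self.bindings[interface]]):
            if p not in ("ip", proto):
                continue
            if not any(src in n for n in srcs) or not any(dst in n for n in dsts):
                continue
            if port is not None and port != dport:
                continue
            return action, i
        return "deny", None


# Constructed config. A 10.0.0.20-.50 user range cannot be written as a range
# in PIX 6.3, so the group lists hosts plus a /27; the /27 also covers .51-.63,
# which is why re-subnetting the DHCP pool was suggested. No trailing deny:
# anything not permitted hits the implicit deny.
WORKING_CONFIG = """
object-group network users
 network-object host 10.0.0.20
 network-object host 10.0.0.21
 network-object 10.0.0.32 255.255.255.224
access-list acc-in permit tcp object-group users any eq www
access-list acc-in permit tcp host 10.0.0.10 any eq smtp
access-list acc-in permit udp host 192.168.0.53 any eq domain
access-list acc-in permit tcp host 192.168.0.53 any eq domain
access-group acc-in in interface inside
"""

# The ordering that blocked everything in the thread: the deny comes first, so
# the permit below it is never reached.
BROKEN_CONFIG = """
object-group network users
 network-object 10.0.0.32 255.255.255.224
access-list block deny ip any any
access-list block permit tcp object-group users any eq www
access-group block in interface inside
"""


def main():
    good, bad = PixAcl(WORKING_CONFIG), PixAcl(BROKEN_CONFIG)
    flows = [  # (label, proto, src, dst, dport)
        ("user web", "tcp", "10.0.0.40", "198.51.100.7", 80),
        ("user smtp", "tcp", "10.0.0.40", "198.51.100.7", 25),
        ("server smtp", "tcp", "10.0.0.10", "198.51.100.7", 25),
        ("dns udp", "udp", "192.168.0.53", "198.51.100.9", 53),
        ("dns tcp", "tcp", "192.168.0.53", "198.51.100.9", 53),
        ("unknown host", "udp", "10.0.0.99", "198.51.100.9", 53),
    ]
    for label, proto, src, dst, port in flows:
        print(f"{label:13} working={good.check('inside', proto, src, dst, port)}"
              f"  broken={bad.check('inside', proto, src, dst, port)}")


if __name__ == "__main__":
    main()
```

Running it shows the user's web flow permitted by entry 0 of the working list but denied by entry 0 of the broken list, the server's SMTP flow permitted, the DNS server's UDP and TCP port 53 flows permitted by separate entries, and anything else (a user trying SMTP, an address outside the group) returning a deny with no entry index, i.e. the implicit deny. The evaluator only models the inside-interface list; the stateful reply handling and the static/outside-interface entries in the thread are outside its scope.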
03-10-2004 09:57 AM
Hey guys! Thanks for all your help!
Everything seems to be locked down. I can sleep at night now!