Locking outbound connection on PIX

support
Level 1

Hi there,

Could you please advise on how to limit our outbound connections, only letting network users access HTTP and the servers SMTP, DNS, etc.?

We're currently using a PIX 515 with the latest software.

Thank you in advance.

11 Replies

jackko
Level 7

you may configure an access list and apply it to the inside interface of the pix, e.g.

access-l xxx permit tcp any eq http

access-l xxx permit tcp any eq smtp

access-g xxx in inter inside

one thing that should be noted is that everything else will be blocked. the way i would suggest is to block the user ip range only. in that case you, as an admin, plus the servers will still have full access. if you think so,

access-l xxx permit tcp any eq http

access-l xxx permit tcp any eq smtp

access-l xxx deny ip any

access-l xxx permit ip any

access-g xxx in inter inside

hope this helps

cheers jackko for the reply.

but how do i apply this if i have 10.0.0.10 to 20 for the servers and 10.0.0.20 to 50 for the users?

you can use the 'object-group' command. create a network group and add all the user ips into the group. then create the access list using the group name rather than ip addresses. you may also want to re-configure the dhcp pool into a proper subnet, as the command doesn't support ip address ranges.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1038172

hope this helps

thanks, i've read that in the docs. i'm considering using an object group. definitely!

btw, with all the viruses and trojans going around, would it be possible to start by blocking all the ports first and then open only those that are necessary:

access-l block deny ip any any

access-l block permit tcp host any eq www

access-g block in interface inside

i tried doing that but i still can't browse the web. i have a local DNS server on our network; i tried adding

access-l block permit tcp host <192.168.0.x> any eq 53

still no joy. any ideas?

thanks again!

Once a match is made the pix does not compare it to the rest of the access-list. It just drops the packet.

There is an implicit deny all at the end of each access-list, so simply open the ones you want, and the rest will be blocked.

the access list order is important, as the pix checks it from the top to the bottom, i.e. the first entry you put in there is to deny all traffic.

simply re-order the access list and it should work. btw, you don't really need to have 'deny ip any any', as it is the default statement at the end of every access list.

access-l block permit tcp host any eq www

access-l block deny ip any any

access-g block in interface inside

good luck.

great! but how come when i did that, i can't browse the web even though i've allowed my ip for www?

i've also noticed, my internal dns is not resolving anymore.

is there anything missing or need to do?

thanks again!

you need to add another access list for the dns. remember to put it above the 'deny any any'

still no joy! i can't browse the web nor resolve any ip.

access-list acc-out permit tcp any host eq 53

access-list acc-in permit tcp host eq 53

access-list acc-in permit tcp host any eq 80

access-list acc-in deny ip any any

static (inside,outside) netmask 255.255.255.255 0 0

access-group acc-out in interface outside

access-group acc-in in interface inside

am i missing anything on my config?

thanks a lot!

Add this to your configuration, as DNS can use either protocol.

static (inside, outside) netmask 255.255.255.255 0 0

access-list acc-in permit udp host any eq domain

access-list acc-out permit udp any host eq domain

It's advisable to locate this DNS server in your DMZ.
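The two points the thread turns on (entries are matched top to bottom with the first match winning, and every list ends in an implicit 'deny ip any any'; plus DNS needing both TCP and UDP entries) can be checked with a small first-match simulator. This is an added example, not configuration or code from the thread or from Cisco: it accepts a simplified subset of the access-list syntax used above ('any' or 'host A.B.C.D' address specs, 'eq PORT' with the names www/http/domain/smtp), and the sample packets, the 10.0.0.5 DNS server address and the 203.0.113.10 web server address are constructed for the demonstration.

```python
"""Toy first-match simulator for PIX-style access lists (added example, not from the thread).

Models the two rules discussed in the replies:
  * entries are checked top to bottom and the first match wins;
  * every access list ends with an implicit 'deny ip any any'.
Only a small subset of the real syntax is understood (see parse_entry).
"""
from dataclasses import dataclass
from typing import List, Optional

# Port keywords used in the thread; the numeric form is also accepted.
PORT_NAMES = {"www": 80, "http": 80, "domain": 53, "smtp": 25}


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Entry:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    src: str             # "any" or a host address
    dst: str
    dport: Optional[int]  # None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Return (address spec, next index); accepts 'any' or 'host A.B.C.D'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address spec at {tokens[i]!r}")


def parse_entry(line: str) -> Entry:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] not in ("access-list", "access-l"):
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = PORT_NAMES.get(port) or int(port)
    return Entry(action, proto, src, dst, dport)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def _entry_match(e: Entry, pkt: Packet) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
        return False
    return e.dport is None or e.dport == pkt.dport


def evaluate(acl_lines: List[str], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under first-match semantics."""
    for entry in (parse_entry(line) for line in acl_lines):
        if _entry_match(entry, pkt):
            return entry.action      # first match wins; later entries are never consulted
    return "deny"                    # implicit 'deny ip any any' at the end of every list


# Constructed sample traffic from a user workstation (10.0.0.30).
WEB = Packet("tcp", "10.0.0.30", "203.0.113.10", 80)     # browsing an external web server
DNS_UDP = Packet("udp", "10.0.0.30", "10.0.0.5", 53)     # ordinary lookup to the internal DNS server

# The order the original poster tried: the deny comes first and shadows everything below it.
DENY_FIRST = [
    "access-list block deny ip any any",
    "access-list block permit tcp any any eq www",
]
# Re-ordered as advised: permits first, the implicit deny does the rest.
PERMIT_FIRST = [
    "access-list block permit tcp any any eq www",
    "access-list block permit tcp any host 10.0.0.5 eq 53",
]
# TCP-only DNS entries miss UDP lookups; add the udp line as the last reply suggests.
WITH_UDP_DNS = PERMIT_FIRST + ["access-list block permit udp any host 10.0.0.5 eq domain"]


if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST), ("with udp dns", WITH_UDP_DNS)):
        print(f"{name:13s} web={evaluate(acl, WEB)} dns/udp={evaluate(acl, DNS_UDP)}")
```

Running it shows why the poster could neither browse nor resolve: with the deny entry first, every packet hits it before the permits are reached, and even with the permits first a TCP-only port 53 entry leaves ordinary UDP lookups falling through to the implicit deny.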

Hey guys! Thanks for all your help!

Everything seems to be locked down. I can sleep at night now!
