04-05-2004 08:24 PM - edited 02-20-2020 11:19 PM
I am configuring a PIX 515e. I want to deny all outgoing traffic except the ports I allow. I was trying to configure a service group to use inside of PDM for web traffic. I add http and https, but the rule does not work.
I can deny all traffic, but trying to allow it without allowing all TCP traffic does not work.
Is there a list of what the services convert to and which are needed to do simple transactions (i.e. browse the web and send and receive email)?
04-06-2004 12:41 AM
Hi,
Here is a sample config:
object-group service InternetTCP tcp
port-object eq http
port-object eq https
port-object eq domain
access-list acl_out permit tcp host 10.5.70.25 any object-group InternetTCP
access-list acl_out permit udp host 10.5.70.25 any eq domain
access-group acl_out in interface inside
Make sure the inside can connect to the outside before you apply the access-group.
HATO
04-07-2004 03:10 PM
Thank you for the info but once I apply the access group to the interface I lose the ability to browse.
Any ideas?
04-07-2004 06:31 PM
Hi,
Try to log everything,
PIX(config)# logging timestamp
PIX(config)# logging buffer debugging
PIX(config)# logging on
PIX(config)# show log
Please verify the log and make sure your TCP traffic won't get blocked. When it is blocked, add the TCP/UDP ports to the service group.
HATO
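The log-review step HATO describes (enable buffered logging, read the deny messages, then add the blocked ports to the service group) can be automated. The script below is an added example, not code from the thread or from Cisco: it parses constructed `show log` output in the shape of the `%PIX-4-106023` access-group deny message (the exact spacing and quoting differ between PIX releases, so the regex is an assumption to adjust), counts which protocol/port pairs a host was denied on, and prints candidate `port-object` lines. The group names `InternetTCP` (from the thread) and `InternetUDP` (assumed) are placeholders; the sample addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of PIX buffered-log output. The deny lines follow the
# %PIX-4-106023 layout; the final line is a normal "connection built" message
# and must be ignored by the parser.
SAMPLE_LOG = """\
Apr 07 2004 18:20:01: %PIX-4-106023: Deny udp src inside:10.5.70.25/1031 dst outside:192.0.2.53/53 by access-group "acl_out"
Apr 07 2004 18:20:01: %PIX-4-106023: Deny udp src inside:10.5.70.25/1032 dst outside:192.0.2.53/53 by access-group "acl_out"
Apr 07 2004 18:20:03: %PIX-4-106023: Deny tcp src inside:10.5.70.25/1033 dst outside:192.0.2.10/25 by access-group "acl_out"
Apr 07 2004 18:20:04: %PIX-4-106023: Deny tcp src inside:10.5.70.25/1034 dst outside:192.0.2.10/110 by access-group "acl_out"
Apr 07 2004 18:20:05: %PIX-4-106023: Deny tcp src inside:10.5.70.99/1035 dst outside:192.0.2.77/6667 by access-group "acl_out"
Apr 07 2004 18:20:06: %PIX-6-302013: Built outbound TCP connection 12 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.5.70.25/1036 (203.0.113.5/1036)
"""

# Assumed message layout: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group <acl>".
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp|icmp) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? "
    r'by access-group "?(?P<acl>[\w-]+)"?'
)

# Port keywords the PIX CLI accepts in place of numbers (subset).
PIX_PORT_NAMES = {
    ("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 25): "smtp",
    ("tcp", 110): "pop3", ("tcp", 143): "imap4", ("tcp", 53): "domain",
    ("udp", 53): "domain",
}


def parse_denies(log_text):
    """Return one dict per access-group deny line; other messages are skipped."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["src_port"] = int(d["src_port"]) if d["src_port"] else None
        d["dst_port"] = int(d["dst_port"]) if d["dst_port"] else None
        denies.append(d)
    return denies


def count_denied_services(denies, host=None):
    """Counter keyed by (proto, dst_port); optionally restricted to one source host."""
    counts = Counter()
    for d in denies:
        if host and d["src_ip"] != host:
            continue
        counts[(d["proto"], d["dst_port"])] += 1
    return counts


def suggest_port_objects(counts, tcp_group="InternetTCP", udp_group="InternetUDP", min_hits=1):
    """Candidate CLI lines. TCP and UDP go to separate groups because a
    'object-group service ... tcp' can only hold TCP ports."""
    lines = []
    for proto, group in (("tcp", tcp_group), ("udp", udp_group)):
        ports = sorted(p for (pr, p), hits in counts.items()
                       if pr == proto and p is not None and hits >= min_hits)
        if not ports:
            continue
        lines.append(f"object-group service {group} {proto}")
        for p in ports:
            lines.append(f" port-object eq {PIX_PORT_NAMES.get((proto, p), str(p))}")
    return lines


if __name__ == "__main__":
    denied = count_denied_services(parse_denies(SAMPLE_LOG), host="10.5.70.25")
    for (proto, port), hits in denied.most_common():
        print(f"{proto}/{port}: denied {hits} time(s)")
    print("\n".join(suggest_port_objects(denied)))
```

Run against the sample, the top denied service for the host is udp/53: DNS lookups, which a TCP-only object group never permits, and without name resolution browsing stops even though http and https are allowed. Review the suggestions before pasting them; a denied port is evidence that something tried to connect, not proof that it should be permitted (the 10.5.70.99 host in the sample is filtered out by the `host` argument for exactly that reason).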