09-25-2003 12:44 PM - edited 02-20-2020 11:00 PM
I'm a PIX newbie, but I am trying to block 2 people from surfing the web.
These are the commands I tried:
access-list 105 deny tcp host <ip> any eq www
access-list 105 deny tcp host <ip> any eq www
access-group 105 in interface inside
After doing so, no one could surf the net. What stupid mistake am I making? Thanks.
09-25-2003 01:35 PM
sorry for the dup
09-25-2003 01:38 PM
try something like this
outbound deny 10.xxx.xxx.xxx 255.255.255.255 80 tcp
apply (if-name)
--Brian
09-25-2003 01:48 PM
No one can surf the net because there is an implicit entry at the end of your access-list which denies all traffic (deny ip any any); this is standard behaviour for all access-lists.
After denying traffic for certain hosts, add an entry which allows traffic for the rest of the hosts.
access-list 105 deny tcp host <ip> any eq www
access-list 105 deny tcp host <ip> any eq www
access-list 105 permit ip <inside-network> <netmask> any
access-group 105 in interface inside
-- Bjorn
09-25-2003 02:52 PM
Well, the outbound commands didn't work, but the access-list 105 permit statement did the trick. I knew I had to do that on routers, but for some reason I thought the PIX didn't need the permit statement at the end.
Thanks for your help.
09-26-2003 08:19 AM
Abruso,
Normally, you would not have to have a permit statement when inside users are initiating sessions to the outside, that is, if your security levels are configured correctly (by default they are correct).
I have seen some strange behaviour on version 6.2.2 and higher, where the PIX does seem to need the permit statement. But I think this is an error. As you can read on CCO about the ASA, it normally should let them through when travelling from inside to outside, because if it sees no matching rule it would apply the implicit rule. The implicit rule is not always deny any any (as another guy stated in one of the replies), but it depends on the security levels. If travelling from high to low security the implicit rule should be permit any any (if no other rule matches).
Hope this helps in understanding.
Leo
09-26-2003 09:20 AM
That's what I thought. The security levels are set up correctly on the interfaces. Inside is 100 and Outside is 0. I'm not really sure why the permit statement was needed. Oh well, as long as it works :).
Thanks.
09-26-2003 03:14 PM
Hi,
Just to clarify the concept on this -
ASA allows traffic from inside to outside by default. But, when you apply the ACL on the inside interface, then the behavior is just like a router ACL, that is, there is an explicit deny at the end of the ACL. That's the reason the permit is doing the job for you. There are no issues with 6.2.2 and above with ACLs.
I hope this helps! Regards,
Mynul
09-29-2003 12:09 AM
Hi,
I hate to admit it, but I have to agree with Mynul. If an ACL is applied, it does indeed add an implicit "deny any any".
Sorry for providing you with incorrect information.
Only if no ACL is applied does the default behaviour depend on security levels, and then all traffic from inside to outside would be permitted.
Kind regards,
Leo
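Added example (not from any poster in this thread): a small Python model of first-match access-list evaluation with the implicit deny at the end that Bjorn, Mynul and Leo describe, run over the two-host list from the first post with and without the trailing permit. The host addresses, the destination and the inside subnet 10.1.1.0/24 are constructed placeholders, and the parser only understands the PIX ACE shapes used in this thread (host, network/mask, any, eq port).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service keywords the PIX accepts in place of a port number (subset).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp", "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]               # None means "any port"


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one PIX address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX writes "network mask", not prefix length: 10.1.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """access-list <id> <permit|deny> <proto> <src> <dst> [eq <port>]"""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        dport = int(p) if p.isdigit() else SERVICE_PORTS[p]
    return Ace(action, proto, src, dst, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines if l.strip().startswith("access-list")]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; an applied ACL ends with an implicit deny ip any any."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace.action, f"line {n}"
    return "deny", "implicit deny"


# Constructed sample: the two-line list from the first post, then the same list
# with the permit entry Bjorn suggested appended.
ORIGINAL_ACL = [
    "access-list 105 deny tcp host 10.1.1.50 any eq www",
    "access-list 105 deny tcp host 10.1.1.51 any eq www",
]
FIXED_ACL = ORIGINAL_ACL + ["access-list 105 permit ip 10.1.1.0 255.255.255.0 any"]

BLOCKED_HOST = Packet("tcp", "10.1.1.50", "198.51.100.10", 80)        # one of the two hosts
BLOCKED_HOST_HTTPS = Packet("tcp", "10.1.1.50", "198.51.100.10", 443)  # same host, port 443
OTHER_HOST = Packet("tcp", "10.1.1.20", "198.51.100.10", 80)          # everybody else

if __name__ == "__main__":
    for name, lines in (("original", ORIGINAL_ACL), ("with permit", FIXED_ACL)):
        acl = parse_acl(lines)
        for label, pkt in (("blocked host :80", BLOCKED_HOST),
                           ("blocked host :443", BLOCKED_HOST_HTTPS),
                           ("other host :80", OTHER_HOST)):
            print(f"{name:12} {label:18} -> {evaluate(acl, pkt)}")
```

With the original two lines every packet that is not from one of the two hosts falls off the end of the list and hits the implicit deny, which is exactly the "no one could surf" symptom; with the permit appended, the two hosts are still denied on line 1 or 2 and the rest of the subnet is permitted on line 3. The model also makes a detail of the original commands visible: because the deny entries say eq www, the same two hosts are only stopped on port 80, and a connection to port 443 from them matches the permit entry instead.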