Cisco Support Community

New Member

Simple PIX question

I'm a PIX newbie, but I am trying to block 2 people from surfing the web.

These are the commands I tried:

access-list 105 deny tcp host <ip> any eq www

access-list 105 deny tcp host <ip> any eq www

access-group 105 in interface inside

After doing so, no one could surf the net. What stupid mistake am I making? Thanks.

8 REPLIES
New Member

Re: Simple PIX question

Sorry for the dup.

New Member

Re: Simple PIX question

Try something like this (the PIX outbound/apply commands need a list ID, and blocking a source host uses outgoing_src):

outbound 1 deny 10.xxx.xxx.xxx 255.255.255.255 80 tcp

apply (if-name) 1 outgoing_src

--Brian

New Member

Re: Simple PIX question

No one can surf the net because there is an implicit entry at the end of your access-list which denies all traffic ("deny ip any any"); this is standard behaviour for all access-lists.

After denying traffic for certain hosts, add an entry which allows traffic for the rest of the hosts.

access-list 105 deny tcp host <ip> any eq www

access-list 105 deny tcp host <ip> any eq www

access-list 105 permit ip any any

access-group 105 in interface inside

-- Bjorn

New Member

Re: Simple PIX question

Well, the outbound commands didn't work, but the access-list 105 permit statement did the trick. I knew I had to do that on routers, but for some reason I thought the PIX didn't need the permit statement at the end.

Thanks for your help.

Silver

Re: Simple PIX question

Abruso,

Normally, you would not have to have a permit statement when inside users are initiating sessions to the outside, that is, if your security levels are configured correctly (by default they are correct).

I have seen some strange behaviour on version 6.2.2 and higher, where the PIX does seem to need the permit statement. But I think this is an error. As you can read on CCO about the ASA, it normally should let them through when travelling from inside to outside, because if it sees no matching rule it would apply the implicit rule. The implicit rule is not always deny any any (as another guy stated in one of the replies), but it depends on the security levels. If travelling from high to low security, the implicit rule should be permit any any (if no other rule matches).

Hope this helps in understanding.

Leo

New Member

Re: Simple PIX question

That's what I thought. The security levels are set up correctly on the interfaces. Inside is 100 and Outside is 0. I'm not really sure why the permit statement was needed. Oh well, as long as it works :).

Thanks.

Silver

Re: Simple PIX question

Hi,

Just to clarify the concept on this -

The ASA allows traffic from inside to outside by default. But when you apply an ACL on the inside interface, the behaviour is just like a router ACL, that is, there is an explicit deny at the end of the ACL. That's the reason the permit is doing the job for you. There are no issues with 6.2.2 and above with ACLs.

I hope this helps! Regards,

Mynul
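To make the behaviour Mynul describes concrete, here is an added example (not from the thread or from Cisco) that parses PIX-style access-list lines and evaluates them first-match with the implicit deny at the end. The host addresses (TEST-NET ranges) and the port-keyword table are constructed for the example; the two lists are the original poster's ACL and the same ACL with the trailing permit from Bjorn's reply.

```python
"""First-match ACL evaluation with an implicit deny at the end, modelled on the
PIX access-list lines in the thread.  Sample addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed subset of the PIX port keywords; only what the example needs.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, otherwise "tcp"/"udp"
    src: str               # CIDR or "addr/netmask" string
    dst: str
    dport: Optional[int]   # None when the entry carries no "eq <port>"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2   # ipaddress accepts dotted masks


def parse_ace(line):
    """Parse 'access-list <id> <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text):
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(ace.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(ace.dst, strict=False):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl, pkt):
    """Return (action, index of the matching entry).

    An index of None means no entry matched and the implicit deny fired,
    which is exactly what happened to everyone in the original poster's setup."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None


# The original poster's list, with constructed host addresses.
OP_ACL = parse_acl("""
access-list 105 deny tcp host 192.0.2.10 any eq www
access-list 105 deny tcp host 192.0.2.11 any eq www
""")

# The same list with the trailing permit from the accepted reply.
FIXED_ACL = OP_ACL + parse_acl("access-list 105 permit ip any any")

if __name__ == "__main__":
    samples = [
        Packet("tcp", "192.0.2.10", "198.51.100.1", 80),   # blocked host, HTTP
        Packet("tcp", "192.0.2.50", "198.51.100.1", 80),   # everyone else, HTTP
        Packet("tcp", "192.0.2.10", "198.51.100.1", 443),  # blocked host, HTTPS
    ]
    for pkt in samples:
        print(pkt.src, pkt.dport, "original:", evaluate(OP_ACL, pkt),
              "fixed:", evaluate(FIXED_ACL, pkt))
```

Running it shows the two outcomes the thread argues about: with only deny entries, the unlisted host 192.0.2.50 is denied by the implicit rule (index None), and the trailing permit ip any any is what lets it through. It also shows a gap the thread does not mention: the entries only match port 80, so the blocked hosts can still reach port 443, which on a modern web is most of "surfing". Whether that matters depends on the goal, but it is the first thing to check when a per-host block is verified.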

Silver

Re: Simple PIX question

Hi,

I hate to admit it, but I have to agree with Mynul. If an ACL is applied, it does indeed add an implicit "deny any any".

Sorry for providing you with incorrect information.

Only if no ACL is applied does the default behaviour depend on security levels, and all traffic from inside to outside would be permitted.

Kind regards,

Leo
