Security, hacker detection & forensics FAQ

Access Lists

Create an outbound restriction for an interface by baddos
Posted: 12 Dec 02 (Edited 21 Mar 03)

I wanted to restrict computers on my inside network from accessing certain network resources on the Internet. By default the PIX will allow traffic from a higher security level to access through a lower level (i.e. inside can go outside, but not vice versa). This can be done by applying an inbound access-list to the inside interface.

It doesn't make sense to set up an inbound access-list to control outbound access, but you'll see how it works next.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
!Below Line blocks ALL access to www.playboy.com
access-list 101 deny ip any host 209.247.228.201
!Below Lines allow ftp, dns, www, pop3, ntp, news, imap, and ssl
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq nntp
access-list 101 permit udp any any eq ntp
access-list 101 permit tcp any any eq imap4
access-list 101 permit tcp any any eq https
!Below line applies this to the inbound of Inside
access-group 101 in interface inside


This access-list blocks everything except DNS, News, HTTP, NTP, IMAP, POP3, SSL and FTP. It also blocks all access to 209.247.228.201.

You can modify this access-list to suit your needs. I use it to block access to instant messaging servers, and other servers that are normally permitted under the allowed ports.
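As an added illustration that is not part of the original post, the script below models how the PIX evaluates the list above: entries are checked top to bottom, the first match wins, and anything that matches nothing hits the implicit deny at the end. The inside host addresses and the 198.51.100.10 destination used in the checks are constructed sample values.

```python
import ipaddress

# The access-list exactly as posted above, embedded here as sample input.
ACL_TEXT = """
access-list 101 deny ip any host 209.247.228.201
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq nntp
access-list 101 permit udp any any eq ntp
access-list 101 permit tcp any any eq imap4
access-list 101 permit tcp any any eq https
"""

# PIX service keywords used in the list, mapped to their port numbers.
PORTS = {"ftp": 21, "ftp-data": 20, "domain": 53, "www": 80, "pop3": 110,
         "nntp": 119, "ntp": 123, "imap4": 143, "https": 443}

def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acl(text):
    """Turn 'access-list <id> permit|deny <proto> <src> <dst> [eq <svc>]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        port = PORTS[tok[i + 1]] if i < len(tok) and tok[i] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one flow: first matching entry wins, else implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:   # 'ip' entries match every protocol
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:  # 'eq' compares the destination port
            continue
        return action
    return "deny"
```

Reordering the list so the host deny comes after the permits would let port 80 traffic to 209.247.228.201 through, which is why the deny sits first in the posted configuration.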
