
Deny outbound traffic - permit by ip?


olson5000

MIS
Jun 5, 2002
14
US
Is it common to deny tcp traffic entirely on one's network and only allow specific ip addresses out to the internet depending on port (80, 443, etc.)? Here is an example:

access-list account_in permit tcp 10.1.1.117 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.44 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.144 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.100 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.112 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.51 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.84 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.146 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.87 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.110 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.117 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.44 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.144 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.100 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.51 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.84 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.146 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.87 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.110 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.100 255.255.255.255 any eq 1070
access-list account_in permit tcp 10.1.1.100 255.255.255.255 any eq 1070
access-list account_in permit tcp 10.1.1.146 255.255.255.255 any eq 8080
access-list tsi_in deny ip any any
access-group tsi_in in interface inside
access-group account_in in interface inside

This is just a small example of my config. This is a real monster. Any suggestions or examples would be fantastic. Thanks.
 
Hi.

In a complex scenario, some solutions might help you manage it, like:

Using PDM for basic access-list management.

Using AAA server with authentication and authorization, like Cisco ACS server (this will cost you...).

Using a proxy server that will also be responsible for outbound policy instead of the pix, and the pix will allow only the proxy and other servers out (this will also cost some).

Defining a simpler security policy: simple policy = easier management.

You can do another trick with the pix - play with the "nat" command instead of access-list.
{Disable previous nat commands:}
no nat 1 0 0
clear xlate
no access-list account_in
{
access-list account_in permit tcp any any eq 80
access-list account_in permit tcp any any eq 443
access-list account_in .....
access-group account_in in interface inside
nat 1 10.1.1.117 255.255.255.255
nat 1 10.1.1.44 255.255.255.255
nat 1 10.1.1.144 255.255.255.255
etc...

BTW - you cannot bind more than one access-list per interface!

Bye
Yizhar Hurwitz
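To make the nat-based rewrite suggested in the reply concrete, here is an added Python example (not code from either poster or from Cisco). It parses ACEs in the shape of the question's config, emits the per-port access-list plus per-host nat lines, flags the interface that has two access-groups bound (only one can be in effect), and lists the host/port combinations the rewrite newly permits, since collapsing per-host rules to "any" widens the policy. The config text is constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample input in the shape of the question's PIX config (not the real config).
SAMPLE_CONFIG = """
access-list account_in permit tcp 10.1.1.117 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.44 255.255.255.255 any eq 80
access-list account_in permit tcp 10.1.1.117 255.255.255.255 any eq 443
access-list account_in permit tcp 10.1.1.100 255.255.255.255 any eq 1070
access-list account_in permit tcp 10.1.1.100 255.255.255.255 any eq 1070
access-list tsi_in deny ip any any
access-group tsi_in in interface inside
access-group account_in in interface inside
"""

# Host-specific permit ACEs and access-group bindings; deny lines are ignored on purpose.
ACE_RE = re.compile(r"^access-list (\S+) permit tcp (\d+\.\d+\.\d+\.\d+) 255\.255\.255\.255 any eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse(config):
    """Return ({host: set(ports)}, {interface: [bound ACL names]}, number of duplicate ACEs)."""
    allowed, bindings, seen, dups = defaultdict(set), defaultdict(list), set(), 0
    for line in (raw.strip() for raw in config.strip().splitlines()):
        if m := ACE_RE.match(line):
            dups += line in seen            # the repeated 10.1.1.100 eq 1070 line counts once
            seen.add(line)
            allowed[m.group(2)].add(int(m.group(3)))
        elif g := GROUP_RE.match(line):
            bindings[g.group(2)].append(g.group(1))
    return allowed, bindings, dups

def nat_rewrite(allowed, acl="account_in", nat_id=1):
    """The reply's alternative: one 'any any' ACE per port, one nat statement per host."""
    ports = sorted({p for ps in allowed.values() for p in ps})
    hosts = sorted(allowed, key=lambda h: tuple(map(int, h.split("."))))
    return ([f"access-list {acl} permit tcp any any eq {p}" for p in ports]
            + [f"nat {nat_id} {h} 255.255.255.255" for h in hosts])

def widened_pairs(allowed):
    """(host, port) combinations the rewrite permits that the per-host ACL did not."""
    ports = {p for ps in allowed.values() for p in ps}
    return sorted((h, p) for h, ps in allowed.items() for p in ports - ps)

def multi_bound(bindings):
    """Interfaces with more than one access-group applied; only one can be in effect."""
    return {i: acls for i, acls in bindings.items() if len(acls) > 1}
```

Review the output of widened_pairs before applying the rewrite: in the sample, 10.1.1.100 gains web access and every other nat'd host gains port 1070, which may or may not match the intended policy.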
 