Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Wanet Telecoms Ltd on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

I want to block my outbound traffic with my Cisco PIX 501

Status
Not open for further replies.
Flixxie

Flixxie

Technical User
Jan 23, 2008
5
NL
I have a Cisco PIX for experimental use.
My problem is that all outbound traffic is allow?
Is there someone that can help me to block my outbound traffic.
Here is a example of my cisco script.

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Firewall
domain-name Pix.lan
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any eq access-list 101 permit tcp any eq pop3 any
access-list 101 permit tcp any eq domain any
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq https any
access-list 101 permit tcp any eq smtp any
access-list 101 deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.50-192.168.10.60 inside
dhcpd dns "DNS servers"
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
 
Sort by date Sort by votes
By default, traffic is allowed from high security interfaces to lower security interfaces without an access list. In your case, all traffic is allowed from "inside" to "outside".

To stop traffic from the inside to outside, you just need an ACL like you already have on the outside interface. For example, if you want to stop HTTP and HTTPS traffic, you could use:

Code: 
access-list 102 deny tcp any any eq www
access-list 102 deny tcp any any eq 443
access-list 102 permit ip any any

access-group 102 in interface inside

The "permit ip any any" command at the end allows all other traffic out. If you omit that, then no traffic will be allowed to pass. If you really want to block everything, then use:

Code: 
access-list 102 deny ip any any




Matt
CCIE Security
 
Upvote 0 Downvote
excellent! it's will work perfectly!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2
  • Locked
  • Question
Loss of my privacy
Replies
12
Views
2K
Rick998
Rick998
Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
Miluis
  • Locked
  • Question
How necessary is an antivirus?
Replies
3
Views
362
Rick998
Rick998
salanje87
  • Locked
  • Question
Block Broadcast storming.
Replies
3
Views
765
hairlessupportmonkey
hairlessupportmonkey
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
835
Johnkite
Johnkite

Part and Inventory Search

Sponsor

Back
Top