Outbound Connections Questions

yanks2112 (IS-IT--Management)
Jan 5, 2004
Hi All,

I am brand spanking new to the PIX world, so forgive me if this is a simple question. Actually, I think I know the answer but would like to confirm my suspicions.

I am currently running Symantec Enterprise Firewall 7 and am moving to PIX 7.0. I am creating outbound ACLs based on my Symantec ruleset. My question is this: do I need to do this? Symantec denies everything by default, so rules need to be created to allow traffic to flow over a given port. In PIX (it seems) the opposite is true: no rules need to be defined to get outbound access. Is this a secure configuration? Does anyone have ACLs pointing outbound that only allow certain ports (i.e., http, telnet, ftp) and deny all others? If so, how do you get that to work? It seems that you need to explicitly deny rather than permit traffic to go out.

Thanks for reading the long-winded post, and again, sorry if it is really basic.
 
Horus24,

Thanks, I read that. What I wound up finding (after repairing my head from knocking it against a wall) was to add a deny statement at the end of my outbound ACL. I thought that it would be implicit given the fact that an ACL was in place, but I guess not. Live and learn.
Thanks!
 
By default, traffic is allowed from a higher security level to a lower level. If you put an ACL on the inside interface, there will be an implicit "deny ip any any" at the end. It is a good idea to actually add that line in so you can see the hit count for traffic that you have forbidden. (You can add "log" and a level number to see what traffic is actually making the hit counts in your log file.)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hey Supergrrover,

Thanks for the info. I'll definitely be logging the denied traffic.
 
Spin up a syslog server. If you have a lot of traffic, the logs won't hold that much. Kiwi has a free one that I use and it is pretty good. (They also make syslog re-directors to send to a remote syslog server.)


Brent
Systems Engineer / Consultant
CCNP, CCSP
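As an added example (not from the thread; none of the posters shared their configuration), here is a PIX 7.0 outbound ACL built the way Brent describes in his two replies: a permit list for the services the original poster named, an explicit final deny with "log" and a level so the hit counts and syslog entries show what is being dropped, and syslog forwarding to an external server instead of the small on-box buffer. The interface name "inside", the 192.168.1.0/24 inside network, the DNS server 192.0.2.53, the syslog host 192.168.1.50, and the ACL and object-group names are assumptions.

```cisco
! Added example, not from the thread. Assumed names and addresses:
!   inside network 192.168.1.0/24, DNS server 192.0.2.53,
!   syslog server 192.168.1.50, ACL name OUTBOUND.
!
! Destination TCP ports the inside users are allowed to reach.
object-group service OUTBOUND_TCP tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
  port-object eq telnet
!
! Permit only the listed services from the inside network,
! and DNS only to the one resolver.
access-list OUTBOUND extended permit tcp 192.168.1.0 255.255.255.0 any object-group OUTBOUND_TCP
access-list OUTBOUND extended permit udp 192.168.1.0 255.255.255.0 host 192.0.2.53 eq domain
!
! Explicit final deny. The implicit deny at the end of the ACL would
! drop the same traffic, but this line shows a hit count in
! "show access-list" and logs each denied flow at severity 4.
access-list OUTBOUND extended deny ip any any log 4
!
! Applying the ACL inbound on the inside interface replaces the
! default higher-to-lower permit with the list above.
access-group OUTBOUND in interface inside
!
! Send the denies to a syslog server rather than the local buffer.
logging enable
logging timestamp
logging trap warnings
logging host inside 192.168.1.50
!
! Verify which lines are matching (each ACE shows hitcnt=N).
show access-list OUTBOUND
```

Return traffic for a permitted connection still comes back through the stateful connection table, so no inbound permit is needed for replies. Because the deny line carries the "log" keyword, each denied flow is reported as a 106100 message that includes the access-list name and a hit count, which is what makes the syslog useful for seeing who is trying to reach what; "logging trap warnings" (level 4) matches the level set on the ACE so those messages actually reach the server.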
 