PIX - Deny outbound traffic

All of my PIX's allow all outbound traffic, as this is the out-of-the-box configuration. I do a basic setup as follows when I need to allow inbound:

access-list outside_access_in permit tcp any interface outside eq XXXX
..again..
..again..
..etc..
access-group outside_access_in in interface outside

(NOTE: I don't always permit from any host or permit to the interface, I may do host to host, etc)

Anyway. This lets me allow the ports I need (80, 443, 3899, whatever). But it allows everything outbound. I want to know the proper way to accomplish 2 goals:

1) Keeping my allowed inbound access, Deny ALL outbound access, Specify the outbound ports to allow
2) Keeping my allowed inbound access, Specify the outbound ports to block, Allow all other outbound ports

ESM

In article , ESM wrote:
:All of my PIX's allow all outbound traffic as this is the out of box
:configuration.

:I want to know the proper way to accomplish 2
:goals:

:1) Keeping my allowed inbound access, Deny ALL outbound access, Specify the
:outbound ports to allow
:2) Keeping my allowed inbound access, Specify the outbound ports to block,
:Allow all other outbound ports

Create an access-list and

access-group ACLNAME in interface inside

For effect #2, end it with 'access-list ACLNAME permit ip any any'; for effect #1, don't.

Note: you cannot deny all outbound access and then specify ports to allow out: ACLs are processed from top to bottom and the first match is the overall result. Just rely on the fact that everything you do not permit will be blocked if you have any ACL on the interface. The "allow everything outbound" default only applies if there is no ACL.

Walter Roberson
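The following is an added example, not code from either poster. It models the three PIX behaviours the reply relies on (entries are evaluated top to bottom, the first match wins, and an implicit deny applies once any ACL is bound to the interface) and runs three constructed inside ACLs through that model: one for goal #1 (permit the wanted ports, let the implicit deny drop the rest), one for goal #2 (deny the unwanted ports, then `permit ip any any`), and the ordering mistake the note warns about (a `deny ip any any` placed first, which shadows every permit below it). The ACL name `inside_access_in`, the port numbers and the simplified `any any` grammar are assumptions for illustration.

```python
"""First-match ACL evaluation, modelled on the PIX behaviour described in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified grammar (assumption): only "any any" sources/destinations with an
# optional destination port. Real PIX ACEs also take hosts, networks and ranges.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(?P<port>\d+))?$"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)$")


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol
    port: Optional[int]  # None means any destination port


def parse(config: str) -> Tuple[Dict[str, List[Ace]], Dict[str, str]]:
    """Return (acls by name, interface -> bound ACL name)."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            port = int(m["port"]) if m["port"] else None
            acls.setdefault(m["name"], []).append(Ace(m["action"], m["proto"], port))
            continue
        g = GROUP_RE.match(line)
        if g:
            bindings[g["iface"]] = g["name"]
            continue
        raise ValueError(f"unsupported line in this simplified model: {line}")
    return acls, bindings


def evaluate(aces: List[Ace], proto: str, dport: int) -> str:
    """PIX semantics: walk the list top to bottom, the first matching entry wins."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action
    # Implicit deny: with any ACL bound to the interface, unmatched traffic is dropped.
    return "deny"


def decide(config: str, iface: str, proto: str, dport: int) -> str:
    """Decision for traffic entering a higher-security interface (the inside side)."""
    acls, bindings = parse(config)
    name = bindings.get(iface)
    if name is None:
        # No ACL on the interface: the "allow everything outbound" default applies.
        return "permit"
    return evaluate(acls.get(name, []), proto, dport)


# Goal #1 (constructed): permit only the listed outbound ports; no trailing permit,
# so everything else hits the implicit deny.
GOAL1 = """
access-list inside_access_in permit tcp any any eq 80
access-list inside_access_in permit tcp any any eq 443
access-list inside_access_in permit udp any any eq 53
access-group inside_access_in in interface inside
"""

# Goal #2 (constructed): block the listed outbound ports, then permit everything else.
GOAL2 = """
access-list inside_access_in deny tcp any any eq 25
access-list inside_access_in deny tcp any any eq 135
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
"""

# The pitfall from the reply (constructed): a blanket deny first matches every
# packet, so the permits below it are never reached.
DENY_FIRST = """
access-list inside_access_in deny ip any any
access-list inside_access_in permit tcp any any eq 80
access-group inside_access_in in interface inside
"""

if __name__ == "__main__":
    for label, cfg in (("goal1", GOAL1), ("goal2", GOAL2), ("deny-first", DENY_FIRST)):
        for proto, port in (("tcp", 80), ("tcp", 25), ("udp", 53), ("tcp", 3389)):
            print(f"{label:10s} {proto}/{port:<5} -> {decide(cfg, 'inside', proto, port)}")
```

Running it shows goal #1 passing only 80, 443 and 53 while dropping 25 and 3389, goal #2 dropping only 25 and 135, and the deny-first variant dropping everything including port 80, which is exactly why the reply says to rely on the implicit deny rather than writing one yourself.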
