• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 399
  • Last Modified:

Block out going ports

How would I go about blocking all non standard out going ports on a Cisco 515e?
I thought I could do a
access-list inside_out deny tcp any any
access-list inside_out permit any any eq www
access-list inside_out permit any any eq https
 (and what ever other port I wanted)
then do a
access-group inside_out in interface inside
but when I do everything is blocked. What am I missing?
0
klause2
Asked:
klause2
2 Solutions
 
shivsaCommented:
check this link.
http://www.experts-exchange.com/Networking/Q_20720593.html
and check the accepted answer from geoffryn.
0
 
klause2Author Commented:
As I read it those are incoming ports not outgoing. Do I just simple apply the same lists to my inside interface?
0
 
lrmooreCommented:
You are correct in that the way you have it, everything gets blocked.
Remember that an acl is processed top-down. Your first line "deny tcp any any" effectively blocks it all. The easier way would be:

access-list oubound permit tcp any any eq 80
access-list outbound permit udp any any eq 53  <-- must permit dns querries -->
access-list outbound permit tcp any any eq 443
<etc>

If it's not in the permit list, it is automatically denied.

Depending on your OS version, you might want to look at the "outbound/apply" commands (only if using conduits)
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 
TomCRileyCommented:
You need to permit before you deny.  If you deny all tcp traffic on the first line, then no tcp traffic will be allowed on the subsequent lines.  Not sure what you mean by "everything", but here's a start.

Wrong:
access-list inside_out deny tcp any any
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-group inside_out in interface inside

Right:
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-list inside_out deny tcp any any
access-group inside_out in interface inside

This will allow www and https outbound and will deny everything else (ip, udp, tcp, etc...).

Is that what you are looking for?

Tom
0
 
TomCRileyCommented:
Looks like lrmoore and I posted simultaneously :)
0
 
TomCRileyCommented:
Good point...the following wouldn't be needed:

access-list inside_out deny tcp any any

Tom
0
 
klause2Author Commented:
As I have 2 good answers I'll give you both points! Thanks!
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now