Block outgoing ports

Posted on 2003-12-03
Last Modified: 2010-04-09
How would I go about blocking all non-standard outgoing ports on a Cisco 515e?
I thought I could do a
access-list inside_out deny tcp any any
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
 (and whatever other port I wanted)
then do a
access-group inside_out in interface inside
but when I do everything is blocked. What am I missing?
Question by klause2

7 Comments

Expert Comment by shivsa (ID: 9869039)
check this link.
http://www.experts-exchange.com/Networking/Q_20720593.html
and check the accepted answer from geoffryn.

Author Comment by klause2 (ID: 9869395)
As I read it those are incoming ports, not outgoing. Do I just simply apply the same lists to my inside interface?

Accepted Solution by lrmoore (earned 250 total points, ID: 9869550)
You are correct in that the way you have it, everything gets blocked.
Remember that an acl is processed top-down. Your first line "deny tcp any any" effectively blocks it all. The easier way would be:

access-list outbound permit tcp any any eq 80
access-list outbound permit udp any any eq 53  <-- must permit DNS queries -->
access-list outbound permit tcp any any eq 443
<etc>

If it's not in the permit list, it is automatically denied.

Depending on your OS version, you might want to look at the "outbound/apply" commands (only if using conduits)
 
LVL 2

Assisted Solution

by:TomCRiley
TomCRiley earned 250 total points
ID: 9869585
You need to permit before you deny.  If you deny all tcp traffic on the first line, then no tcp traffic will be allowed on the subsequent lines.  Not sure what you mean by "everything", but here's a start.

Wrong:
access-list inside_out deny tcp any any
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-group inside_out in interface inside

Right:
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-list inside_out deny tcp any any
access-group inside_out in interface inside

This will allow www and https outbound and will deny everything else (ip, udp, tcp, etc...).

Is that what you are looking for?

Tom
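The rule both lrmoore and Tom rely on, as an added example that is not part of either answer and not Cisco code: a small Python simulator of PIX-style access-list evaluation (entries checked top-down, first match wins, implicit deny at the end). The parser understands only the `access-list NAME {permit|deny} {tcp|udp|ip} any any [eq PORT]` form used in this thread, the three configurations in it are constructed for illustration, and `parse_acl`, `applied_acl`, `evaluate` and `decide` are names chosen here rather than PIX commands.

```python
"""PIX-style access-list evaluation: top-down, first match, implicit deny.

Added example for this thread, not the poster's configuration and not Cisco
code. It parses "access-list NAME {permit|deny} {tcp|udp|ip} any any [eq PORT]"
lines and decides outbound packets the way the answers describe: entries are
checked in order, the first match wins, and anything that matches nothing is
dropped by the implicit deny at the end of the list.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumption: only the port names used in this thread are mapped; a real PIX
# knows many more. Numeric ports are accepted as-is.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}


@dataclass(frozen=True)
class Entry:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip" (ip matches any protocol)
    port: Optional[int]  # destination port, None when no "eq" was given

    def matches(self, proto: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.port is None or self.port == dport


def parse_acl(config: str, name: str) -> list[Entry]:
    """Collect the entries of the named ACL, in configuration order.

    Lines carrying a different ACL name are ignored, which mirrors the PIX:
    a typo in the name silently starts a second list instead of extending
    the one bound by access-group.
    """
    entries = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != name:
            continue
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
            raise ValueError(f"unsupported entry: {raw!r}")
        if tok[4:6] != ["any", "any"]:
            raise ValueError(f"only 'any any' is supported here: {raw!r}")
        port = None
        if len(tok) >= 8 and tok[6] == "eq":
            port = PORT_NAMES[tok[7]] if tok[7] in PORT_NAMES else int(tok[7])
        entries.append(Entry(action, proto, port))
    return entries


def applied_acl(config: str) -> str:
    """Name of the ACL bound inbound on the inside interface by access-group."""
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-group"] and tok[2:5] == ["in", "interface", "inside"]:
            return tok[1]
    raise ValueError("no access-group applied on interface inside")


def evaluate(entries: list[Entry], proto: str, dport: int) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for e in entries:
        if e.matches(proto, dport):
            return e.action
    return "deny"


def decide(config: str, proto: str, dport: int) -> str:
    """Verdict for an outbound packet under the ACL the config applies."""
    return evaluate(parse_acl(config, applied_acl(config)), proto, dport)


# Constructed configurations for illustration.
# Deny first: that line matches every TCP packet before the permits are seen.
BROKEN = """\
access-list inside_out deny tcp any any
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-group inside_out in interface inside
"""

# Permits only; the implicit deny handles everything else, including UDP.
FIXED = """\
access-list inside_out permit tcp any any eq www
access-list inside_out permit udp any any eq domain
access-list inside_out permit tcp any any eq https
access-group inside_out in interface inside
"""

# Same permits, but the first line's ACL name is misspelled, so that permit
# lands in a separate, unapplied list and port 80 is denied.
TYPO = """\
access-list oubound permit tcp any any eq 80
access-list outbound permit udp any any eq 53
access-list outbound permit tcp any any eq 443
access-group outbound in interface inside
"""

if __name__ == "__main__":
    probes = [("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25), ("udp", 123)]
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("typo", TYPO)):
        print(label, ", ".join(f"{p}/{d}={decide(cfg, p, d)}" for p, d in probes))
```

Running it shows the three outcomes side by side: with the deny line first, TCP 80 and 443 are denied; with permits only, 80, 443 and UDP 53 pass while TCP 25 and UDP 123 hit the implicit deny; and a misspelled ACL name on one line leaves that permit out of the applied list, so port 80 is denied even though the line itself looks correct.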
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9869592
Looks like lrmoore and I posted simultaneously :)

Expert Comment by TomCRiley (ID: 9869605)
Good point...the following wouldn't be needed:

access-list inside_out deny tcp any any

Tom

Author Comment by klause2 (ID: 9904681)
As I have 2 good answers I'll give you both points! Thanks!