Solved

Block out going ports

Posted on 2003-12-03
7
382 Views
Last Modified: 2010-04-09
How would I go about blocking all non standard out going ports on a Cisco 515e?
I thought I could do a
access-list inside_out deny tcp any any
access-list inside_out permit any any eq www
access-list inside_out permit any any eq https
 (and what ever other port I wanted)
then do a
access-group inside_out in interface inside
but when I do everything is blocked. What am I missing?
0
Comment
Question by:klause2
7 Comments
 
LVL 24

Expert Comment

by:shivsa
ID: 9869039
check this link.
http://www.experts-exchange.com/Networking/Q_20720593.html
and check the accepted answer from geoffryn.
0
 

Author Comment

by:klause2
ID: 9869395
As I read it those are incoming ports not outgoing. Do I just simple apply the same lists to my inside interface?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 9869550
You are correct in that the way you have it, everything gets blocked.
Remember that an acl is processed top-down. Your first line "deny tcp any any" effectively blocks it all. The easier way would be:

access-list oubound permit tcp any any eq 80
access-list outbound permit udp any any eq 53  <-- must permit dns querries -->
access-list outbound permit tcp any any eq 443
<etc>

If it's not in the permit list, it is automatically denied.

Depending on your OS version, you might want to look at the "outbound/apply" commands (only if using conduits)
0
Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

 
LVL 2

Assisted Solution

by:TomCRiley
TomCRiley earned 250 total points
ID: 9869585
You need to permit before you deny.  If you deny all tcp traffic on the first line, then no tcp traffic will be allowed on the subsequent lines.  Not sure what you mean by "everything", but here's a start.

Wrong:
access-list inside_out deny tcp any any
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-group inside_out in interface inside

Right:
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-list inside_out deny tcp any any
access-group inside_out in interface inside

This will allow www and https outbound and will deny everything else (ip, udp, tcp, etc...).

Is that what you are looking for?

Tom
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9869592
Looks like lrmoore and I posted simultaneously :)
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9869605
Good point...the following wouldn't be needed:

access-list inside_out deny tcp any any

Tom
0
 

Author Comment

by:klause2
ID: 9904681
As I have 2 good answers I'll give you both points! Thanks!
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Checkpoint books 3 101
Exchange OWA - failed logins and brute force monitor 7 371
Sonicwall VPN / Net Extender - Bandwidth problem 5 123
PFsense box as firewall 5 67
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question