Solved

Block outgoing ports

Posted on 2003-12-03
Last Modified: 2010-04-09
How would I go about blocking all non-standard outgoing ports on a Cisco 515e?
I thought I could do a
access-list inside_out deny tcp any any
access-list inside_out permit any any eq www
access-list inside_out permit any any eq https
 (and whatever other port I wanted)
then do a
access-group inside_out in interface inside
but when I do everything is blocked. What am I missing?
Question by:klause2
7 Comments
 
LVL 24

Expert Comment

by:shivsa
ID: 9869039
check this link.
http://www.experts-exchange.com/Networking/Q_20720593.html
and check the accepted answer from geoffryn.
 

Author Comment

by:klause2
ID: 9869395
As I read it those are incoming ports not outgoing. Do I just simply apply the same lists to my inside interface?
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 1000 total points
ID: 9869550
You are correct in that the way you have it, everything gets blocked.
Remember that an acl is processed top-down. Your first line "deny tcp any any" effectively blocks it all. The easier way would be:

access-list outbound permit tcp any any eq 80
access-list outbound permit udp any any eq 53  <-- must permit dns queries -->
access-list outbound permit tcp any any eq 443
<etc>

If it's not in the permit list, it is automatically denied.

Depending on your OS version, you might want to look at the "outbound/apply" commands (only if using conduits)
 
LVL 2

Assisted Solution

by:TomCRiley
TomCRiley earned 1000 total points
ID: 9869585
You need to permit before you deny.  If you deny all tcp traffic on the first line, then no tcp traffic will be allowed on the subsequent lines.  Not sure what you mean by "everything", but here's a start.

Wrong:
access-list inside_out deny tcp any any
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-group inside_out in interface inside

Right:
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-list inside_out deny tcp any any
access-group inside_out in interface inside

This will allow www and https outbound and will deny everything else (ip, udp, tcp, etc...).

Is that what you are looking for?

Tom
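To make the top-down, first-match behaviour that lrmoore and TomCRiley describe concrete, here is a small simulator (added example, not code from either answer). It parses only the "<proto> any any [eq <port>]" form used in this thread, and the www/https/domain port-name mapping is an assumption about the standard PIX service names; it also shows that the "Right" list still denies outbound DNS unless a udp/53 line is added, as lrmoore noted.

```python
import re

PORT_NAMES = {"www": 80, "https": 443, "domain": 53}  # assumption: standard PIX service names

# Only the "<proto> any any [eq <port>]" form used in the thread is parsed.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

def parse_acl(lines, name):
    """Return (action, proto, port) tuples for one ACL name, in the order given."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m and m["name"] == name:
            port = m["port"]  # None means any destination port
            if port is not None:
                port = PORT_NAMES.get(port) or int(port)
            aces.append((m["action"], m["proto"], port))
    return aces

def evaluate(aces, proto, dport):
    """First matching line wins; a flow matching no line hits the implicit deny."""
    for action, ace_proto, ace_port in aces:
        if ace_proto in ("ip", proto) and ace_port in (None, dport):
            return action
    return "deny"

# Constructed from the "Wrong" and "Right" lists in the thread.
WRONG_ACL = [
    "access-list inside_out deny tcp any any",
    "access-list inside_out permit tcp any any eq www",
    "access-list inside_out permit tcp any any eq https",
]
RIGHT_ACL = [
    "access-list inside_out permit tcp any any eq www",
    "access-list inside_out permit tcp any any eq https",
    "access-list inside_out deny tcp any any",  # redundant: implicit deny already applies
]

def decisions(lines):
    aces = parse_acl(lines, "inside_out")
    flows = {"tcp/80": ("tcp", 80), "tcp/443": ("tcp", 443),
             "tcp/25": ("tcp", 25), "udp/53": ("udp", 53)}
    return {label: evaluate(aces, *flow) for label, flow in flows.items()}

if __name__ == "__main__":
    print("wrong:", decisions(WRONG_ACL))  # every tcp flow denied by line 1
    print("right:", decisions(RIGHT_ACL))  # only 80/443 permitted; DNS still denied
```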
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9869592
Looks like lrmoore and I posted simultaneously :)
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9869605
Good point...the following wouldn't be needed:

access-list inside_out deny tcp any any

Tom
 

Author Comment

by:klause2
ID: 9904681
As I have 2 good answers I'll give you both points! Thanks!