Solved

Block outgoing ports

Posted on 2003-12-03
Last Modified: 2010-04-09
How would I go about blocking all non-standard outgoing ports on a Cisco 515e?
I thought I could do a
access-list inside_out deny tcp any any
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
 (and whatever other port I wanted)
then do a
access-group inside_out in interface inside
but when I do, everything is blocked. What am I missing?
Question by:klause2
7 Comments
 
Expert Comment

by:shivsa
ID: 9869039
check this link.
http://www.experts-exchange.com/Networking/Q_20720593.html
and check the accepted answer from geoffryn.
Author Comment

by:klause2
ID: 9869395
As I read it, those are incoming ports, not outgoing. Do I just simply apply the same lists to my inside interface?
Accepted Solution

by: lrmoore (earned 250 total points)
ID: 9869550
You are correct in that the way you have it, everything gets blocked.
Remember that an acl is processed top-down. Your first line "deny tcp any any" effectively blocks it all. The easier way would be:

access-list outbound permit tcp any any eq 80
access-list outbound permit udp any any eq 53  <-- must permit dns queries -->
access-list outbound permit tcp any any eq 443
<etc>

If it's not in the permit list, it is automatically denied.

Depending on your OS version, you might want to look at the "outbound/apply" commands (only if using conduits)
Assisted Solution

by:TomCRiley
TomCRiley earned 250 total points
ID: 9869585
You need to permit before you deny.  If you deny all tcp traffic on the first line, then no tcp traffic will be allowed on the subsequent lines.  Not sure what you mean by "everything", but here's a start.

Wrong:
access-list inside_out deny tcp any any
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-group inside_out in interface inside

Right:
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq https
access-list inside_out deny tcp any any
access-group inside_out in interface inside

This will allow www and https outbound and will deny everything else (ip, udp, tcp, etc...).

Is that what you are looking for?

Tom
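Added example, not from the thread: a small Python model of the top-down, first-match processing both lrmoore and TomCRiley describe, run over the "Wrong" and "Right" lists (with lrmoore's UDP/53 entry added to the right one) against a few constructed outbound flows. The flow labels and the tuple layout are assumptions for the model, not PIX syntax.

```python
"""Model of PIX access-list evaluation: top-down, first match wins,
implicit deny when no entry matches. Flows below are constructed."""

# Each entry: (action, protocol, destination port or None for any port)
WRONG_ORDER = [
    ("deny", "tcp", None),    # matches every TCP flow, so the permits never fire
    ("permit", "tcp", 80),
    ("permit", "tcp", 443),
]

RIGHT_ORDER = [
    ("permit", "tcp", 80),
    ("permit", "udp", 53),    # DNS queries, as lrmoore notes
    ("permit", "tcp", 443),
    # no trailing deny needed: unmatched traffic hits the implicit deny
]


def evaluate(acl, protocol, dst_port):
    """Return 'permit' or 'deny' for one flow; the first matching entry decides."""
    for action, proto, port in acl:
        if proto != protocol:
            continue
        if port is not None and port != dst_port:
            continue
        return action          # first match wins, later entries are never consulted
    return "deny"              # implicit deny at the end of every access-list


# Constructed sample flows leaving the inside network: (label, protocol, dst port)
FLOWS = [
    ("web", "tcp", 80),
    ("https", "tcp", 443),
    ("dns", "udp", 53),
    ("smtp", "tcp", 25),
    ("ssh", "tcp", 22),
]


def verdicts(acl):
    """Map each sample flow label to its verdict under the given access-list."""
    return {label: evaluate(acl, proto, port) for label, proto, port in FLOWS}


if __name__ == "__main__":
    for name, acl in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(name, verdicts(acl))
```

Under the wrong order every flow, including web and https, is denied by the first entry; under the right order only the listed services pass and everything else, including non-TCP traffic, falls through to the implicit deny.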
Expert Comment

by:TomCRiley
ID: 9869592
Looks like lrmoore and I posted simultaneously :)
Expert Comment

by:TomCRiley
ID: 9869605
Good point...the following wouldn't be needed:

access-list inside_out deny tcp any any

Tom
Author Comment

by:klause2
ID: 9904681
As I have 2 good answers I'll give you both points! Thanks!