hotdiggetydawg asked:
PIX Access list restrictions

I am a Cisco/PIX newbie and have recently acquired a PIX 506E firewall. I have set up the basics (interfaces, DHCP, NAT, etc.) and now need to fine-tune further. I need to set up access lists to deny all inside users with the exception of internet access and outside DNS lookup.

Also, only one inside host (192.160.0.2) is to have unrestricted access.

This is what I've got so far.

access-list outbound permit tcp any any eq 80
access-list outbound permit udp any any eq 53
access-list outbound permit ip 192.160.0.2 any
access-list outbound deny ip any any
access-group outbound in interface inside

This is off the top of my head and I haven't tried this config yet. Can anyone verify?
grblades replied:

Hi hotdiggetydawg,
> access-list outbound permit tcp any any eq 80
Plus HTTPS:
access-list outbound permit tcp any any eq 443

> access-list outbound permit udp any any eq 53
> access-list outbound permit ip 192.160.0.2 any
Correct syntax is:
access-list outbound permit ip host 192.160.0.2 any

> access-list outbound deny ip any any
> access-group outbound in interface inside

What about ftp and email?
Les Moore replied:
What is your end goal? What it is that you are specifically trying to block?
Do you have a policy of "permit by exception" that you are trying to implement? What is your policy? What are the exceptions?
If there is no policy, then back to the first question: what is it you are trying to block outbound? Everything is permitted outbound by default with no access-lists applied. Once you do apply an ACL, you have to be careful what you wish for, because you may find it difficult to troubleshoot. As grblades mentions above, what about email outbound, FTP, POP3, Instant Messenger, etc.? Are you restricting access to those protocols?
There are better ways to monitor/restrict users' internet habits. First and foremost is a written policy.
hotdiggetydawg (asker) replied:

Sorry, I should have explained in more detail.

This is a home project with the goal of understanding the PIX. I plan to configure FTP and email at a later date. All I'm really interested in at the moment is the logical syntax and construct of access-lists.

My main objective at the moment is to start with a completely restricted PIX and then grant access rights as I go along.

I also read a Cisco doc stating that it is now best practice to override the default behaviour by blocking all traffic from inside to outside and only allowing required traffic to exit. Did I misread?
Permitting only specific outbound traffic is more secure and the way that I prefer to do it. Enabling everything outbound leaves you more open to trojan programs. For example, the new virus released last week tricks people into downloading the code off the website on a high port number. A lot of virus scanners don't detect the email, but the access-lists I have defined would have stopped the virus from being able to download.
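As an added illustration (not code from the thread or from Cisco), the script below parses the thread's outbound access-list, with the syntax corrections above applied, and evaluates it first-match, top to bottom, the way the PIX does, ending in the implicit deny. The sample packets and the 198.51.100.0/24 destinations are constructed; it shows why entry order matters and that a download on a high port, as in the virus example, falls through to the deny line.

```python
import ipaddress

# Constructed: the thread's outbound list with the syntax fixes applied
# ('host any' is not valid; the exception host needs the 'host' keyword).
ACL_TEXT = """
access-list outbound permit tcp any any eq 80
access-list outbound permit tcp any any eq 443
access-list outbound permit udp any any eq 53
access-list outbound permit ip host 192.160.0.2 any
access-list outbound deny ip any any
"""

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # classic PIX form: address followed by a subnet mask
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins; returns (action, line_no); line_no 0 = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if rproto not in ("ip", proto):
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, i
    return "deny", 0

RULES = parse_acl(ACL_TEXT)
```

Dropping the final `deny ip any any` line changes nothing for the result, only which line number reports the drop; keeping it explicit is what makes the hit visible in the ACL counters and logs.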
Nice one, thanks for the clarification, all.