PIX Access list restrictions

I am a Cisco/PIX newbie and have recently acquired a PIX 056e firewall. I have set up the basics, interfaces, DHCP, NAT etc., and now need to fine tune further. I need to set up access lists to deny all inside users with the exception of internet access and outside DNS lookup.

Also only one inside host (192.160.0.2) to have unrestricted access.

This is what I've got so far.

access-list outbound permit tcp host any any eq 80
access-list outbound permit udp any any eq 53
access-list outbound permit ip 192.160.0.2 any
access-list outbound deny ip any any
access-group outbound in interface inside

This is off the top of my head and I haven't tried this config yet. Can anyone verify?
hotdiggetydawg Asked:
grblades Commented:
Hi hotdiggetydawg,
> access-list outbound permit tcp host any any eq 80
Plus https:-
access-list outbound permit tcp host any any eq 443

> access-list outbound permit udp any any eq 53
> access-list outbound permit ip 192.160.0.2 any
Correct syntax is:-
access-list outbound permit ip host 192.160.0.2 any

> access-list outbound deny ip any any
> access-group outbound in interface inside

What about ftp and email?
grblades Commented:
Missed a couple of typos.

access-list outbound permit tcp any any eq 80
access-list outbound permit tcp any any eq 443
access-list outbound permit udp any any eq 53
access-list outbound permit ip host 192.160.0.2 any
access-list outbound deny ip any any
access-group outbound in interface inside
lrmoore Commented:
What is your end goal? What it is that you are specifically trying to block?
Do you have a policy of "permit by exception" that you are trying to implement? What is your policy? What are the exceptions?
If no policy, then back to the first question - what is it you are trying to block outbound? Everything is permitted outbound by default with no access-lists applied. Once you do apply an acl, then you have to be careful what you wish for because you may find it difficult to troubleshoot. As grblades mentions above, what about email outbound, ftp, pop3, Instant Messenger, etc. Are you restricting access to those protocols?
There are better ways to monitor/restrict users' internet habits. First and foremost is a written policy.

hotdiggetydawg Author Commented:
Sorry, I should have explained in more detail.

This is a home project with the goal of understanding the pix. I plan to configure FTP and Email at a later date. All I'm really interested in at the moment is the logical syntax and construct of access-lists.

My main objective at the moment is to start with a completely restricted pix then grant access rights as I go along.

I also read a cisco doc stating that it is now best practice to override the default behaviour by blocking all traffic from inside to outside and only allowing required traffic to exit. Did I misread?
grblades Commented:
Permitting only specific outbound traffic is more secure and the way that I prefer to do it. Enabling everything outbound leaves you more open to trojan programs. For example, the new virus released last week tricks people into downloading the code off the website on a high port number. A lot of virus scanners don't detect the email, but the access-lists I have defined would have stopped the virus from being able to download.
lrmoore Commented:
Thanks! The picture is clear now...
No, I don't think you misread anything. There is a lot of talk within the industry about a policy of "permit by exception" which I alluded to above. Cisco's default behavior of "permit all" has come under fire recently. That is, permit all OUTbound; INbound has always been by exception only.
Just keep the syntax in mind:
   access-list <name> tcp|udp|ip <source> <mask> <destination> <mask> <operator> <port>
and the construct of top-down processing. Each packet is evaluated top-down until a match is found, so the order is very important. There is an implied "deny all" at the end of any acl, so you do not have to explicitly write it out.

The keyword "host" can be used in front of a specific IP instead of the IP address and mask 255.255.255.255,
  i.e. "access-list outbound permit ip host 192.160.0.2 any"
is the same as:
   access-list outbound permit ip 192.160.0.2 255.255.255.255 any

Remember to always re-apply the acl to the interface after making any changes:
   access-group outbound in interface inside

Not so on a router, but on a PIX, an access-list can only be applied "in" on any interface.
hotdiggetydawg Author Commented:
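To make the top-down, first-match evaluation and the implicit deny concrete, here is a small simulator of PIX access-list semantics fed with the corrected outbound ACL from this thread. This is an added example, not code from the thread or from Cisco; the sample packets are constructed, and the `evaluate` and `parse_ace` helpers are hypothetical names.

```python
import ipaddress

# Constructed sample: the corrected outbound ACL posted in this thread.
# Note there is no explicit 'deny ip any any' line; the PIX implies it.
ACL = """
access-list outbound permit tcp any any eq 80
access-list outbound permit tcp any any eq 443
access-list outbound permit udp any any eq 53
access-list outbound permit ip host 192.160.0.2 any
""".strip().splitlines()


def _parse_addr(tokens, i):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":  # 'host X' is shorthand for 'X 255.255.255.255'
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one access-list entry into its matching fields (hypothetical helper)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport):
    """Top-down first-match: return (action, matching line number or None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue  # 'ip' matches every protocol; tcp/udp only their own
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None  # implicit deny at the end of every PIX ACL
```

Running `evaluate(ACL, "tcp", "192.160.0.10", "203.0.113.5", 25)` falls through every entry and is denied by the implicit deny, while the same packet from 192.160.0.2 is permitted by the `host` entry.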
Nice one, thanks for the clarification all.