I'm trying to block certain protocols across the entire network, i.e. ftp, pop3, etc., but not having much joy with access lists. Below is my current running config. All inbound rules work 100%; I'm just struggling with the "inside out" logic. Note I'm testing with the web protocol, as the net result is an easy one to test.
When you state "All inbound rules work 100%", are you referring to the inbound traffic to the outside interface or the inbound traffic to the inside interface? Also, are you trying to apply an access list to the inside interface? In the config above there is no access list applied to the inside interface.
Yes, I'm referring to inbound traffic on the outside interface, which is working fine. I'm trying to apply an access list to the inside interface. Can you provide an example of the required access list, please?
Hi there - you cannot use the "out" keyword in PIX software 6.x. At minimum 7.x is required. This cannot be installed on a PIX 501 as it is not supported.
There might be a work around though... what exactly are you trying to accomplish? Block web access for inside users? What?
Cheers!
So you just block using the "in" keyword for the inside interface since you can't use the "out" keyword.
Like this:
access-list inside deny tcp any any eq ftp
access-list inside permit ip any any
access-group inside in interface inside
To add more rules, just add another line above the first one with your protocol in the place of X.
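The same approach carried through for the protocols the original question names (added example, not config posted in this thread; it assumes PIX 6.x, interfaces named inside and outside, and no other list already applied to inside):

```cisco
! Added example, not from the thread. Assumes PIX 6.x with interfaces "inside" and
! "outside" and no other access list already applied to the inside interface.
!
! Entries are evaluated top-down and the first match wins. The list ends with an
! implicit deny, so the final "permit ip any any" is required or every other
! inside-to-outside flow stops as well.
access-list inside deny tcp any any eq ftp
access-list inside deny tcp any any eq pop3
access-list inside deny tcp any any eq smtp
! Temporary entry for testing the setup with a browser; remove once confirmed.
access-list inside deny tcp any any eq www
access-list inside permit ip any any
!
! "in" on the inside interface means traffic entering the firewall from the inside
! hosts, which is the "inside out" direction the question asks about. The access
! list name (first "inside") and the interface name (second "inside") are
! independent; the list just happens to be named after the interface it is
! applied to.
access-group inside in interface inside
!
! Check which entry is matching: each line shows a hit count.
show access-list inside
```

If the hit count on the www deny entry stays at zero while browsing from an inside host, the list is not bound to the interface the traffic is entering.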
So my "interpretation" of "access-group inside in interface inside" is:
"allow access-list 'inside' to the 'inside' interface". I would have thought the logic would be:
"access-group inside in interface outside"
I guess the above would be the logical command, but any info as to Cisco logic would be great!
Sorry to be a pain, but I've just started configuring my Cisco PIX 501 this week. I'm already making some good progress, i.e. PAT to my test Exchange mware box (and I'm not using PDM at all, as I feel it detracts from using Cisco and I prefer to use the CLI).