Create an outbound restriction for an interface

I wanted to restrict computer from my inside network from access certain network resources on the Internet. By default the PIX will allow traffic from a higher level security access to access through a lower level (i.e. Inside can go outside, but not vs.). This can be done by applying an inbound access-list to the inside interface.

It doesn't make sense setting up an inbound access-list to control outbound access, but you'll see how it works next.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
!Below Line blocks ALL access to www.playboy.com
access-list 101 deny ip any host 209.247.228.201
!Below Lines allow ftp, dns, www, pop3, ntp, news, imap, and ssl
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq nntp
access-list 101 permit udp any any eq ntp
access-list 101 permit tcp any any eq imap4
access-list 101 permit tcp any any eq https
!Below line applies this to the inbound of Inside
access-group 101 in interface inside


This access-list blocks every thing except DNS, News, HTTP, NTP, IMAP, POP3, SSL, FTP. It also blocks all access to 209.247.228.201.

You can modify this access-list to suite your needs. I use it to block access to instant messaging servers, and other servers that are normally permitted under the allowed ports.