looking4info
MIS
I seem to have trouble restricting outbound traffic and can't figure out the reason why.
I want to block all outgoing traffic except what I want to go out. I want to allow my mailserver, dns, ftp, http, https, 2080, and to make sure my site-to-site VPN, and Cisco VPN clients still work OK.
I've been looking through these threads and found the "Access-list for pix 515" thread to be the closest to what I'm trying to do.
I replaced my access-list entry:
access-list insideout permit ip 172.16.0.0 255.255.0.0 any
with entries of:
access-list insideout permit tcp any any eq ftp
access-list insideout permit tcp any any eq ftp-data
access-list insideout permit tcp any any eq domain
access-list insideout permit udp any any eq domain
access-list insideout permit tcp any any eq www
access-list insideout permit tcp any any eq https
access-list insideout permit tcp any any eq pop3
access-list insideout permit tcp any any eq smtp
access-list insideout permit tcp any any eq imap4
access-list insideout permit tcp any any eq nntp
access-list insideout permit udp any any eq ntp
access-group insideout in interface inside
However, after implementing this change nothing could access the internet.
I've included my config below:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ret.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 21.35.55.230 eq smtp
access-list acl_out permit tcp any host 21.35.55.231 eq www
access-list acl_out permit tcp any host 21.35.55.231 eq https
access-list acl_out permit tcp any host 21.35.55.237 eq www
access-list acl_out permit tcp any host 21.35.55.237 eq citrix-ica
access-list acl_out permit tcp host 66.147.24.178 host 21.35.55.230 eq pop3
access-list acl_out permit tcp 67.75.0.0 255.255.0.0 host 21.35.55.231 eq ftp
access-list acl_out permit tcp 64.48.90.0 255.255.255.240 host 21.35.55.231 eq ftp
access-list acl_out permit tcp 12.207.130.0 255.255.255.240 host 21.35.55.231 eq ftp
access-list acl_out permit tcp 12.207.130.0 255.255.255.240 host 21.35.55.231 eq ftp-data
access-list acl_out permit ip host 199.67.138.14 host 21.35.55.231
access-list acl_out permit udp host 199.67.138.14 host 21.35.55.231
access-list acl_out permit ip host 199.67.138.106 host 21.35.55.231
access-list acl_out permit udp host 199.67.138.106 host 21.35.55.231
access-list acl_out permit ip host 199.67.140.14 host 21.35.55.231
access-list acl_out permit udp host 199.67.140.14 host 21.35.55.231
access-list acl_out permit ip host 199.67.140.106 host 21.35.55.231
access-list acl_out permit udp host 199.67.140.106 host 21.35.55.231
access-list 101 permit ip host 172.16.16.251 10.19.3.0 255.255.255.0
access-list 101 permit ip host 172.16.16.5 10.19.3.0 255.255.255.0
access-list 101 permit ip 172.16.16.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list 101 permit ip 172.16.17.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list 101 permit ip host 172.16.16.251 10.19.4.0 255.255.255.0
access-list 101 permit ip host 172.16.16.5 10.19.4.0 255.255.255.0
access-list 101 permit ip host 172.16.16.8 10.19.4.0 255.255.255.0
access-list 101 permit ip host 172.16.16.14 10.19.4.0 255.255.255.0
access-list 101 permit ip host 172.16.16.251 10.19.5.0 255.255.255.0
access-list 101 permit ip host 172.16.16.5 10.19.5.0 255.255.255.0
access-list 101 permit ip host 172.16.17.92 10.19.5.0 255.255.255.0
access-list 101 permit ip host 172.16.16.251 10.19.6.0 255.255.255.0
access-list 101 permit ip host 172.16.16.3 10.19.6.0 255.255.255.0
access-list 101 permit ip host 172.16.16.4 10.19.6.0 255.255.255.0
access-list 101 permit ip host 172.16.16.251 10.19.9.0 255.255.255.0
access-list 101 permit ip host 172.16.16.5 10.19.9.0 255.255.255.0
access-list 101 permit ip host 172.16.16.3 10.19.9.0 255.255.255.0
access-list 101 permit ip host 172.16.16.4 10.19.9.0 255.255.255.0
access-list 101 permit ip host 172.16.16.8 10.19.9.0 255.255.255.0
access-list 101 permit ip host 172.16.16.9 10.19.9.0 255.255.255.0
access-list 101 permit ip host 172.16.16.14 10.19.9.0 255.255.255.0
access-list 101 permit ip host 172.16.16.127 10.19.9.0 255.255.255.0
access-list 101 permit ip host 172.16.17.92 10.19.1.0 255.255.255.0
access-list 101 permit ip host 172.16.16.213 10.19.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.0.0 10.19.10.0 255.255.255.0
access-list 101 permit ip host 172.16.16.199 10.19.7.0 255.255.255.0
access-list nonat permit ip 172.16.16.0 255.255.252.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 172.16.0.0 255.255.0.0 10.0.10.0 255.255.255.0
access-list insideout permit ip host 172.16.16.4 10.0.10.0 255.255.255.0
access-list insideout permit ip host 172.16.16.8 10.0.10.0 255.255.255.0
access-list insideout permit ip host 172.16.16.9 10.0.10.0 255.255.255.0
access-list insideout permit ip host 172.16.16.14 10.0.10.0 255.255.255.0
access-list insideout permit ip host 172.16.16.127 10.0.10.0 255.255.255.0
access-list insideout permit ip host 172.16.16.63 10.0.10.0 255.255.255.0
access-list insideout permit ip host 172.16.16.157 10.0.10.0 255.255.255.0
access-list insideout permit ip host 172.16.17.62 10.0.10.0 255.255.255.0
access-list insideout permit ip host 172.16.17.93 10.0.10.0 255.255.255.0
access-list insideout deny ip 172.16.16.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list insideout deny ip 172.16.17.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list insideout permit tcp 172.16.0.0 255.255.0.0 host 10.10.10.254 eq www
access-list insideout permit tcp host 172.16.16.68 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.16.68 any
access-list insideout permit tcp host 172.16.16.69 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.16.69 any
access-list insideout permit tcp host 172.16.16.129 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.16.129 any
access-list insideout permit tcp host 172.16.16.231 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.16.231 any
access-list insideout permit tcp host 172.16.16.236 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.16.236 any
access-list insideout permit tcp host 172.16.16.244 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.16.244 any
access-list insideout permit tcp host 172.16.16.246 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.16.246 any
access-list insideout permit tcp host 172.16.17.2 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.17.2 any
access-list insideout permit tcp host 172.16.17.4 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.17.4 any
access-list insideout permit tcp host 172.16.17.22 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.17.22 any
access-list insideout permit tcp host 172.16.17.23 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.17.23 any
access-list insideout permit tcp host 172.16.17.24 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.17.24 any
access-list insideout permit tcp host 172.16.17.25 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.17.25 any
access-list insideout permit tcp host 172.16.17.27 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.17.27 any
access-list insideout permit tcp host 172.16.17.46 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.17.46 any
access-list insideout permit tcp host 172.16.17.51 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.17.51 any
access-list insideout permit ip 172.16.0.0 255.255.0.0 any
access-list 102 permit ip 172.16.16.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list 102 permit ip 172.16.17.0 255.255.255.0 10.0.10.0 255.255.255.0
pager lines 24
logging on
logging buffered errors
logging trap debugging
logging host inside 172.16.16.251
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
ip address outside 21.35.55.226 255.255.255.240
ip address inside 172.16.16.76 255.255.252.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnPPP 10.19.1.1-10.19.1.254
ip local pool vpn003 10.19.3.1-10.19.3.254
ip local pool vpn004 10.19.4.1-10.19.4.254
ip local pool vpn009 10.19.9.1
ip local pool vpnONE 10.19.10.1-10.19.10.32
ip local pool vpn005 10.19.5.1-10.19.5.254
ip local pool vpn006 10.19.6.1-10.19.6.3
ip local pool vpn007 10.19.7.1
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 21.35.55.227
failover ip address inside 172.16.16.103
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 21.35.55.231 255.255.255.255 0 0
static (inside,outside) tcp 21.35.55.231 https 172.16.17.210 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 21.35.55.231 ftp 172.16.16.7 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 21.35.55.237 255.255.255.255 0 0
static (inside,outside) tcp 21.35.55.237 citrix-ica 172.16.17.92 citrix-ica netmask 255.255.255.255 0 0
static (inside,outside) 21.35.55.230 172.16.16.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group insideout in interface inside
route outside 0.0.0.0 0.0.0.0 21.35.55.225 1
route inside 172.16.32.0 255.255.255.0 172.16.16.254 1
route inside 172.16.48.0 255.255.255.0 172.16.16.254 1
route inside 172.16.56.0 255.255.255.0 172.16.16.254 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 172.16.16.251 cisco timeout 15
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthOutbound
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.16.16.251 PIXconfig.txt
virtual http 10.10.10.254
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt uauth allow-http-cache
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 102
crypto map mymap 1 set peer 66.150.xxx.xxx
crypto map mymap 1 set transform-set myset
crypto map mymap 1 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap 999 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 66.150.xxx.xxx netmask 255.255.255.192 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup salesmen address-pool vpn003
vpngroup salesmen dns-server 172.16.16.251
vpngroup salesmen wins-server 172.16.16.5
vpngroup salesmen default-domain ret.com
vpngroup salesmen idle-time 1800
vpngroup salesmen password ********
vpngroup salesmen1 address-pool vpn004
vpngroup salesmen1 dns-server 172.16.16.251
vpngroup salesmen1 wins-server 172.16.16.5
vpngroup salesmen1 default-domain ret.com
vpngroup salesmen1 idle-time 1800
vpngroup salesmen1 password ********
vpngroup salesmen2 address-pool vpn009
vpngroup salesmen2 dns-server 172.16.16.251
vpngroup salesmen2 wins-server 172.16.16.5
vpngroup salesmen2 default-domain ret.com
vpngroup salesmen2 idle-time 1800
vpngroup salesmen2 password ********
vpngroup salesmen3 address-pool vpnONE
vpngroup salesmen3 dns-server 172.16.16.251
vpngroup salesmen3 wins-server 172.16.16.5
vpngroup salesmen3 default-domain ret.com
vpngroup salesmen3 idle-time 1800
vpngroup salesmen3 password ********
vpngroup salesmen4 address-pool vpn005
vpngroup salesmen4 dns-server 172.16.16.251
vpngroup salesmen4 wins-server 172.16.16.5
vpngroup salesmen4 default-domain ret.com
vpngroup salesmen4 idle-time 1800
vpngroup salesmen4 password ********
vpngroup salesmen5 address-pool vpn007
vpngroup salesmen5 dns-server 172.16.16.251
vpngroup salesmen5 wins-server 172.16.16.5
vpngroup salesmen5 default-domain ret.com
vpngroup salesmen5 idle-time 1800
vpngroup salesmen5 password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.16.127 255.255.255.255 inside
ssh timeout 60
console timeout 0
vpdn group vpn accept dialin pptp
vpdn group vpn ppp authentication pap
vpdn group vpn ppp authentication chap
vpdn group vpn ppp authentication mschap
vpdn group vpn ppp encryption mppe 40
vpdn group vpn client configuration address local vpnPPP
vpdn group vpn client configuration dns 172.16.16.251
vpdn group vpn client configuration wins 172.16.16.5
vpdn group vpn pptp echo 60
vpdn group vpn client authentication local
vpdn username mexicoPPP password *********
vpdn enable outside
vpdn enable inside
terminal width 80
: end
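To see what an inside-interface access-list like the one above actually lets through, here is a small first-match evaluator, added as an example (it is not code from the post or from Cisco). It assumes a cut-down copy of the `insideout` list with the replacement service entries in place of the old `permit ip 172.16.0.0 255.255.0.0 any`, the post's own inside host addresses, and constructed destination addresses in 198.51.100.0/24.

```python
"""First-match evaluator for PIX 6.x extended access-list entries, with the
implicit deny that ends every list.  Added example, not code from the post;
it parses only the syntax the posted ACL uses (permit/deny, ip/tcp/udp,
'any' | 'host A.B.C.D' | 'A.B.C.D MASK', optional 'eq <port|name>')."""
import ipaddress
from collections import namedtuple

# Port keywords PIX accepts instead of numbers (the ones the post uses).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "domain": 53, "www": 80, "https": 443,
              "pop3": 110, "smtp": 25, "imap4": 143, "nntp": 119, "ntp": 123,
              "citrix-ica": 1494}

# dport is None when the entry has no 'eq' clause; text is the original line.
Rule = namedtuple("Rule", "action proto src dst dport text")

def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX takes a normal subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(config_text, acl_name):
    """Collect the entries of one named ACL from a config dump, in config order."""
    rules = []
    for line in config_text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_name:
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append(Rule(t[2], t[3], src, dst, dport, line.strip()))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, entry) for one flow; the first matching entry decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.text
    return "deny", "<implicit deny at end of access-list>"

# Cut-down copy of the post's 'insideout' list: a few of the VPN and per-host
# entries from the running config, followed by the replacement service entries
# that took the place of 'permit ip 172.16.0.0 255.255.0.0 any'.
INSIDEOUT_AFTER_CHANGE = """
access-list insideout permit ip host 172.16.16.4 10.0.10.0 255.255.255.0
access-list insideout deny ip 172.16.16.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list insideout permit tcp 172.16.0.0 255.255.0.0 host 10.10.10.254 eq www
access-list insideout permit tcp host 172.16.16.68 host 216.235.250.11 eq www
access-list insideout deny ip host 172.16.16.68 any
access-list insideout permit tcp any any eq ftp
access-list insideout permit udp any any eq domain
access-list insideout permit tcp any any eq www
access-list insideout permit tcp any any eq https
access-list insideout permit udp any any eq ntp
"""

def check_flows():
    """Constructed test flows (198.51.100.0/24 is documentation address space)."""
    rules = parse_acl(INSIDEOUT_AFTER_CHANGE, "insideout")
    flows = {
        "vpn_host_to_s2s":  ("ip",   "172.16.16.4",  "10.0.10.5",      None),
        "other_to_s2s":     ("ip",   "172.16.16.50", "10.0.10.5",      None),
        "restricted_www":   ("tcp",  "172.16.16.68", "216.235.250.11", 80),
        "restricted_https": ("tcp",  "172.16.16.68", "198.51.100.10",  443),
        "https_out":        ("tcp",  "172.16.16.50", "198.51.100.10",  443),
        "dns_out":          ("udp",  "172.16.16.50", "198.51.100.53",  53),
        "port_2080_out":    ("tcp",  "172.16.16.50", "198.51.100.10",  2080),
        "ping_out":         ("icmp", "172.16.16.50", "198.51.100.10",  None),
    }
    return {name: evaluate(rules, *flow)[0] for name, flow in flows.items()}
```

Two things the run makes visible: the per-host `deny ip host ... any` entries sit before the new service permits, so those hosts keep only their one web destination, and no entry in the posted replacement list permits tcp/2080 even though the post lists it as wanted.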