topic Re: limit outbound access to http in Other Security Subjects

limit outbound access to http

joaquimlopes — Sat, 09 Mar 2019 20:48:58 GMT

Hi,

to limit outbound access to only http/s pop3 smtp to groups of pcs, i'm using :

access-list inside_access_in permit udp host landns any eq domain

access-list inside_access_in permit tcp object-group http-https any eq www

access-list inside_access_in permit tcp object-group http-https any eq https

access-list inside_access_in permit tcp object-group ftp any eq ftp

access-list inside_access_in permit tcp object-group pop3-smtp any eq pop3

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

access-list inside_access_in permit tcp object-group pop3-smtp any eq smtp

this doesn´t work!

i'm i missing something? i'm doing this in a

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)

Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz

when i put

access-list inside_access_in permit ip any any

i get access but this is not my objective...

Re: limit outbound access to http

jackko — Tue, 25 Oct 2005 04:14:05 GMT

do "sh access-list inside_access_in" to verify whether the acl entries have been hitted or not.

Re: limit outbound access to http

joaquimlopes — Tue, 25 Oct 2005 13:31:40 GMT

yes they are used, but when i removed

access-list inside_access_in permit ip any any

game over i can't access any site

i can use nslookup and resolve the ip to dns but i can access either with ip or dns name

help needed and thanks for your reply

Re: limit outbound access to http

jackko — Tue, 25 Oct 2005 22:43:57 GMT

let forget the permit ip any any for a moment.

just would like to clarify, when you issue the command "sh access-list inside_access_in", the "hitcnt" of each entry is increasing or not.

e.g.

access-list inside_access_in line 1 permit udp host landns any eq domain (hitcnt=10)

access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=13)

access-list inside_access_in line 3 permit tcp object-group http-https any eq https (hitcnt=15)

access-list inside_access_in line 4 permit tcp object-group ftp any eq ftp (hitcnt=12)

access-list inside_access_in line 5 permit tcp object-group pop3-smtp any eq pop3 (hitcnt=11)

then kick off a new internet browsing session, and issue the command "sh access-list inside_access_in" again, you should seen the "hitcnt" for line 2 increased from 13 to 14.

e.g.

access-list inside_access_in line 2 permit tcp object-group http-https any eq www (hitcnt=14)

Re: limit outbound access to http

joaquimlopes — Tue, 25 Oct 2005 22:58:36 GMT

yes it increases

Re: limit outbound access to http

joaquimlopes — Fri, 28 Oct 2005 20:58:51 GMT

hi,

thanks for all of your anwsers!

my problem i guess was connected to syslog! :)

i had log all data logged via tcp, so when the syslog server could not be contacted because i only had access list to http,https,dns,ftp outside connections where dead...

i now have udp instead....