https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287732#M594537 <HTML><HEAD></HEAD><BODY><P>Add this to your configuration as dns can use either protocol.</P><P></P><P>static (inside, outside) <GLOBAL_IP> <LOCAL_IP> netmask 255.255.255.255 0 0 </LOCAL_IP></GLOBAL_IP></P><P>access-list acc-in permit udp host <DNS_LOCAL_IP> any eq domain</DNS_LOCAL_IP></P><P>access-list acc-out permit udp any host <DNS_GLOBAL_IP> eq domain</DNS_GLOBAL_IP></P><P></P><P></P><P>Its advisable locating this dns server in your DMZ. </P></BODY></HTML> Tue, 24 Feb 2004 21:48:02 GMT laje 2004-02-24T21:48:02Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287722#M594481 <P>Hi there,</P><P></P><P>Could you please advise on how to limit our Outbound connection only letting network users to access HTTP and servers SMTP, DNS etc...</P><P></P><P>We're currently using PIX515 with the latest sotware.</P><P></P><P>Thank you in advance.</P> Fri, 21 Feb 2020 07:14:56 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287722#M594481 support 2020-02-21T07:14:56Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287723#M594484 <HTML><HEAD></HEAD><BODY><P>you may configure access list and apply that onto the inside interface of the pix. eg</P><P></P><P>access-l xxx permit tcp <USER ip=""> any eq http</USER></P><P>access-l xxx permit tcp <USER ip=""> any eq smtp</USER></P><P>access-g xxx in inter inside</P><P></P><P>one thing should be noticed is that everything else will be blocked. the way i would suggest is to block user ip range only. in that case you, as an admin, plus servers will still have full access. if you think so,</P><P></P><P>access-l xxx permit tcp <USER ip=""> any eq http</USER></P><P>access-l xxx permit tcp <USER ip=""> any eq smtp</USER></P><P>access-l xxx deny ip <USER ip=""> any</USER></P><P>access-l xxx permit ip <LAN ip=""> any</LAN></P><P>access-g xxx in inter inside</P><P></P><P></P><P>hope this helps</P></BODY></HTML> Tue, 17 Feb 2004 23:55:29 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287723#M594484 jackko 2004-02-17T23:55:29Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287724#M594486 <HTML><HEAD></HEAD><BODY><P>cheers jackko for the reply.</P><P></P><P>but how do i apply this if i have 10.0.0.10 to 20 for the Servers and 10.0.0.20 to 50 Users?</P></BODY></HTML> Wed, 18 Feb 2004 14:57:38 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287724#M594486 support 2004-02-18T14:57:38Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287725#M594487 <HTML><HEAD></HEAD><BODY><P>you can use 'object-group' command. create a network group and add all the user ip into the group. then create access list using the group name rather than ip address. you may also want to re-configure the dhcp pool into proper subnet, as the command doesn't support ip address range.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1038172" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1038172</A></P><P></P><P>hope this helps</P></BODY></HTML> Thu, 19 Feb 2004 21:11:04 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287725#M594487 jackko 2004-02-19T21:11:04Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287726#M594489 <HTML><HEAD></HEAD><BODY><P>thanks i've read that on the docs. im considering using object group. definitely!</P><P></P><P>btw with all the virus and trojan going around. would it be posible to start blocking all the ports first then open all those are necessary :-</P><P></P><P>access-l block deny ip any any </P><P>access-l block permit tcp host <MY ip=""> any eq www</MY></P><P>access-g block in interface inside</P><P></P><P>i tried doing that but my i still cant browse the web. i have a local DNS server on our network i tried adding</P><P></P><P>access-l block permit tcp host &lt;192.168.0.x&gt; any eq 53</P><P></P><P>still no joy. any ideas? </P><P></P><P>thanks again!</P><P></P></BODY></HTML> Fri, 20 Feb 2004 18:58:42 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287726#M594489 support 2004-02-20T18:58:42Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287727#M594492 <HTML><HEAD></HEAD><BODY><P>Once a match is made the pix does not compare it to the rest of the access-list. It just drops the packet.</P><P></P><P>There is an implicit deny all at the end of each access-list, so simply open the ones you want, and the rest will be blocked.</P></BODY></HTML> Sat, 21 Feb 2004 06:11:04 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287727#M594492 jdepies 2004-02-21T06:11:04Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287728#M594506 <HTML><HEAD></HEAD><BODY><P>the access list order is important as the pix checks it from the top to the bottom. ie. the first one you put in there is to deny all traffic.</P><P></P><P>simply re-order the access list and it should work. btw you don't really need to have 'deny ip any any' as it is the default statement at the end of all access list.</P><P></P><P>access-l block permit tcp host <MY ip=""> any eq www </MY></P><P>access-l block deny ip any any </P><P>access-g block in interface inside </P><P></P><P>good luck.</P></BODY></HTML> Sun, 22 Feb 2004 23:34:07 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287728#M594506 jackko 2004-02-22T23:34:07Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287729#M594513 <HTML><HEAD></HEAD><BODY><P>great! but how come when i did that, i cant browse the web even though i've allowed my ip for www.</P><P></P><P>i've also noticed, my internal dns is not resolving anymore.</P><P></P><P>is there anything missing or need to do?</P><P></P><P>thanks again!</P></BODY></HTML> Mon, 23 Feb 2004 21:07:18 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287729#M594513 support 2004-02-23T21:07:18Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287730#M594524 <HTML><HEAD></HEAD><BODY><P>you need to add another access list for the dns. remember to put it above the 'deny any any'</P></BODY></HTML> Tue, 24 Feb 2004 07:18:14 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287730#M594524 jackko 2004-02-24T07:18:14Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287731#M594532 <HTML><HEAD></HEAD><BODY><P>still no joy! i cant browse the web nor resolve any ip.</P><P></P><P>access-list acc-out permit tcp any host <EXTERNAL ip=""> eq 53</EXTERNAL></P><P>access-list acc-in permit tcp host <DNS internal="" ip=""> eq 53</DNS></P><P>access-list acc-in permit tcp host <MY ip=""> any eq 80</MY></P><P>access-list acc-in deny ip any any </P><P>static (inside,outside) <EXTERNAL ip=""> <DNS internal="" ip=""> netmask 255.255.255.255 0 0</DNS></EXTERNAL></P><P>access-group acc-out in interface outside</P><P>access-group acc-in in interface inside</P><P></P><P>am i missing anything on my config?</P><P></P><P>thanks alot!</P><P></P><P></P></BODY></HTML> Tue, 24 Feb 2004 20:11:17 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287731#M594532 support 2004-02-24T20:11:17Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287732#M594537 <HTML><HEAD></HEAD><BODY><P>Add this to your configuration as dns can use either protocol.</P><P></P><P>static (inside, outside) <GLOBAL_IP> <LOCAL_IP> netmask 255.255.255.255 0 0 </LOCAL_IP></GLOBAL_IP></P><P>access-list acc-in permit udp host <DNS_LOCAL_IP> any eq domain</DNS_LOCAL_IP></P><P>access-list acc-out permit udp any host <DNS_GLOBAL_IP> eq domain</DNS_GLOBAL_IP></P><P></P><P></P><P>Its advisable locating this dns server in your DMZ. </P></BODY></HTML> Tue, 24 Feb 2004 21:48:02 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287732#M594537 laje 2004-02-24T21:48:02Z https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287733#M594542 <HTML><HEAD></HEAD><BODY><P>Hey guys! Thanks for all your help! </P><P></P><P>Everything seems to be locked down. I can sleep at night now!</P><P></P><P></P></BODY></HTML> Wed, 10 Mar 2004 17:57:33 GMT https://community.cisco.com/t5/network-security/locking-outbound-connection-on-pix/m-p/287733#M594542 support 2004-03-10T17:57:33Z