Outbound ACL's

Scott Payne — Mon, 11 Mar 2019 19:33:14 GMT

I have been fighting the ackantta virus for quite some time now. The decision has been made to lock down every port except for a select few (e.g. 80, 443, 21, 8080...)

My question is, "How do I create an outbound ACL that blocks all outbound traffic except for specific ports. I alerady placed a block on the ports associated with ackantta.

BrandtASA# sh run | incl access-list out
access-list outside extended permit tcp any host 10.1.5.50 eq smtp
access-list outside extended permit tcp any host 10.1.5.80 eq smtp
access-list outside extended permit udp any any eq domain
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp any any eq https
access-list outside extended permit ip 10.0.50.0 255.255.255.0 any
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
access-list outside extended permit tcp any any eq pptp
access-list outside extended permit tcp any host 10.1.5.90 eq smtp
access-list outside extended permit tcp any host 10.1.5.91 eq smtp
access-list outside extended deny tcp any any eq smtp
access-list outside extended deny tcp any any eq whois
access-list outside extended deny udp any any eq 43
access-list outside extended deny tcp any any eq 1033
access-list outside extended deny udp any any eq 1033
access-list outside extended deny tcp any any eq 1035
access-list outside extended deny udp any any eq 1035
access-list outside extended deny tcp any any eq 1050
access-list outside extended deny udp any any eq 1050
access-list outside extended deny tcp any any eq 1052
access-list outside extended deny udp any any eq 1052
access-list outside extended deny tcp any any eq 1059
access-list outside extended deny udp any any eq 1059
access-list outside extended deny tcp any any eq 1060
access-list outside extended deny udp any any eq 1060
access-list outside extended deny tcp any any eq 1061
access-list outside extended deny udp any any eq 1061
access-list outside extended deny tcp any any eq 1062
access-list outside extended deny udp any any eq 1062
access-list outside extended deny tcp any any eq 1063
access-list outside extended deny udp any any eq 1063
access-list outside extended deny tcp any any eq 1070
access-list outside extended deny udp any any eq 1070
access-list outside extended deny tcp any any eq 1074
access-list outside extended deny udp any any eq 1074
access-list outside extended deny tcp any any eq 1087
access-list outside extended deny udp any any eq 1087
access-list outside extended deny tcp any any eq 1089
access-list outside extended deny udp any any eq 1089
access-list outside extended deny tcp any any eq 1090
access-list outside extended deny udp any any eq 1090
access-list outside extended deny tcp any any eq 1091
access-list outside extended deny udp any any eq 1091

I guess my very basic quesiton is....do I create permit statements just for the select few and deny all others? I confused myself and have fallen and can't get up.

Re: Outbound ACL's

mirober2 — Mon, 10 Jan 2011 17:17:54 GMT

Hi Scott,

The easiest way would be to create permit lines only for the specific ports that you want to allow. All other ports will be denied by the implicit 'deny ip any any' rule at the end of every access-list.

Hope that helps.

-Mike

Re: Outbound ACL's

Scott Payne — Mon, 10 Jan 2011 17:41:32 GMT

So I should just do something like the following:

1) remove access-list outside extended permit ip any any
2) add permit rules to specific ports such as access-list outside extended permit tcp any any eq www

Re: Outbound ACL's

mirober2 — Mon, 10 Jan 2011 17:59:55 GMT

Hi Scott,

Exactly. All access-lists have an implicit 'deny ip any any' line at the end even though you can't see it in the config. Because ACLs are processed sequentially and processing stops as soon as a line matches, ACL processing will never go past your 'permit ip any any' line. Instead, just put permit lines for the specific ports you do want to allow and everything else will be denied by default.

-Mike

topic Outbound ACL's in Network Security

Outbound ACL's

Re: Outbound ACL's

Re: Outbound ACL's

Re: Outbound ACL's