https://community.cisco.com/t5/network-security/pix-outbound-constraints/m-p/23314#M654948 <HTML><HEAD></HEAD><BODY><P>1) you can still use outbound statements, but they are not recommended.</P><P></P><P>2) No, there is not "out" parameter. Reason being, traffic coming "in" one interface has to go "out" another interface. So, better to block the traffic coming in, than going out.</P><P></P><P>In your case, you would apply an access-list inbound on the Inside interface. It would have "deny" statements for hosts going from the inside to the DMZ servers you don't want them to reach, and then a "permit ip any any" at the end for everything else.</P><P></P><P>Also, the Output Interpreter tool on CCO will soon have a conduit/outbound -&gt; ACL converter. Stay tuned.</P><P></P><P>Hope that helps,</P><P></P><P>David.</P></BODY></HTML> Wed, 05 Jun 2002 20:58:40 GMT David White 2002-06-05T20:58:40Z https://community.cisco.com/t5/network-security/pix-outbound-constraints/m-p/23313#M654947 <P>I'm in the process of converting from conduits to ACL and need some clarification on constraining outbound traffic. The situation is that inside zone hosts (highest security) are banned from certain DMZs (lower security).</P><P></P><P>I have been using outbound deny &amp; apply to enforce these constraints.</P><P></P><P>Questions:</P><P></P><P>1) Are these statements still current and recommended in an ACL environment?</P><P></P><P>2) The access-group documentation/syntax uses an "in" parameter but has no mention of whether there is an "out" parameter. Is there one?</P><P></P><P>TIA</P> Fri, 21 Feb 2020 06:05:11 GMT https://community.cisco.com/t5/network-security/pix-outbound-constraints/m-p/23313#M654947 cyee 2020-02-21T06:05:11Z https://community.cisco.com/t5/network-security/pix-outbound-constraints/m-p/23314#M654948 <HTML><HEAD></HEAD><BODY><P>1) you can still use outbound statements, but they are not recommended.</P><P></P><P>2) No, there is not "out" parameter. Reason being, traffic coming "in" one interface has to go "out" another interface. So, better to block the traffic coming in, than going out.</P><P></P><P>In your case, you would apply an access-list inbound on the Inside interface. It would have "deny" statements for hosts going from the inside to the DMZ servers you don't want them to reach, and then a "permit ip any any" at the end for everything else.</P><P></P><P>Also, the Output Interpreter tool on CCO will soon have a conduit/outbound -&gt; ACL converter. Stay tuned.</P><P></P><P>Hope that helps,</P><P></P><P>David.</P></BODY></HTML> Wed, 05 Jun 2002 20:58:40 GMT https://community.cisco.com/t5/network-security/pix-outbound-constraints/m-p/23314#M654948 David White 2002-06-05T20:58:40Z