Deny access from inside to internet

Jaro · ‎11-22-2018

Hello, I need to deny any traffic from my internal network to the internet, but I cannot do any any, because I need to logg it and there is so much traffic.

I tried to deny traffic from any to outside(interface), but this is not working.

I can add public ranges, but it is not very clear I think, my question is if exist something better.

Thank you

Soporte Chile Orange Business Services · ‎11-22-2018

Nelson Neto's answer is correct

fbabashahi · ‎11-22-2018

Hi , if you can , try to deny some particular protocols in TCP/UDP ports from your inside net as a source to destination any with ports like DNS(port 53),WWW(port 80)

Nelson Neto · ‎11-22-2018

Hello,

But do you want to block the entry and exit of all traffic?

But you can create a rule:

access-list inside_dany_net extended deny tcp any any eq 80
access-list inside_dany_net extended deny tcp any any eq 443
access-list inside_dany_net extended deny tcp any any eq 8080
access-list inside_dany_net extended deny tcp any any eq 53
access-list inside_dany_net extended deny udp any any eq 53

access-group inside_dany_net out interface inside

But I recommend doing this by obj group to stay more organized.

Jaro · ‎11-22-2018

Hello,

thank you for answers, but if traffic will go with port, let´s say 22,21 it will not deny communication.

To be clear, I have already made rule deny any any from any to any, it is okay, no traffic will go anywhere, but problem is with logs, i need to log only traffic which will go from inside to the Internet (not only few ports, but all range of ports).

Of course, I can enable logs on rule any any, but there is 33 000 matches per 2 minutes, so I need to make specific rule for logs.

Thank you

Steven Williams · ‎11-24-2018

I personally do not know why anyone would want to do this, but I would use Sourcefire for it personally.