Hello, I need to deny any traffic from my internal network to the Internet, but I cannot use deny any any, because I need to log it and there is so much traffic.
I tried to deny traffic from any to outside (interface), but this is not working.
I can add public ranges, but I think that is not very clear; my question is whether something better exists.
Hi, if you can, try to deny some particular protocols on TCP/UDP ports from your inside net as the source to destination any, with ports like DNS (port 53) and WWW (port 80).
But do you want to block the entry and exit of all traffic?
But you can create a rule:
access-list inside_dany_net remark Deny web, proxy and DNS from the inside net; everything else falls to the ACL's implicit deny
access-list inside_dany_net extended deny tcp any any eq 80
access-list inside_dany_net extended deny tcp any any eq 443
access-list inside_dany_net extended deny tcp any any eq 8080
access-list inside_dany_net extended deny tcp any any eq 53
access-list inside_dany_net extended deny udp any any eq 53
access-list inside_dany_net remark Apply "in" on inside: that matches packets entering the ASA from inside hosts; "out" would match packets leaving towards them
access-group inside_dany_net in interface inside
But I recommend doing this with object groups to stay more organized.
Thank you for the answers, but if traffic goes on a port, let's say 22 or 21, it will not deny the communication.
To be clear, I have already made a rule deny any any from any to any; it is okay, no traffic goes anywhere, but the problem is with the logs: I need to log only traffic which goes from inside to the Internet (not only a few ports, but the whole range of ports).
Of course, I can enable logging on the rule any any, but there are 33,000 matches per 2 minutes, so I need to make a specific rule for the logs.
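The setup this thread is converging on, written out as an added example (it is not config from any poster here): one ACL applied inbound on the inside interface that silently drops internal-to-internal traffic and logs only the Internet-bound remainder, on every port. The object-group names, the 10.10.0.0/16 inside range and the RFC 1918 list are assumptions; replace them with the real topology.

```cisco
! Added example, not from the thread. Names and ranges below are assumptions.
! INSIDE_NETS  = the subnets behind the inside interface (assumed 10.10.0.0/16)
! RFC1918      = all private ranges, used as "not the Internet"
object-group network INSIDE_NETS
 network-object 10.10.0.0 255.255.0.0
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! 1. Internal destinations: drop without any syslog (log disable suppresses the
!    per-packet 106023 deny message as well). Change "deny" to "permit" if
!    internal traffic through the ASA (e.g. to a DMZ) is actually allowed.
access-list INSIDE_IN remark Internal-to-internal: no log
access-list INSIDE_IN extended deny ip object-group INSIDE_NETS object-group RFC1918 log disable
!
! 2. Everything else sourced from the inside net is Internet-bound: deny and log.
!    With the log keyword the ASA emits one 106100 message per new flow and
!    then a hit-count summary every interval (300 s here) instead of one line
!    per packet, which is what keeps the volume down.
access-list INSIDE_IN remark Inside -> Internet, all ports: deny and log
access-list INSIDE_IN extended deny ip object-group INSIDE_NETS any log 6 interval 300
!
! 3. Packets entering "inside" with a source that is not in INSIDE_NETS are
!    spoofed or misconfigured hosts; keep them visible at warning level.
access-list INSIDE_IN remark Unexpected source on inside interface
access-list INSIDE_IN extended deny ip any any log 4
!
! "in" = traffic entering the ASA on this interface, i.e. from the inside hosts.
access-group INSIDE_IN in interface inside
```

Order matters: the RFC1918 line must sit above the logged deny, otherwise internal flows land in the logged ACE again. Before trusting it, check `show access-list INSIDE_IN` for the per-ACE hit counts and run `packet-tracer input inside tcp 10.10.1.5 1234 8.8.8.8 22` (and the same towards an internal address) to see which ACE each flow lands on.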