cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


532
Views
0
Helpful
5
Replies
Beginner

Deny access from inside to internet

Hello, I need to deny  any traffic from my internal network to the internet, but I cannot do any any, because I need to logg it and there is so much traffic.

 

I tried to deny traffic from any to outside(interface), but this is not working.

I can add public ranges, but it is not very clear I think, my question is if exist something better.

 

Thank you

Everyone's tags (1)
5 REPLIES 5

Re: Deny access from inside to internet

Nelson Neto's answer is correct

Beginner

Re: Deny access from inside to internet

Hi , if you can , try to deny some particular protocols in TCP/UDP ports from your inside net as a source to destination any with ports like DNS(port 53),WWW(port 80)

 

 

Highlighted
Beginner

Re: Deny access from inside to internet

Hello,

  

But do you want to block the entry and exit of all traffic?


But you can create a rule:


access-list inside_dany_net extended deny tcp any any eq 80
access-list inside_dany_net extended deny tcp any any eq 443
access-list inside_dany_net extended deny tcp any any eq 8080
access-list inside_dany_net extended deny tcp any any eq 53
access-list inside_dany_net extended deny udp any any eq 53

access-group inside_dany_net out interface inside

 

But I recommend doing this by obj group to stay more organized.

Beginner

Re: Deny access from inside to internet

Hello,

 

thank you for answers, but if traffic will go with port, let´s say 22,21 it will not deny communication.

To be clear, I have already made rule deny any any from any to any, it is okay, no traffic will go anywhere, but problem is with logs, i need to log only traffic which will go from inside to the Internet (not only few ports, but all range of ports).

 

Of course, I can enable logs on rule any any, but there is 33 000 matches per 2 minutes, so I need to make specific rule for logs.

 

Thank you

Enthusiast

Re: Deny access from inside to internet

I personally do not know why anyone would want to do this, but I would use Sourcefire for it personally.
CreatePlease to create content
Content for Community-Ad
FusionCharts will render here