11-22-2018 06:21 AM - edited 02-21-2020 08:29 AM
Hello, I need to deny any traffic from my internal network to the Internet, but I cannot do "any any", because I need to log it and there is so much traffic.
I tried to deny traffic from any to outside (interface), but this is not working.
I can add public ranges, but I think it is not very clear; my question is if something better exists.
Thank you
11-22-2018 07:07 AM - edited 11-22-2018 07:08 AM
Nelson Neto's answer is correct
11-22-2018 07:09 AM
Hi, if you can, try to deny some particular protocols in TCP/UDP ports from your inside net as a source to destination any, with ports like DNS (port 53), WWW (port 80).
11-22-2018 07:41 AM
Hello,
But do you want to block the entry and exit of all traffic?
But you can create a rule:
access-list inside_dany_net extended deny tcp any any eq 80
access-list inside_dany_net extended deny tcp any any eq 443
access-list inside_dany_net extended deny tcp any any eq 8080
access-list inside_dany_net extended deny tcp any any eq 53
access-list inside_dany_net extended deny udp any any eq 53
access-group inside_dany_net out interface inside
But I recommend doing this with an object group to stay more organized.
11-22-2018 11:50 PM
Hello,
Thank you for the answers, but if traffic goes with a port, let's say 22 or 21, it will not deny the communication.
To be clear, I have already made a rule deny any any from any to any; it is okay, no traffic will go anywhere, but the problem is with logs: I need to log only traffic which will go from inside to the Internet (not only a few ports, but the whole range of ports).
Of course, I can enable logs on the any any rule, but there are 33 000 matches per 2 minutes, so I need to make a specific rule for logs.
Thank you
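One way to get exactly the logging the poster describes, as an added example that is not from any participant in this thread: because the ASA evaluates an ACL first-match, an entry for inside-to-RFC1918 destinations placed ahead of the catch-all deny and written without the log keyword absorbs internal traffic silently, so only the final deny (inside to anything else, i.e. the Internet) logs. The Python below simulates that first-match evaluation over constructed flows and renders the equivalent ASA lines; the 10.1.0.0/16 inside subnet and the ACL name are assumptions.

```python
import ipaddress

# Constructed example: ASA ACLs are evaluated first-match, so a quiet
# (non-logged) entry for inside-to-internal traffic placed ahead of a logged
# catch-all deny means only inside-to-Internet flows generate syslog messages.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed inside subnet
ACL_NAME = "inside_to_internet"                   # assumed ACL name

# Each entry: (action, source network, destination networks, log?)
ACL = [
    ("deny", INSIDE_NET, RFC1918, False),  # internal destinations: no log
    ("deny", INSIDE_NET, [ANY], True),     # everything else (Internet): log
]

def evaluate(src, dst):
    """First-match evaluation; returns (action, logged).
    Flows matching no entry hit the implicit deny, which does not log."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_nets, log in ACL:
        if s in src_net and any(d in n for n in dst_nets):
            return action, log
    return "deny", False

def logged_flows(flows):
    """Return only the (src, dst) pairs that would appear in the syslog."""
    return [(s, d) for s, d in flows if evaluate(s, d)[1]]

def render_asa():
    """Render the same policy as ASA configuration lines, applied inbound
    on the inside interface so it filters traffic sourced from inside hosts."""
    lines = ["object-group network RFC1918"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in RFC1918]
    src = f"{INSIDE_NET.network_address} {INSIDE_NET.netmask}"
    for action, _, dst_nets, log in ACL:
        dst = "any" if dst_nets == [ANY] else "object-group RFC1918"
        lines.append(f"access-list {ACL_NAME} extended {action} ip {src} {dst}"
                     + (" log" if log else ""))
    lines.append(f"access-group {ACL_NAME} in interface inside")
    return "\n".join(lines)

# Constructed sample flows: two internal, two Internet-bound.
SAMPLE_FLOWS = [("10.1.2.3", "192.168.5.5"), ("10.1.2.3", "8.8.8.8"),
                ("10.1.9.9", "172.16.0.7"), ("10.1.9.9", "93.184.216.34")]

if __name__ == "__main__":
    print(render_asa())
    print("logged:", logged_flows(SAMPLE_FLOWS))
```

The rendered lines keep the poster's current "deny everything" behaviour; only the logging is narrowed, and a permit could replace the first deny if internal traffic should be allowed.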
11-24-2018 03:45 PM