Outbound ACL's

Scott Payne
Level 1

I have been fighting the ackantta virus for quite some time now. The decision has been made to lock down every port except for a select few (e.g. 80, 443, 21, 8080...)

My question is, "How do I create an outbound ACL that blocks all outbound traffic except for specific ports?" I already placed a block on the ports associated with ackantta.

BrandtASA# sh run | incl access-list out
access-list outside extended permit tcp any host 10.1.5.50 eq smtp
access-list outside extended permit tcp any host 10.1.5.80 eq smtp
access-list outside extended permit udp any any eq domain
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp any any eq https
access-list outside extended permit ip 10.0.50.0 255.255.255.0 any
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
access-list outside extended permit tcp any any eq pptp
access-list outside extended permit tcp any host 10.1.5.90 eq smtp
access-list outside extended permit tcp any host 10.1.5.91 eq smtp
access-list outside extended deny tcp any any eq smtp
access-list outside extended deny tcp any any eq whois
access-list outside extended deny udp any any eq 43
access-list outside extended deny tcp any any eq 1033
access-list outside extended deny udp any any eq 1033
access-list outside extended deny tcp any any eq 1035
access-list outside extended deny udp any any eq 1035
access-list outside extended deny tcp any any eq 1050
access-list outside extended deny udp any any eq 1050
access-list outside extended deny tcp any any eq 1052
access-list outside extended deny udp any any eq 1052
access-list outside extended deny tcp any any eq 1059
access-list outside extended deny udp any any eq 1059
access-list outside extended deny tcp any any eq 1060
access-list outside extended deny udp any any eq 1060
access-list outside extended deny tcp any any eq 1061
access-list outside extended deny udp any any eq 1061
access-list outside extended deny tcp any any eq 1062
access-list outside extended deny udp any any eq 1062
access-list outside extended deny tcp any any eq 1063
access-list outside extended deny udp any any eq 1063
access-list outside extended deny tcp any any eq 1070
access-list outside extended deny udp any any eq 1070
access-list outside extended deny tcp any any eq 1074
access-list outside extended deny udp any any eq 1074
access-list outside extended deny tcp any any eq 1087
access-list outside extended deny udp any any eq 1087
access-list outside extended deny tcp any any eq 1089
access-list outside extended deny udp any any eq 1089
access-list outside extended deny tcp any any eq 1090
access-list outside extended deny udp any any eq 1090
access-list outside extended deny tcp any any eq 1091
access-list outside extended deny udp any any eq 1091

I guess my very basic question is....do I create permit statements just for the select few and deny all others?  I confused myself and have fallen and can't get up.


3 Replies

mirober2
Cisco Employee

Hi Scott,

The easiest way would be to create permit lines only for the specific ports that you want to allow. All other ports will be denied by the implicit 'deny ip any any' rule at the end of every access-list.

Hope that helps.

-Mike

So I should just do something like the following:

1) remove access-list outside extended permit ip any any
2) add permit rules to specific ports such as access-list outside extended permit tcp any any eq www

Hi Scott,

Exactly. All access-lists have an implicit 'deny ip any any' line at the end even though you can't see it in the config. Because ACLs are processed sequentially and processing stops as soon as a line matches, ACL processing will never go past your 'permit ip any any' line. Instead, just put permit lines for the specific ports you do want to allow and everything else will be denied by default.

-Mike
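To make the first-match behaviour Mike describes concrete, here is an added Python example (not from the thread, not Cisco's code) that parses ASA-style access-list lines and walks them top-down, returning which line decided the verdict. The three-line ACL excerpts, the host addresses and the SERVICES table are constructed assumptions for the demo.

```python
import ipaddress
SERVICES = {"smtp": 25, "domain": 53, "www": 80, "https": 443, "whois": 43}  # subset

def _addr(t, i):
    """Parse an ASA address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in lines:
        t = line.split()
        action, proto = t[3], t[4]
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = SERVICES.get(t[i + 1]) or int(t[i + 1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """Top-down, first match wins; no match -> implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and (rport is None or rport == dst_port)):
            return action, n
    return "deny", None  # implicit deny; no configured line number

# Constructed excerpts: as posted, and with 'permit ip any any' replaced by a specific permit.
ACL_AS_POSTED = ["access-list outside extended permit tcp any any eq www",
                 "access-list outside extended permit ip any any",
                 "access-list outside extended deny tcp any any eq 1033"]
ACL_FIXED = ["access-list outside extended permit tcp any any eq www",
             "access-list outside extended permit tcp any any eq https",
             "access-list outside extended deny tcp any any eq 1033"]

def demo():
    """Verdicts for outbound TCP from an inside host (constructed addresses)."""
    posted, fixed = parse_acl(ACL_AS_POSTED), parse_acl(ACL_FIXED)
    pkt = ("tcp", "10.1.5.50", "203.0.113.9")
    return {"posted_1033": evaluate(posted, *pkt, 1033),  # ('permit', 2)
            "fixed_1033": evaluate(fixed, *pkt, 1033),    # ('deny', 3)
            "fixed_ftp": evaluate(fixed, *pkt, 21)}       # ('deny', None)
```

The first result shows why the deny lines in the question never fire: line 2 ('permit ip any any') matches before processing reaches them, while the last result is the implicit deny catching a port with no permit line.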
