PIX -- Filtering outbound traffic?

gavinfoster
Level 1

Hello experts,

I am trying to filter some outbound traffic but becoming confused!

If I have a network on the DMZ interface, e.g. 192.168.1.0/24, by default the implicit rules allow all traffic on this network to the outside interface but deny access to the inside interface.

If I want to block an address in the DMZ from outside access I can use....

access-list inside_access_in extended deny ip host 192.168.1.38 any

.........but this overrides the implicit rule that allows all traffic to the outside (lower security) interface and now all traffic is blocked.

If I add...........

access-list inside_access_in extended permit ip any any

.........now I am blocking only the one IP address but I have overridden the 'deny any any' rule that stops traffic flowing to a higher security interface.

How can I block a single address or subnet from the DMZ to the outside without permitting DMZ access to the inside?

Thanks for any help.

4 Replies

mirober2
Cisco Employee

Hi Gavin,

The simplest way to do this is to put an explicit deny statement with a destination of your inside subnet inbound on the DMZ interface. For example, if your inside subnet is 192.168.0.0/24, the ACL on the DMZ interface would look like this:

access-list dmz_access_in deny ip host 192.168.1.38 any
access-list dmz_access_in deny ip any 192.168.0.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-group dmz_access_in in interface dmz

The above ACL would prevent 192.168.1.38 from getting to the outside, stop all hosts from accessing the inside subnet, and still allow all remaining access to the outside.

You could also do it using an outbound ACL on the inside interface, but this is much less commonly used. The ACL would look like this, which would deny any traffic from leaving the ASA on the inside interface that was sourced from a DMZ host, but allow all other traffic:

access-list inside_access_out deny ip 192.168.1.0 255.255.255.0 any
access-list inside_access_out permit ip any any
access-group inside_access_out out interface inside

More information about the ACL configurations can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html

Hope that helps.

-Mike
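The point Mike makes is that an ACL applied to an interface replaces the implicit interface rules entirely: entries are evaluated top down, the first match wins, and anything that matches nothing hits an implicit deny ip any any at the end. The following Python script is an added example (not part of the original thread or of any Cisco tool) that models exactly those first-match semantics for ASA-style "ip" entries and runs Gavin's one-line ACL and Mike's three-line ACL against the same constructed flows. The 192.168.1.38 host and the 192.168.0.0/24 inside subnet come from the thread; the outside address 198.51.100.10 and the inside host 192.168.0.5 are assumed values chosen for the demo.

```python
"""First-match evaluator for ASA-style 'access-list NAME [extended] permit|deny ip SRC DST' lines.

Added example, not code from the thread or from Cisco. It models the ASA's
first-match evaluation and the implicit 'deny ip any any' at the end of any
ACL that is applied to an interface, so the two ACLs discussed above can be
compared on identical flows. Only 'ip' entries with any / host A / A MASK
address specs are handled, which is all the thread uses.
"""
import ipaddress

# Gavin's first attempt: a single explicit deny, nothing else.
GAVIN_ACL = """
access-list inside_access_in extended deny ip host 192.168.1.38 any
"""

# Mike's suggestion: deny the host, deny the inside subnet, then permit the rest.
MIKE_ACL = """
access-list dmz_access_in deny ip host 192.168.1.38 any
access-list dmz_access_in deny ip any 192.168.0.0 255.255.255.0
access-list dmz_access_in permit ip any any
"""


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # The ASA takes a real subnet mask here (255.255.255.0), not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] in configured (evaluation) order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        tokens = tokens[2:]                 # drop 'access-list <name>'
        if tokens[0] == "extended":         # keyword is optional on the ASA
            tokens = tokens[1:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit|deny ip' entries are modelled: {line}")
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; an applied ACL that matches nothing denies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"   # implicit 'deny ip any any' at the end of every applied ACL


# Constructed flows arriving inbound on the DMZ interface: (src, dst, where dst lives).
FLOWS = [
    ("192.168.1.38", "198.51.100.10", "outside"),  # the host Gavin wants blocked
    ("192.168.1.20", "198.51.100.10", "outside"),  # any other DMZ host -> outside
    ("192.168.1.20", "192.168.0.5", "inside"),     # DMZ host -> inside subnet
]


def compare(acl_text):
    """Map (src, dst) of each constructed flow to the verdict this ACL gives it."""
    entries = parse_acl(acl_text)
    return {(s, d): evaluate(entries, s, d) for s, d, _ in FLOWS}


if __name__ == "__main__":
    for name, acl in (("Gavin's ACL", GAVIN_ACL), ("Mike's ACL", MIKE_ACL)):
        print(name)
        for (s, d, where) in FLOWS:
            print(f"  {s} -> {d} ({where}): {compare(acl)[(s, d)]}")
```

Running it shows why Gavin's first attempt blocked everything: with only a deny entry configured, the other two flows fall through to the implicit deny, including DMZ-to-outside traffic that the interface's default security-level rule used to permit. Mike's ordering denies the one host and the inside subnet and then, because the explicit permit any any comes last, lets the remaining DMZ-to-outside traffic through.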

Thanks Mike,

It all makes perfect sense when someone else says it!

I found it confusing that, once I had added my own ACL, the implicit rules are overridden and, in order to keep traffic flowing, I had to add

permit ip any any

which seems contradictory to the implicit rule

deny ip any any

The outbound ACL is interesting; I must admit I have never seen that before. Can you still only have one ACL per interface, either inbound or outbound, or can you have one of each?

Thanks

Gavin

Hi Gavin,

You can have both inbound and outbound ACLs applied to the same interface. In most scenarios, though, inbound ACLs are enough to achieve what you want to do.

Hope that helps.

-Mike
