This sounds simple, but I don't see how to do it.
How can I block an IP address from going outbound to the Internet? Should I use an access-list, conduit, etc.? Excuse my ignorance.
You can use an access-list applied on the inside interface to deny the outbound connection.
Or you can use a shun command for blocking an IP in all directions (PIX OS 6.0 or later).
The idea is to use an access-list to block outgoing traffic and to bind this access-list to the inside interface. In the following example I allow users to use their browsers, i.e. port 80, but also to browse websites using SSL (port 443). All other traffic (e.g. telnet, FTP) is blocked.
access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list user_punishment deny ip any any
access-group user_punishment in interface inside
The 3rd item in the access-list is not needed, but it helps in understanding the process.
Thanks for the help. I didn't create the access-group to bind the list to an interface.
One more question ... in your example, when I create the access-group does that only bind acl user_punishment to the inside interface or does it bind all acls to that interface?
Much easier than building an access-list or conduit is using the icmp command. You can try this.
icmp deny host a.b.c.d interface <--- this can be inside or outside
Wouldn't that just prevent ICMP echo-replies from that PIX interface?
try access-list acl_in deny ip host a.b.c.d any
access-list acl_in permit ip any any
access-group acl_in in interface inside
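As an added illustration (not posted by anyone in this thread), the following Python evaluates the PIX access-list syntax used above with first-match semantics and the implicit deny, so you can see why the host deny must come before permit ip any any before the list is bound with access-group. The host address 192.168.1.50 and the destination 203.0.113.10 are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed example, not code from the thread: a first-match evaluator for
# the PIX access-list lines quoted above. Sample addresses are made up.

PORT_NAMES = {"www": 80, "https": 443, "telnet": 23, "ftp": 21}

def _net(tokens):
    """Consume one address spec: 'any', 'host A', or 'A MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX writes the mask as a dotted netmask, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(lines, name):
    """Return the ordered rules of access-list NAME as (action, proto, src, dst, port)."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _net(rest)
        dst, rest = _net(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; a flow matching no rule hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every PIX access-list

# Constructed sample: the two lists from the thread, host filled in.
ACL_IN = ["access-list acl_in deny ip host 192.168.1.50 any",
          "access-list acl_in permit ip any any"]
ACL_IN_SHADOWED = list(reversed(ACL_IN))  # wrong order: the deny is never reached
USER_PUNISHMENT = ["access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq www",
                   "access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq 443",
                   "access-list user_punishment deny ip any any"]
```

Running evaluate over the reversed list shows the blocked host being permitted, which is the shadowing mistake to check for before applying access-group.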