How to block IP address from outbound Internet connections.

Greetings,

This sounds simple, but I don't see how to do it.

How can I block an IP address from going outbound to the Internet? Should I use an access-list, conduit, etc.? Excuse my ignorance.

6 Replies

Hi,

You can use an access-list applied on the inside interface to deny the outbound connection.

Or you can use the shun command for blocking an IP in all directions (PIX OS 6.0 or later).

Graz.


The idea is to use an access-list to block outgoing traffic and to bind this access-list to the inside interface. In the following example I allow users to use their browsers, i.e. port 80, but also to browse websites using SSL (port 443). All other traffic (e.g. telnet, FTP) is blocked.

access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list user_punishment deny ip any any
access-group user_punishment in interface inside

The third item in the access-list is not needed, but it helps in understanding the process.

Best regards

Goran


Thanks for the help. I didn't create the access-group to bind the list to an interface.

One more question ... in your example, when I create the access-group does that only bind acl user_punishment to the inside interface or does it bind all acls to that interface?


Much easier than building an access-list or conduit is using the icmp command. You can try this.

icmp deny host a.b.c.d interface <--- this can be inside or outside

Bye.


Wouldn't that just prevent ICMP echo-replies from that PIX interface?

try:

access-list acl_in deny ip host a.b.c.d any
access-list acl_in permit ip any any
access-group acl_in in interface inside
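Both lists in this thread (Goran's user_punishment list and the deny-host/permit-any pair just above) depend on two PIX behaviours: access-list lines are matched in order, first match wins, and anything no line permits is dropped by an implicit deny at the end of the list. The following Python script is an added illustration, not part of the thread and not Cisco code. It parses those exact lines (PIX netmask syntax, not IOS wildcards) and evaluates sample outbound flows first-match, showing that the host deny must precede permit ip any any or it is never reached, and that removing Goran's explicit third line changes nothing because the implicit deny takes over. The addresses 192.168.1.77 (standing in for a.b.c.d) and 203.0.113.10 (an arbitrary Internet host) are assumptions made for the example.

```python
"""First-match evaluator for PIX-style access-lists (added illustration, not PIX code).

Models the point made in the replies above: lines are matched in order, so
'deny ip host a.b.c.d any' must precede 'permit ip any any' or it is never
reached, and a packet that no line matches falls into the implicit deny.
Assumed, not from the thread: a.b.c.d = 192.168.1.77, Internet host = 203.0.113.10.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords PIX accepts after 'eq' (names or numbers); only those the thread needs.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ftp": 21}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port; None means any


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX takes a netmask, not a wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]' into (NAME, Ace)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return name, Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> Dict[str, List[Ace]]:
    """Group lines by list name, preserving order: order is exactly what the PIX matches on."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        if line.strip():
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, matching line number); no match falls into the implicit deny (line None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for lineno, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, lineno
    return "deny", None


# Constructed input: the two lists from the thread, plus the deny/permit pair in the wrong order.
CONFIG = """
access-list acl_in deny ip host 192.168.1.77 any
access-list acl_in permit ip any any
access-list acl_in_wrong permit ip any any
access-list acl_in_wrong deny ip host 192.168.1.77 any
access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list user_punishment deny ip any any
"""


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate representative outbound flows against each list."""
    acls = parse_acl(CONFIG)
    punish, inet = acls["user_punishment"], "203.0.113.10"
    return {
        "blocked_host": evaluate(acls["acl_in"], "tcp", "192.168.1.77", inet, 80),
        "other_host": evaluate(acls["acl_in"], "tcp", "192.168.1.5", inet, 80),
        # Wrong order: 'permit ip any any' matches first and shadows the deny line.
        "wrong_order": evaluate(acls["acl_in_wrong"], "tcp", "192.168.1.77", inet, 80),
        "punish_https": evaluate(punish, "tcp", "192.168.1.5", inet, 443),
        "punish_telnet": evaluate(punish, "tcp", "192.168.1.5", inet, 23),
        # Without Goran's third line, ICMP is still denied, now by the implicit deny.
        "punish_icmp_implicit": evaluate(punish[:2], "icmp", "192.168.1.5", inet),
    }


if __name__ == "__main__":
    for flow, (action, lineno) in demo().items():
        print(f"{flow:22s} -> {action} (line {lineno if lineno else 'implicit'})")
```

On the firewall itself the equivalent check is `show access-list`, whose per-line hit counts show whether the deny line is ever being reached; a deny line that sits below permit ip any any will never accumulate hits.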


I trust it only binds that particular ACL to the interface.

- Goran