08-19-2005 01:22 AM - edited 03-09-2019 12:11 PM
Hi,
I've recently set up a PIX - just the basic stuff. Now, for security reasons I want all traffic from the inside going out to be denied, so that I can add a couple of rules later just allowing HTTP and FTP.
How is this possible? The moment I remove the default "allow all" rule all traffic is denied whether or not I make the "allow http/ftp" rules.
I should probably mention that I'm fairly new to PIXs and I'm doing this configuration from the ASDM on version 7.0 of a Pix515.
Hope someone can help me out - thanks in advance!
Rasmus
08-19-2005 01:57 AM
Hello Rasmus,
By default all traffic from inside to outside is allowed. This is with regards to the Adaptive security algorithm that the PIX uses.
If you have to deny any traffic from inside to outside, you need to give an access-list on the inside,
access-list inside deny ip any any
access-group inside in interface inside
Later you can add up permit statements on the Top of the deny ip any any, and permit the IP addresses.
Hope this helps. Rate replies if found useful.
Raj
08-19-2005 02:04 AM
Hi Raj,
Thanks for your prompt reply. The only thing is, that what you describe is exactly what I've been trying to do. Of course I did it in the ASDM, but that shouldn't make a difference I guess? This is very weird.
08-19-2005 11:52 AM
If I could add to what Raj has said above, since all access-lists are read from the top down, if your "deny all" statement is at the top, it will not see the "allow" statements. You need to be sure your "allow" statements are inserted ABOVE the "deny all" statement.
From CLI:
access-list (acl-name) line 1 extended permit (protocol) (source) (destination)
The "line 1" will insert this line above the deny line. I am not sure of the equivalent in ASDM.
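The two replies above make the same point: the PIX evaluates an access-list top down and stops at the first match, so a "deny ip any any" that sits above the permits shadows them. The following Python model is an added illustration, not code from the thread or from Cisco; it parses access-list lines in the syntax the replies use, honours the "line N" insertion position, and evaluates sample flows against both orderings. The inside network 192.168.1.0/24, the host 192.168.1.10 and the destination 203.0.113.5 are constructed sample values, and the implicit deny at the end of the list is modelled as the fallback result. The shadowed_entries check is an extra defender-side aid that flags permits a broader earlier deny makes unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    name: str
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]           # destination port from "eq <port>", None if absent
    line: Optional[int]           # explicit "line N" position, None to append


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_entry(text: str) -> Entry:
    """Parse one 'access-list <name> [line N] [extended] <action> <proto> <src> <dst> [eq <port>]' line."""
    tok = text.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + text)
    name, i, line = tok[1], 2, None
    if tok[i] == "line":
        line, i = int(tok[i + 1]), i + 2
    if tok[i] == "extended":
        i += 1
    action, proto, i = tok[i], tok[i + 1], i + 2
    src, i = _parse_addr(tok, i)
    dst, i = _parse_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Entry(name, action, proto, src, dst, port, line)


def build_acl(lines: List[str]) -> List[Entry]:
    """Apply lines in the order an admin types them; 'line N' inserts at position N, otherwise append."""
    acl: List[Entry] = []
    for text in lines:
        e = parse_entry(text)
        acl.insert(e.line - 1, e) if e.line is not None else acl.append(e)
    return acl


def _matches(e: Entry, proto, src, dst, port) -> bool:
    return (e.proto in ("ip", proto)
            and ipaddress.ip_address(src) in e.src
            and ipaddress.ip_address(dst) in e.dst
            and (e.port is None or e.port == port))


def evaluate(acl: List[Entry], proto, src, dst, port=None) -> str:
    """First match wins, top to bottom; no match falls through to the implicit deny."""
    for e in acl:
        if _matches(e, proto, src, dst, port):
            return e.action
    return "deny"


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """1-based positions of entries that can never match: an earlier, broader entry
    with the opposite action already catches every packet they describe."""
    out = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.action != later.action
                    and earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                out.append(i + 1)
                break
    return out


# Constructed sample: permits typed after the deny land below it (the poster's situation).
WRONG_ORDER = [
    "access-list inside extended deny ip any any",
    "access-list inside extended permit tcp 192.168.1.0 255.255.255.0 any eq 80",
    "access-list inside extended permit tcp 192.168.1.0 255.255.255.0 any eq 21",
]
# Constructed sample: the same permits inserted with "line N" so they sit above the deny.
RIGHT_ORDER = [
    "access-list inside extended deny ip any any",
    "access-list inside line 1 extended permit tcp 192.168.1.0 255.255.255.0 any eq 80",
    "access-list inside line 2 extended permit tcp 192.168.1.0 255.255.255.0 any eq 21",
]


def demo() -> dict:
    wrong, right = build_acl(WRONG_ORDER), build_acl(RIGHT_ORDER)
    host, site = "192.168.1.10", "203.0.113.5"
    return {
        "wrong_http": evaluate(wrong, "tcp", host, site, 80),   # deny: shadowed by line 1
        "wrong_shadowed": shadowed_entries(wrong),              # [2, 3]
        "right_http": evaluate(right, "tcp", host, site, 80),   # permit
        "right_ftp": evaluate(right, "tcp", host, site, 21),    # permit
        "right_smtp": evaluate(right, "tcp", host, site, 25),   # deny: reaches the deny line
        "right_shadowed": shadowed_entries(right),              # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running shadowed_entries over an exported access-list is a quick way to spot the ordering mistake from the thread before a change window: any permit it reports will never see traffic, whatever ASDM shows.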
10-15-2005 03:36 PM
Dear Raj,
I have to disable all the ICMP traffic on the outside interface except for a few of our public networks.
Can you suggest some specific commands for the same?
EM