Yes, but you might not like it. The best way I have found is through the
use of the outbound and apply commands. The syntax is:
usage: [no] outbound <outbound_id> permit|deny|except <ip>
[<mask> [java|<port>[-<port>] [<protocol>]]]
and
usage: [no] apply [(<if_name>)] <outbound_id> outgoing_src|outgoing_dest
For instance, I have a client that wants to deny all outbound web/ssl
traffic from any host, and force them to use their proxy server. The
commands we used are:
outbound 1 deny 0.0.0.0 0.0.0.0 80 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 443 tcp
outbound 1 except 192.168.0.1 255.255.255.255 80 tcp
outbound 1 except 192.168.0.1 255.255.255.255 443 tcp
apply (inside) 1 outgoing_dest
Remember, in the outbound command, these are full blown ip and masks, and
not wildcard (by wildcard I mean the reverse subnet mask thing that confused
us all at first). But even though they are subnet masks, to specify a
single pc, use the full 32-bit mask.
Let's say we want to deny everyone on your 192.168.1.0 subnet access to
outside mail servers, but you want YOUR pc (192.168.1.44) to get out on these
ports. ;-) (we never do things like that, do we?) You could accomplish
this by using:
outbound 1 deny 192.168.1.0 255.255.255.0 110 tcp
outbound 1 deny 192.168.1.0 255.255.255.0 25 tcp
outbound 1 except 192.168.1.44 255.255.255.255 110 tcp
outbound 1 except 192.168.1.44 255.255.255.255 25 tcp
apply (inside) 1 outgoing_dest
The only other way is to not use NAT on the interface. Remember, to go from
a low security zone to a high one, a static and conduits must be in place, and to
go from high to low, NAT must be used. If it is a global thing, disable
NAT. If it is access to a specific service, outbound and apply will do it.
K
-----
Kristopher B. Climie, CCNP, CCDP
> From: [EMAIL PROTECTED] ("oluwakemi ojo")
> Organization: GroupStudy.com Discussion Groups
> Newsgroups: groupstudy.cisco
> Date: 12 Sep 2000 11:22:00 -0400
> Subject: Pix Access Control
>
> Hi,
>
> Are there commands that will block access on a pix firewall from a higher
> security zone (i.e. 100) to a lower security zone (i.e. 0)?
>
>
> Regards
>
> Kemi
> **NOTE: New CCNA/CCDA List has been formed. For more information go to
> http://www.groupstudy.com/list/Associates.html
> _________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
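An added example, not from the post or from Cisco: a small Python model of how an outbound list is evaluated, used to check a policy before typing it into the PIX. It assumes (from the PIX documentation of that era) that with outgoing_dest the deny entries are compared against the destination and the except entries against the source, that an except overrides a matching deny, and that a flow no entry matches is permitted. The policy tables are constructed from the proxy example above; the second one repeats the mistake the post warns about, writing the /32 host as a wildcard mask.

```python
from ipaddress import IPv4Address

def mask_match(addr, ip, mask):
    # Real subnet-mask semantics: a 1 bit in the mask means "this bit must match".
    a, i, m = (int(IPv4Address(x)) for x in (addr, ip, mask))
    return (a & m) == (i & m)

def port_match(port, spec):
    # spec is None (any port), "80", or a range such as "1024-65535"
    if spec is None:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def outbound_verdict(entries, mode, src, dst, port, proto="tcp"):
    # entries: (action, ip, mask, port_spec, proto); mode: "outgoing_src" or "outgoing_dest".
    # Assumed PIX semantics: deny entries are compared against the end named by mode,
    # except entries against the opposite end, and an except overrides a deny.
    ruled, other = (dst, src) if mode == "outgoing_dest" else (src, dst)
    hit = lambda e, addr: (mask_match(addr, e[1], e[2]) and port_match(port, e[3])
                           and e[4] in (None, proto))
    if any(e[0] == "except" and hit(e, other) for e in entries):
        return "permit"
    if any(e[0] == "deny" and hit(e, ruled) for e in entries):
        return "deny"
    return "permit"   # nothing matched: an outbound list only restricts

# Constructed from the proxy example in the post (proxy 192.168.0.1, apply ... outgoing_dest)
PROXY_POLICY = [
    ("deny", "0.0.0.0", "0.0.0.0", "80", "tcp"),
    ("deny", "0.0.0.0", "0.0.0.0", "443", "tcp"),
    ("except", "192.168.0.1", "255.255.255.255", "80", "tcp"),
    ("except", "192.168.0.1", "255.255.255.255", "443", "tcp"),
]
# Same policy with the host written as a wildcard mask: every address ending in .1 now matches
WILDCARD_MISTAKE = PROXY_POLICY[:2] + [
    ("except", "192.168.0.1", "0.0.0.255", "80", "tcp"),
    ("except", "192.168.0.1", "0.0.0.255", "443", "tcp"),
]

if __name__ == "__main__":
    for src in ("10.0.0.5", "192.168.0.1", "10.0.0.1"):   # constructed sample hosts
        print(src, "correct:", outbound_verdict(PROXY_POLICY, "outgoing_dest", src, "198.51.100.7", 443),
              "wildcard:", outbound_verdict(WILDCARD_MISTAKE, "outgoing_dest", src, "198.51.100.7", 443))
```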