First, if you allow all these ports OUTBOUND, there really is no use in applying an 
outbound access list at all. You should allow outbound UDP to your 1st, 2nd and 3rd DNS 
servers ONLY, not the whole world (IF you're even doing external DNS; if not, disallow it 
altogether).

And the reason you're not getting pings through is because you've denied them with the 
blanket deny statement (this supersedes your icmp any any statement). If you want to 
allow ICMP traffic you need to add it to your outbound access list. If you plan on 
implementing any level of security you need to reduce what you let out to only what is 
essential and definitely disable ICMP replies.

Oh, and one other thing... you need 'outbound 10 except 0.0.0.0 0 0 443 tcp' as well 
because everyone is running SSL.

cheers..

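The following is an added example, not part of either message in this thread: a small Python model of how a PIX 4.x `outbound` list made of one blanket `deny` plus `except` entries is evaluated, run over the list quoted below and over a tightened version of it along the lines of the reply above (DNS only to named servers, 443 added, ICMP stated explicitly). The evaluation rules it encodes are assumptions stated in the comments: with `apply (inside) 10 outgoing_src` the `deny` is matched on the inside source address, `except` entries are matched on the outside destination address and win over the deny, port 0 and protocol 0 mean any, and an ICMP packet has no port so it is treated as port 0. The DNS server addresses, the inside host and the `icmp` protocol keyword on the except line are likewise assumptions chosen for the example.

```python
"""Model of PIX 4.x 'outbound' list evaluation (added example, not from the thread).

Assumed rules: the list is applied with 'apply (inside) 10 outgoing_src', so
deny/permit entries match the inside SOURCE address and except entries match
the outside DESTINATION address; a matching except overrides the deny;
port 0 / protocol 0 mean 'any'; ICMP carries no port, so its dport is 0.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str   # 'deny', 'permit' or 'except'
    ip: str
    mask: str     # PIX takes a netmask here, not a wildcard mask
    port: int     # 0 = any port
    proto: str    # 'tcp', 'udp', 'icmp' or '0' = any protocol


def parse_outbound(config: str) -> list:
    """Parse 'outbound <id> <action> <ip> <mask> [port] [proto]' lines; skip the rest."""
    entries = []
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "outbound":
            continue  # blank line, apply statement, conduit, ...
        action, ip, mask = parts[2], parts[3], parts[4]
        port = int(parts[5]) if len(parts) > 5 else 0
        proto = parts[6] if len(parts) > 6 else "0"
        entries.append(Entry(action, ip, mask, port, proto))
    return entries


def addr_match(entry: Entry, addr: str) -> bool:
    """True when addr falls inside entry.ip/entry.mask (0.0.0.0 0.0.0.0 = anything)."""
    mask = int(ipaddress.IPv4Address(entry.mask))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(entry.ip)) & mask)


def svc_match(entry: Entry, dport: int, proto: str) -> bool:
    """Port 0 / proto '0' on the entry match any port / any protocol."""
    return entry.port in (0, dport) and entry.proto in ("0", proto)


def check(entries: list, src: str, dst: str, dport: int, proto: str) -> str:
    """Return 'permit' or 'deny' for one outbound flow under an outgoing_src apply."""
    # except entries name the far end (destination) and take precedence over the deny
    for e in entries:
        if e.action == "except" and addr_match(e, dst) and svc_match(e, dport, proto):
            return "permit"
    for e in entries:
        if e.action in ("deny", "permit") and addr_match(e, src) and svc_match(e, dport, proto):
            return e.action
    return "permit"  # nothing matched: without an outbound list the PIX lets it out


# The list from the thread: every except names a TCP/UDP port, so an ICMP echo
# (no port) only ever hits the blanket deny.
ORIGINAL = """
outbound 10 deny 0.0.0.0 0.0.0.0 0 0
outbound 10 except 0.0.0.0 0.0.0.0 7 tcp
outbound 10 except 0.0.0.0 0.0.0.0 7 udp
outbound 10 except 0.0.0.0 0.0.0.0 20 tcp
outbound 10 except 0.0.0.0 0.0.0.0 21 tcp
outbound 10 except 0.0.0.0 0.0.0.0 23 tcp
outbound 10 except 0.0.0.0 0.0.0.0 25 tcp
outbound 10 except 0.0.0.0 0.0.0.0 25 udp
outbound 10 except 0.0.0.0 0.0.0.0 53 udp
outbound 10 except 0.0.0.0 0.0.0.0 80 tcp
"""

# Tightened list (assumed addresses): DNS only to three named servers, 443 added,
# ICMP listed explicitly. The 'icmp' protocol keyword is an assumption for this model.
TIGHTENED = """
outbound 10 deny 0.0.0.0 0.0.0.0 0 0
outbound 10 except 192.0.2.10 255.255.255.255 53 udp
outbound 10 except 192.0.2.11 255.255.255.255 53 udp
outbound 10 except 192.0.2.12 255.255.255.255 53 udp
outbound 10 except 0.0.0.0 0.0.0.0 80 tcp
outbound 10 except 0.0.0.0 0.0.0.0 443 tcp
outbound 10 except 0.0.0.0 0.0.0.0 0 icmp
"""

INSIDE_HOST = "10.1.1.5"  # constructed inside address
FLOWS = [  # (label, destination, dport, protocol) - constructed sample traffic
    ("ping outside host", "198.51.100.1", 0, "icmp"),
    ("DNS to random resolver", "198.51.100.1", 53, "udp"),
    ("DNS to our 2nd server", "192.0.2.11", 53, "udp"),
    ("HTTPS", "203.0.113.7", 443, "tcp"),
]


def report(config: str) -> dict:
    """Verdict for every sample flow under the given outbound list."""
    entries = parse_outbound(config)
    return {name: check(entries, INSIDE_HOST, dst, port, proto) for name, dst, port, proto in FLOWS}


if __name__ == "__main__":
    for label, cfg in (("original list", ORIGINAL), ("tightened list", TIGHTENED)):
        print(label)
        for name, verdict in report(cfg).items():
            print(f"  {name:24s} {verdict}")
```

Running it shows the original list denying the ping and the tightened list permitting it, while DNS to anything but the three named servers is now denied. The model only covers a single deny plus except entries; a real PIX also orders multiple permit/deny entries and handles `outgoing_dest` differently, so treat it as an illustration of the precedence the reply describes, not a substitute for testing on the box.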

>>> Warwick Vele <[EMAIL PROTECTED]> 06/14/00 05:51PM >>>
I am testing outbound access-lists to apply to our PIX and have run into
a small problem.

The test list is as follows:

    outbound  10 deny 0.0.0.0 0.0.0.0 0 0
    outbound  10 except 0.0.0.0 0.0.0.0 7 tcp
    outbound  10 except 0.0.0.0 0.0.0.0 7 udp
    outbound  10 except 0.0.0.0 0.0.0.0 20 tcp
    outbound  10 except 0.0.0.0 0.0.0.0 21 tcp
    outbound  10 except 0.0.0.0 0.0.0.0 23 tcp
    outbound  10 except 0.0.0.0 0.0.0.0 25 tcp
    outbound  10 except 0.0.0.0 0.0.0.0 25 udp
    outbound  10 except 0.0.0.0 0.0.0.0 53 udp
    outbound  10 except 0.0.0.0 0.0.0.0 80 tcp

applied with:

    apply (inside) 10 outgoing_src

I also have a conduit allowing icmp:

    conduit permit icmp any any

The intent is to deny all outbound traffic _except_ those ports stated
above, with a destination of "anywhere". When I apply the list it blocks
PING attempts from the inside to the outside. When I remove the apply
statement it works fine. Is there something that I am leaving out with
my except statements? We are using version 4.3(2).

Thanks,

Warwick

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
