M$ admin stuff should all be udp 137,8,9.
However, try applying the list on the inside interface (still) but using
outgoing_dest instead of outgoing_src, then add this line somewhere:
outbound 101 except dmz.ip.range dmz.net.mask 0
I think that should then block access to all hosts except for on the ports
mentioned and allow full access to the DMZ range. You're actually denying
access to hosts, but it's still service specific...if that makes sense.
The trouble with your theory is that outbound lists only work on traffic
coming _out_ of the network the interface lives on. The traffic you're
interested in is actually heading _into_ the outside network (i.e. the
Internet).
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 20 July 2000 3:55 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: PIX deny outbound.
>
> The problem is that if I set the apply on the inside interface, I'm quite
> sure that it will be hard to administer the M$ servers in DMZ. (Without a
> lot of config.)
> So, is it possible to set the apply on the outside int. and deny inside
> hosts access to _services_?