PIX 501 - allow icmp out but deny everything else out


My current config has NO access-lists or access-groups.
Client machines have no internet  - expected.

If I add the following lines...
access-list INBOUND permit icmp any any
access-list INBOUND deny tcp any any
access-list INBOUND deny ip any any
access-group INBOUND in interface outside

... then my client machines suddenly have icmp out (expected), but
they also have http/dns/smtp (i.e. ALL) out.

What access rules can I add, so that clients have icmp out, but nothing
else?

Thanks
Nick

0
Reply nicough (11) 11/18/2006 6:49:00 AM

In article <1163832540.380667.264290@e3g2000cwe.googlegroups.com>,
 <nicough@gmail.com> wrote:
>My current config has NO access-lists or access-groups.
>Client machines have no internet  - expected.

>If I add the following lines......
>access-list INBOUND permit icmp any any
>access-list INBOUND deny tcp any any
>access-list INBOUND deny ip any any
>access-group INBOUND in interface outside

tcp is a subset of ip, so the tcp line is redundant.
There is a default deny at the end of every access-list, so all
trailing deny statements are redundant.


>.... then my client machines suddenly have icmp out (expected), but
>they also have http/dns/smtp (ie ALL) out.

>What access rules can I add, so that clients have icmp out, but nothing
>else?

>My current config has NO access-lists or access-groups.

It is relatively tricky to create a restricted VPN without using
at least two access-lists. What are your static, nat, and global
commands, and what IP pool are you allocating to your clients?
0
Reply roberson 11/18/2006 10:32:02 AM
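To make the two points in the reply above concrete (a PIX access-list is searched top-down with first match winning, an implicit deny sits at the end, and "ip" covers tcp), here is a small first-match ACL evaluator. This is an added example, not the poster's configuration or Cisco's code. Beyond the reply, it also models where an access-group is consulted, on the assumption (as on PIX 6.x) that `access-group NAME in interface X` is applied only to packets entering interface X, and that with no list bound, the firewall's default lets higher-security (inside) traffic reach lower-security (outside) and blocks the reverse. The `Entry`, `Packet`, `evaluate` and `decide` names are the example's own.

```python
"""
First-match ACL model for the thread's "INBOUND" list.

Shows (1) that the posted three-line list decides identically to a
one-line list, because "deny tcp" is covered by "deny ip" and both are
covered by the implicit deny, and (2) that a list bound to the outside
interface never sees traffic leaving from inside clients, so it cannot
restrict their outbound http/dns/smtp.

Assumptions (example code, not from the thread): access-group "in
interface X" filters only packets entering X; with no list bound, the
default permits inside->outside and denies outside->inside. Connection
state (return traffic of established connections) is not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "icmp", "tcp", "udp" ... ; "ip" matches every protocol


@dataclass(frozen=True)
class Packet:
    proto: str
    ingress: str  # interface the packet arrives on: "inside" or "outside"


def evaluate(acl, packet):
    """Search acl top-down; the first entry whose protocol matches decides.
    An unmatched packet falls through to the implicit 'deny ip any any'."""
    for entry in acl:
        if entry.proto == "ip" or entry.proto == packet.proto:
            return entry.action
    return "deny"  # implicit deny at the end of every access-list


# The list exactly as posted, and the list it reduces to.
INBOUND_AS_POSTED = [
    Entry("permit", "icmp"),
    Entry("deny", "tcp"),   # redundant: "ip" below already covers tcp
    Entry("deny", "ip"),    # redundant: the implicit deny already does this
]
INBOUND_MINIMAL = [Entry("permit", "icmp")]


def lists_equivalent(acl_a, acl_b, protos=("icmp", "tcp", "udp", "gre", "esp")):
    """True if both lists return the same decision for every sample protocol."""
    return all(
        evaluate(acl_a, Packet(p, "outside")) == evaluate(acl_b, Packet(p, "outside"))
        for p in protos
    )


def decide(bindings, packet):
    """bindings maps interface name -> ACL bound with 'in interface <name>'.
    Only the list on the packet's ingress interface is consulted (assumption)."""
    acl = bindings.get(packet.ingress)
    if acl is None:
        # Default security-level behaviour (assumption): inside->outside allowed,
        # outside->inside blocked.
        return "permit" if packet.ingress == "inside" else "deny"
    return evaluate(acl, packet)


# Binding exactly as in the thread: the list sits on the outside interface only.
AS_POSTED = {"outside": INBOUND_AS_POSTED}

# A binding that actually restricts what inside clients may start: a list
# permitting only icmp, bound to the inside interface, where client traffic enters.
ICMP_ONLY_OUT = {"outside": INBOUND_AS_POSTED, "inside": [Entry("permit", "icmp")]}


def client_outbound(bindings, proto):
    """Decision for a packet an inside client sends toward the outside."""
    return decide(bindings, Packet(proto, "inside"))


if __name__ == "__main__":
    print("posted list == minimal list:", lists_equivalent(INBOUND_AS_POSTED, INBOUND_MINIMAL))
    for proto in ("icmp", "tcp", "udp"):
        print(f"as posted, client {proto} out: {client_outbound(AS_POSTED, proto)}")
        print(f"icmp-only on inside, client {proto} out: {client_outbound(ICMP_ONLY_OUT, proto)}")
```

Running it shows the posted list and the one-line list are indistinguishable for every protocol, and that with the list bound only to the outside interface every client protocol is still permitted out; restricting outbound requires a list on the interface the client traffic enters. Because the model has no connection table, it says nothing about which return packets the firewall would let back in for established sessions.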


<nicough@gmail.com> wrote in message 
news:1163832540.380667.264290@e3g2000cwe.googlegroups.com...
> My current config has NO access-lists or access-groups.
> Client machines have no internet  - expected.
>
> If I add the following lines......
> access-list INBOUND permit icmp any any
> access-list INBOUND deny tcp any any
> access-list INBOUND deny ip any any
> access-group INBOUND in interface outside
>
> .... then my client machines suddenly have icmp out (expected), but
> they also have http/dns/smtp (ie ALL) out.
>
> What access rules can I add, so that clients have icmp out, but nothing
> else?
>
> Thanks
> Nick
>
The statement above would allow ICMP return from the inside, but you also 
have a DENY statement that would block anything from coming in, especially 
in the order you have stated (remove "access-list INBOUND deny tcp any any" 
as it is redundant). I would say that something significant in your 
config that you have not posted is causing Internet access for the client 
machine.

You would need to post your config up here so we can take a better look.
0
Reply Rohan 11/18/2006 3:44:24 PM

2 Replies
253 Views
