Controlling Traffic Going Out


We have been talking about controlling traffic coming into the firewall initiated from the outside. But the PIX can also control traffic heading toward the outside interface. To accomplish this, ACLs or outbound filter commands need to be placed on the higher security interfaces to permit or deny outbound traffic through that interface.

Using ACLs Going Out

Access control lists are the preferred method used by Cisco to control traffic flowing into the PIX. However, you cannot use ACLs on interfaces in the outbound direction as you can on IOS routers. Therefore, if you need to control traffic leaving the outside interface, you must attach the access list to the inside inbound interface, thus blocking the traffic before it gets to the outbound interface.

For example, if you wanted to prevent Jack's computer from reaching the Web site at 169.254.39.39, you would use the commands shown in Listing 6.9.

Listing 6.9 Blocking a Single Destination
 Pixfirewall(config)# Access-list stop-jack deny IP host 192.168.1.11 host 169.254.39.39
 Pixfirewall(config)# Access-list stop-jack permit IP any any
 Pixfirewall(config)#
 Pixfirewall(config)# Access-group stop-jack in interface inside
 Pixfirewall(config)#
 Pixfirewall(config)# Clear xlate

To prevent the whole 192.168.8.0 subnet from sending traffic out through the PIX, the commands in Listing 6.10 could be used.

Listing 6.10 Blocking a Subnet
 Pixfirewall(config)# Access-list stop-Sub deny IP 192.168.8.0 255.255.255.0 any
 Pixfirewall(config)# Access-list stop-Sub permit IP any any
 Pixfirewall(config)#
 Pixfirewall(config)# Access-group stop-Sub in interface inside
 Pixfirewall(config)#
 Pixfirewall(config)# Clear xlate

Use access lists on the inside interface to prevent traffic from traveling across the PIX in the outbound direction.


Filtering Outbound Traffic

The outbound command is an older command that can be used to control traffic from higher security level interfaces to lower security level interfaces. The command is similar to the conduit command, but in the opposite direction. Also similar to the conduit command, it's being replaced by the access-list command. We will list the command only once here just to cover its basics. More information about this old command can be found at Cisco's Web site (www.cisco.com).

These two steps are required to set up an outbound command:

  1. Create the outbound filter.

  2. Attach the outbound filter to an interface.

The outbound Command

The command used to create these filters is explained in Table 6.7. Its syntax is as follows:

 Pixfirewall(config)# [no] outbound <outbound_id> permit|deny|except IP_address [<mask> [port[-port]] [<protocol>]]
Table 6.7. outbound Command Options

Option               Function
outbound_id          The number that identifies the outbound filter
permit|deny|except   Permits, denies, or makes an exception
ip_address           The internal source address or the destination address that you want to block
port protocol        The port and the protocol

The apply Command

The second part of the outbound filter is the apply command, which attaches it to an interface. The following is the apply command's syntax:

 Pixfirewall(config)# [no] apply [(<if_name>)] <outbound_id> outgoing_src|outgoing_dest

Table 6.8 displays all the options for the apply command.

Table 6.8. apply Command Options

Option          Function
if_name         Name of the interface to which you want to attach the outbound ID
outbound_id     The ID number used to identify an outbound list
outgoing_src    States that the addresses in the outbound command are the internal source addresses that will be denied or permitted
outgoing_dest   States that the addresses in the outbound command are destination addresses that will be denied or permitted

Outbound Filter Example

In Listing 6.11, hosts 192.168.1.11 and 192.168.1.12 are allowed to pass, but all other outbound traffic is denied.

Listing 6.11 apply and outbound Example
 Pixfirewall(config)# outbound 1 deny 0.0.0.0 0.0.0.0 0 0
 Pixfirewall(config)# outbound 1 permit 192.168.1.11 255.255.255.255 0 0
 Pixfirewall(config)# outbound 1 permit 192.168.1.12 255.255.255.255 0 0
 Pixfirewall(config)# apply (inside) 1 outgoing_src

Note that the outbound command does not preserve the order in which you entered the entries, as an ACL does; it reorders them itself. This makes it hard to get used to, and it takes careful planning before you use it.
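As an added example (not from the book), the following Python script models how the PIX evaluates an access list applied inbound on the inside interface, as in Listings 6.9 and 6.10: entries are checked in the order entered, the first match wins, and unmatched traffic hits the implicit deny. It also shows a constructed ACL ("only-two", a name assumed here) that does the job of the outbound filter in Listing 6.11 without the reordering behaviour just described.

```python
import ipaddress

# Added example, not from the book: how the PIX evaluates an access-list applied
# "in" on the inside interface. Entries are checked in the order entered, the first
# match decides, and traffic matching no entry hits the implicit deny at the end.
# Only the "access-list NAME permit|deny ip SRC DST" form used in the chapter is parsed.

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK'."""
    if tokens[0].lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0].lower() == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(config_lines, name):
    """Return the entries of access-list NAME in the order they were entered."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if tokens and tokens[0].endswith("#"):  # drop the "Pixfirewall(config)#" prompt
            tokens = tokens[1:]
        if len(tokens) < 5 or tokens[0].lower() != "access-list" or tokens[1] != name:
            continue
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((tokens[2].lower(), tokens[3].lower(), src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, src, dst in entries:
        if proto == "ip" and s in src and d in dst:
            return action
    return "deny"

# Listings 6.9 and 6.10 exactly as entered in the chapter.
STOP_JACK = parse_acl([
    "Pixfirewall(config)# Access-list stop-jack deny IP host 192.168.1.11 host 169.254.39.39",
    "Pixfirewall(config)# Access-list stop-jack permit IP any any"], "stop-jack")
STOP_SUB = parse_acl([
    "Pixfirewall(config)# Access-list stop-Sub deny IP 192.168.8.0 255.255.255.0 any",
    "Pixfirewall(config)# Access-list stop-Sub permit IP any any"], "stop-Sub")
# Constructed ACL equivalent of the outbound filter in Listing 6.11: permit the two
# hosts and let the implicit deny drop everything else (no "permit ip any any").
ONLY_TWO = parse_acl([
    "access-list only-two permit ip host 192.168.1.11 any",
    "access-list only-two permit ip host 192.168.1.12 any"], "only-two")
```

Reversing the two entries of stop-jack shows why order matters in an ACL: with "permit IP any any" first, the deny entry is never reached and Jack gets through.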



CCSP CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
