We have been talking about controlling traffic coming into the firewall initiated from the outside. But the PIX can also control traffic heading toward the outside interface. To accomplish this, ACLs or outbound filter commands need to be placed on the higher security interfaces to permit or deny outbound traffic through that interface.
Using ACLs Going Out
Access control lists are the preferred method used by Cisco to control traffic flowing into the PIX. However, you cannot use ACLs on interfaces in the outbound direction as you can on IOS routers. Therefore, if you need to control traffic leaving the outside interface, you must attach the access list to the inside inbound interface, thus blocking the traffic before it gets to the outbound interface.
For example, if you wanted to prevent Jack's computer from reaching the Web site of 169.254.39.39, you would use the commands shown in Listing 6.9.
Listing 6.9 Blocking a Single Destination
Pixfirewall(config)# Access-list stop-jack deny IP host 192.168.1.11 host 169.254.39.39 Pixfirewall(config)# Access-list stop-jack permit IP any any Pixfirewall(config)# Pixfirewall(config)# Access-group stop-jack in interface inside Pixfirewall(config)# Pixfirewall(config)# Clear xlate
To prevent a whole subnet of 192.168.8.0 from accessing the PIX, the commands is Listing 6.10 could be used.
Listing 6.10 Blocking a Subnet
Pixfirewall(config)# Access-list stop-Sub deny IP 192.168.8.0 255.255.255.0 any Pixfirewall(config)# Access-list stop-Sub permit IP any any Pixfirewall(config)# Pixfirewall(config)# Access-group stop-Sub in interface inside Pixfirewall(config)# Pixfirewall(config)# Clear xlate
Filtering Outbound Traffic
The outbound command is an older command that can be used to control traffic from higher security level interfaces to lower security level interfaces. The command is similar to the conduit command, but in the opposite direction. Also similar to the conduit command, it's being replaced by the access-list command. We will list the command only once here just to cover its basics. More information about this old command can be found at Cisco's Web site (www.cisco.com).
These two steps are required to set up an outbound command:
The outbound Command
The command used to create these filters is explained in Table 6.7. Its syntax is as follows :
Pixfirewall(config)# [no] outbound <outbound_id> permitdenyexcept IP_address [<mask> [port[-port]] [<protocol>]]
Table 6.7. outbound Command Options
The apply Command
The second part of the outbound filter is the apply command, which attaches it to an interface. The following is the apply command's syntax:
Pixfirewall(config)# [no] apply [(<if_name>)] <outbound_id> outgoing_srcoutgoing_dest
The Table 6.8 displays all the options for the apply command.
Table 6.8. apply Command Options
Outbound Filter Example
In Listing 6.11, address 192.168.1.11 and address 192.168.1.12 are allowed to pass but all other outbound traffic is denied.
Listing 6.11 apply and outbound Example
Pixfirewall(config)# outbound 1 deny 0.0.0.0 0.0.0.0 0 0 Pixfirewall(config)# outbound 1 permit 192.168.1.11 255.255.255.255 0 0 Pixfirewall(config)# outbound 1 permit 192.168.1.12 255.255.255.255 0 0 apply (inside) 1 outgoing_src_
Note the outbound command doesn't follow the order in which you entered the commands as the ACL does; it actually reorders the entries. This makes it very difficult to get used to and takes proper planning before you use it.