outbound


Create an access list for controlling Internet use. (Configuration mode.)

outbound list_ID permit | deny ip_address [netmask [port[-port]]] [protocol]

outbound list_ID except ip_address [netmask [port[-port]]] [protocol]

clear outbound

no outbound [list_ID permit | deny ip_address [netmask [port[-port]]] [protocol]]

no outbound [list_ID except ip_address [netmask [port[-port]]] [protocol]]

show outbound

apply [(if_name)] list_ID outgoing_src | outgoing_dest

clear apply

no apply [[(if_name)] list_ID outgoing_src | outgoing_dest]

show apply [(if_name)] [list_ID outgoing_src | outgoing_dest]


Syntax Description

outbound The outbound command, in conjunction with the apply command, uses access lists to control a filtering function on outgoing packets from the firewall. The filters can be based on the source IP address, the destination IP address, and the destination port/protocol as specified by the rules.

The use of an outbound command requires use of the apply command. The apply command allows you to specify whether the access control list applies to inside users' ability to start outbound connections with the apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.

For more information, see "Outbound List Rules" and the access-list command. The outbound command has been superseded by the access-list command.

list_ID A tag number for the access list. The access list number you use must be the same for the apply and outbound commands. This value must be a positive number from 1 to 1599. This number can be the same as what you use with the nat and global commands. This number is just an arbitrary number that groups outbound command statements to an apply command statement. List_IDs are processed sequentially in ascending numerical order (list_ID 10 before list_ID 20).
no outbound Removes a single outbound command statement from the configuration.
clear outbound Removes all outbound command statements from the configuration.
show outbound Displays the outbound command statements in the configuration.
permit Allow the access list to access the specified IP address and port.
deny Deny the access list access to the specified IP address and port.
except Create an exception to a previous outbound command. An except command statement applies to permit or deny command statements only with the same access list ID.

When used with apply outgoing_src, the IP address of an except command statement applies to the destination address.

When used with apply outgoing_dest, the IP address of an except command statement applies to the source address.

ip_address The IP address for this access list entry. Do not specify a range of addresses. The 0.0.0.0 ip_address can be abbreviated as 0.
netmask The network mask for comparing with the IP address; 255.255.255.0 causes the access list to apply to an entire Class C address. 0.0.0.0 indicates all access. The 0.0.0.0 netmask can be abbreviated as 0.
port A port or range of ports that the access list is permitted or denied access to.
protocol Limit outbound access to udp, tcp, or icmp protocols. If a protocol is not specified, the default is tcp.
if_name The network interface originating the connection.
outgoing_src Deny or permit an internal IP address the ability to start outbound connections using the service(s) specified in the outbound command.
outgoing_dest Deny or permit access to an external IP address using the service(s) specified in the outbound command.
apply Specifies whether the access control list applies to inside users' ability to start outbound connections with apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.
no apply Removes a single apply command statement from the configuration.
clear apply Removes all the apply command statements from the configuration.
show apply Displays the apply command statements in the configuration.


Usage Guidelines

The outbound command creates an access list that allows you to specify the following:

  1. Whether inside users can create outbound connections
  2. Whether inside users can access specific outside servers
  3. What services inside users can use for outbound connections and for accessing outside servers
  4. Whether outbound connections can execute Java applets on the inside network

Outbound lists are filters on outgoing packets from the firewall. The filter can be based on the source IP address, the destination IP address, and the destination port/protocol as specified by the rules. The use of an outbound command requires use of the apply command. The apply command allows you to specify whether the access control list applies to inside users' ability to start outbound connections with apply command's outgoing_src option, or whether the access list applies to inside users' ability to access servers on the outside network with the apply command's outgoing_dest option.

The outbound command has been superseded by the access-list command. We recommend that you migrate the outbound command statements to access-list command statements to maintain future compatibility.

After adding, removing, or changing outbound command statements, use the clear xlate command.

Use the no outbound command to remove a single outbound command statement from the configuration. Use the clear outbound command to remove all outbound command statements from the configuration. The show outbound command displays the outbound command statements in the configuration.

Use the no apply command to remove a single apply command statement from the configuration. Use the clear apply command statement to remove all the apply command statements from the configuration. The show apply command displays the apply command statements in the configuration.


Outbound List Rules

Rules, written as outbound list_ID command statements, are global to the firewall; they are activated by apply list_ID outgoing_src | outgoing_dest command statements. When applied with outgoing_src, the source IP address, the destination port, and the protocol are filtered. When applied with outgoing_dest, the destination IP address, port, and protocol are filtered.

The outgoing_src and outgoing_dest outbound lists are filtered independently. If any one of the filters contains the deny option, the outbound packet is denied. When multiple rules match the same packet, the best matched rule takes effect. The best match is based on the IP address mask and the port range check: stricter IP address masks and smaller port ranges are considered a better match. If there is a tie, a permit option overrides a deny option.

Rules are grouped by a list_ID. Within each list_ID, except rules (that is, outbound n except) can be set. The except option reverses the best matched rule of deny or permit. In addition, the firewall matches the IP address and mask of an except rule against the destination IP address of the outbound packet if the list is applied with outgoing_src, or against the source IP address if the list is applied with outgoing_dest. Furthermore, except rules only apply to rules with the same list_ID. A single except rule within a list_ID without another permit or deny rule has no effect. If multiple except rules are set, the best match determines which except applies.

The outbound command rules are now sorted by the best match checking. Use the show outbound command to see how the best match is judged by the firewall.

If outbound commands are not specified, the default behavior is to permit all outbound traffic and services from inside hosts.

After adding, changing, or removing an outbound and apply command statement group, use the clear xlate command to make the IP addresses available in the translation table.

The outbound commands are processed linearly within a list_ID, and list_IDs are processed sequentially in ascending numerical order. For example, the first command statement you specify in an outbound list is processed first, then the next outbound command statement in that list, and so on. Similarly, list_ID 10 is processed before list_ID 20, and so on.

When using outbound commands, it is often helpful to deny or permit access to the many before you deny or permit access to the specific. Start with an interface-wide specification such as the following command that denies all hosts from starting connections.


outbound 1 deny 0 0 0
apply (inside) 1 outgoing_src

Then add command statements that permit or deny hosts access to specific ports, for example:


outbound 1 deny 0 0 0
outbound 1 permit 10.1.1.1 255.255.255.255 23 tcp
outbound 1 permit 10.1.1.1 255.255.255.255 80 tcp
apply (inside) 1 outgoing_src

You could state this same example as follows with the except option.


outbound 1 deny 0 0 0
outbound 1 except 209.165.201.11 255.255.255.255 23 tcp
outbound 1 except 209.165.201.11 255.255.255.255 80 tcp
apply (inside) 1 outgoing_src

In the preceding outbound except command statement, IP address 209.165.201.11 is the destination IP address, not the source address. This means that everyone is denied outbound access, except those users going to 209.165.201.11 via Telnet (port 23) or HTTP (port 80).

If you permit access to port 80 (http), this also permits Java applets to be downloaded. You must have a specific deny command statement to block Java applets.

The maximum number of outbound list entries in a configuration is 1599.

Outbound lists have no effect on access-list command statement groups.

The use of the access-group command statement overrides the conduit and outbound command statements for the specified interface name.


Examples

Set inside hosts so that they can only see and telnet to perimeter hosts.

outbound 9 deny 0.0.0.0 0.0.0.0 0 0
outbound 9 except 209.165.201.0 255.255.255.224 23 tcp

Set inside hosts so that they can do DNS lookups.


outbound 9 except 0.0.0.0 0.0.0.0 53 udp

The next outbound group in this same example lets hosts 10.1.1.11 and 10.1.1.12 go anywhere:

outbound 11 deny 0.0.0.0 0.0.0.0 0 0
outbound 11 permit 10.1.1.11 255.255.255.255 0 0
outbound 11 permit 10.1.1.12 255.255.255.255 0 0
outbound 11 permit 0.0.0.0 0.0.0.0 21 tcp
outbound 11 permit 10.3.3.3 255.255.255.255 143 tcp

This last outbound group in this same example lets hosts on the perimeter only access TCP ports 389 and 30303 and UDP port 53 (DNS). Finally, the apply command statements set the outbound groups so that the permit and deny rules affect access to all external addresses.


outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp

apply (inside) 9 outgoing_src
apply (inside) 11 outgoing_src
apply (perim) 13 outgoing_src

The following example prevents all inside hosts from starting outbound connections:

outbound 1 deny 0 0 0
apply (inside) 1 outgoing_src

The 0 0 0 at the end of the command means all IP addresses (0 is the same as 0.0.0.0), with a 0.0.0.0 subnet mask and for all services (port value is zero). No protocol is given, so the default protocol, tcp, applies (see the protocol description above); the lists in the Examples section supply a fourth value in the protocol position explicitly.

Conversely, the following example permits all inside hosts to start connections to the outside (this is the default if an access list is not created):


outbound 1 permit 0 0 0
apply (inside) 1 outgoing_src

Controlling Inside Hosts' Access to Outbound Services

The following example prevents inside host 192.168.1.49 from accessing the World Wide Web (port 80):


outbound 11 deny 192.168.1.49 255.255.255.255 80 tcp
apply (inside) 11 outgoing_src

Controlling Inside Hosts' Access to Outside Servers

If the employees are spending too much time examining GIF images on a particular website with two web servers, you can use the following example to restrict this access:


outbound 12 deny 192.168.146.201 255.255.255.255 80 tcp
outbound 12 deny 192.168.146.202 255.255.255.255 80 tcp
apply (inside) 12 outgoing_dest

Using except Command Statements

An except command statement only provides exception to items with the same list_ID. Consider the following example.


outbound 9 deny 0.0.0.0 0.0.0.0 0 0
outbound 9 except 10.100.0.0 255.255.0.0 23 tcp
outbound 9 except 0.0.0.0 0.0.0.0 53 udp
outbound 11 deny 0.0.0.0 0.0.0.0 0 0
outbound 11 permit 10.1.1.11 255.255.255.255 0 0
outbound 11 permit 10.1.1.12 255.255.255.255 0 0
outbound 11 permit 0.0.0.0 0.0.0.0 21 tcp
outbound 11 permit 10.3.3.3 255.255.255.255 143 tcp
outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp

In the preceding examples, the following two command statements work against other command statements in list 9 but not in lists 11 and 13:

outbound 9 except 10.100.0.0 255.255.0.0 23 tcp
outbound 9 except 0.0.0.0 0.0.0.0 53 udp

In the following example, the set of deny, permit, and except command statements denies everybody from connecting to external hosts over TCP, except for DNS queries and Telnet connections to hosts on 10.100.0.0. The host with IP address 10.1.1.11 is permitted outbound access; because the except statements reverse the best matched rule for that host as well, 10.1.1.11 can reach everywhere except 10.100.0.0 via Telnet and except DNS anywhere.


outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 1 permit 10.1.1.11 255.255.255.255 0 tcp
outbound 1 except 10.100.0.0 255.255.0.0 23 tcp
outbound 1 except 0.0.0.0 0.0.0.0 53 udp
apply (inside) 1 outgoing_src
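As an added example, not part of the Cisco reference and not PIX code, the following Python model implements the evaluation rules stated under "Outbound List Rules" (best match by stricter mask, then smaller port range, permit wins a tie, except reverses the best matched rule of the same list_ID and is matched against the other address, any applied list that denies wins) and runs them over the list 1 statements from this section together with the outgoing_dest list 12 from "Controlling Inside Hosts' Access to Outside Servers". It lets you check what verdict a given packet would get before committing a list. The names (OutboundFilter, parse_outbound, EXAMPLE_CONFIG) are this example's own, and the behaviour where the page is silent (a list with no matching rule, a 0 in the protocol position, an omitted netmask or interface name) is an assumption, marked as such in the code.

```python
"""Added example: a Python model of PIX outbound/apply list evaluation.
Implements the rules stated on this page; lines marked ASSUMPTION cover
cases the page does not specify.  Not PIX code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                    # "permit", "deny" or "except"
    net: ipaddress.IPv4Network     # ip_address + netmask
    ports: Tuple[int, int]         # inclusive range; (0, 65535) = all services
    proto: str                     # "tcp", "udp", "icmp" or "any"


def _addr(tok: str) -> str:
    return "0.0.0.0" if tok == "0" else tok      # the page allows 0 for 0.0.0.0


def parse_outbound(line: str) -> Tuple[int, Rule]:
    """outbound list_ID permit|deny|except ip_address [netmask [port[-port]]] [protocol]"""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "outbound" or tok[2] not in ("permit", "deny", "except"):
        raise ValueError(f"not an outbound statement: {line!r}")
    mask = _addr(tok[4]) if len(tok) > 4 else "255.255.255.255"   # ASSUMPTION: host mask if omitted
    port = tok[5] if len(tok) > 5 else "0"                         # page: port 0 = all services
    proto = tok[6] if len(tok) > 6 else "tcp"                      # page: default protocol is tcp
    lo, _, hi = port.partition("-")
    ports = (0, 65535) if lo == "0" else (int(lo), int(hi or lo))
    if proto == "0":
        proto = "any"   # ASSUMPTION: a 0 in the protocol position (as in the Examples) means any protocol
    net = ipaddress.IPv4Network((_addr(tok[3]), mask), strict=False)
    return int(tok[1]), Rule(tok[2], net, ports, proto)


def parse_apply(line: str) -> Tuple[str, int, str]:
    """apply [(if_name)] list_ID outgoing_src|outgoing_dest"""
    tok = line.split()[1:]
    if_name = "inside"                   # ASSUMPTION: interface used when (if_name) is omitted
    if tok and tok[0].startswith("("):
        if_name = tok.pop(0).strip("()")
    if len(tok) != 2 or tok[1] not in ("outgoing_src", "outgoing_dest"):
        raise ValueError(f"not an apply statement: {line!r}")
    return if_name, int(tok[0]), tok[1]


def best_match(rules: List[Rule], addr: ipaddress.IPv4Address, dport: int, proto: str) -> Optional[Rule]:
    hits = [r for r in rules if addr in r.net and r.ports[0] <= dport <= r.ports[1]
            and r.proto in ("any", proto)]
    if not hits:
        return None
    # stricter mask first, then smaller port range; on a tie permit beats deny
    return min(hits, key=lambda r: (-r.net.prefixlen, r.ports[1] - r.ports[0], r.action != "permit"))


def evaluate_list(rules, direction, src, dst, dport, proto) -> str:
    # outgoing_src: rule address = source, except address = destination;
    # outgoing_dest: the other way round (both stated on the page).
    rule_addr, exc_addr = (src, dst) if direction == "outgoing_src" else (dst, src)
    base = best_match([r for r in rules if r.action != "except"], rule_addr, dport, proto)
    if base is None:
        return "permit"          # ASSUMPTION: a list with no matching rule does not filter the packet
    verdict = base.action
    if best_match([r for r in rules if r.action == "except"], exc_addr, dport, proto):
        verdict = "deny" if verdict == "permit" else "permit"   # except reverses the best match
    return verdict


class OutboundFilter:
    def __init__(self, config: str):
        self.lists: Dict[int, List[Rule]] = {}
        self.applied: List[Tuple[str, int, str]] = []
        for raw in config.strip().splitlines():
            line = raw.strip()
            if line.startswith("outbound "):
                lid, rule = parse_outbound(line)
                self.lists.setdefault(lid, []).append(rule)
            elif line.startswith("apply "):
                self.applied.append(parse_apply(line))

    def check(self, if_name: str, src: str, dst: str, dport: int, proto: str = "tcp") -> str:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        verdicts = [evaluate_list(self.lists.get(lid, []), direction, s, d, dport, proto)
                    for ifn, lid, direction in self.applied if ifn == if_name]
        # page: if any one of the applied filters denies, the packet is denied
        return "deny" if "deny" in verdicts else "permit"


# Constructed config: the page's list 1 (outgoing_src, with except) and list 12 (outgoing_dest).
EXAMPLE_CONFIG = """
outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 1 permit 10.1.1.11 255.255.255.255 0 tcp
outbound 1 except 10.100.0.0 255.255.0.0 23 tcp
outbound 1 except 0.0.0.0 0.0.0.0 53 udp
apply (inside) 1 outgoing_src
outbound 12 deny 192.168.146.201 255.255.255.255 80 tcp
outbound 12 deny 192.168.146.202 255.255.255.255 80 tcp
apply (inside) 12 outgoing_dest
"""

if __name__ == "__main__":
    fw = OutboundFilter(EXAMPLE_CONFIG)
    for src, dst, port in [("10.1.1.50", "198.51.100.7", 80), ("10.1.1.50", "10.100.3.4", 23),
                           ("10.1.1.11", "10.100.3.4", 23), ("10.1.1.11", "192.168.146.201", 80)]:
        print(f"{src} -> {dst}:{port}/tcp  {fw.check('inside', src, dst, port)}")
```

Run as a script, it prints deny, permit, deny, deny for the four packets: an ordinary inside host is denied TCP but excepted for Telnet to 10.100.0.0; 10.1.1.11 is denied the same Telnet because the except reverses that host's permit, which is the behaviour the paragraph above describes; and 10.1.1.11 to 192.168.146.201:80 is denied by the outgoing_dest list even though the outgoing_src list permits it. Note that because list 1's deny names tcp explicitly, a UDP packet matches no permit or deny rule in it, so under this model's stated assumption it is permitted whether or not the DNS except is present.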