PIX 525 Block HTTP Access to Certain Subnets

Unanswered Question
Feb 16th, 2009

I am having trouble blocking HTTP/HTTPS access to just certain subnets within my network. The following is what I have tried and it doesn't seem to work.

access-list acl_insideint permit tcp object-group Servers object-group WebProtocols any
access-list acl_insideint deny tcp any object-group WebProtocols any
access-list acl_insideint permit ip any any

The Servers group contains the following:

object-group network Servers
 description All subnets that contain servers
 network-object 172.20.1.0 255.255.255.0
 network-object 172.24.0.0 255.255.0.0
 network-object 172.22.0.0 255.255.0.0
 network-object 172.23.7.0 255.255.255.0
 network-object 172.27.1.0 255.255.255.0
 network-object 172.26.0.0 255.255.0.0
 network-object 172.20.40.0 255.255.255.0


The Web Ports group contains just HTTP and HTTPS.


I put these rules in and then try to browse from 172.20.45.60 and browsing still works...


eddie.mitchell@... Mon, 02/16/2009 - 06:10

The 'WebProtocols' group is your service group? If so, you have specified it in the destination address portion of the ACE instead of the destination services portion. I believe the ACLs should read:

access-list acl_insideint permit tcp object-group Servers any object-group WebProtocols
access-list acl_insideint deny tcp any any object-group WebProtocols


I would also strongly recommend removal/revision of the permit ip any any statement at the bottom of the ACL.


Hope this helps.

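To see why the corrected ordering (source, destination, then service group) produces the intended result, here is a small first-match ACL evaluator written for this thread; it is an added example, not the poster's configuration or anything from Cisco. It models only the three corrected ACEs plus the PIX implicit deny, treats the 'WebProtocols' group as ports 80 and 443, and uses a made-up destination address (198.51.100.10) and a hypothetical function name `evaluate` to show which hosts are blocked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copy of the poster's "Servers" network object-group, as CIDR prefixes.
SERVERS = [ipaddress.ip_network(n) for n in (
    "172.20.1.0/24", "172.24.0.0/16", "172.22.0.0/16", "172.23.7.0/24",
    "172.27.1.0/24", "172.26.0.0/16", "172.20.40.0/24",
)]

# Assumption: the 'WebProtocols' service group holds just http and https.
WEB_PROTOCOLS = {80, 443}


@dataclass
class Ace:
    """One access-list entry: action, protocol, source nets, destination nets,
    destination ports. None in a field means 'any'."""
    action: str
    proto: str
    src: Optional[list]
    dst: Optional[list]
    dst_ports: Optional[set]


def in_servers(ip: str) -> bool:
    """True when the address falls inside any subnet of the Servers group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVERS)


def _match_net(nets, addr) -> bool:
    return nets is None or any(addr in n for n in nets)


def evaluate(acl, proto: str, src_ip: str, dst_ip: str, dst_port=None) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _match_net(ace.src, src) or not _match_net(ace.dst, dst):
            continue
        if ace.dst_ports is not None and dst_port not in ace.dst_ports:
            continue
        return ace.action
    return "deny"


# The ACL as corrected in the reply: the service group sits in the
# destination-service slot, after the destination address.
CORRECTED_ACL = [
    Ace("permit", "tcp", SERVERS, None, WEB_PROTOCOLS),   # servers may browse
    Ace("deny",   "tcp", None,    None, WEB_PROTOCOLS),   # everyone else: no web
    Ace("permit", "ip",  None,    None, None),            # everything else open
]

if __name__ == "__main__":
    # 172.20.45.60 is outside 172.20.40.0/24, so it is not a "server" host.
    print("172.20.45.60 in Servers:", in_servers("172.20.45.60"))
    for src, port in (("172.20.40.5", 80), ("172.20.45.60", 443), ("172.20.45.60", 22)):
        print(src, port, evaluate(CORRECTED_ACL, "tcp", src, "198.51.100.10", port))
```

Running it shows the host from the question (172.20.45.60) denied on 80 and 443 but still permitted on any other port, which is the effect of the trailing `permit ip any any` that the reply suggests revisiting.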