PIX 525 Block HTTP Access to Certain Subnets

Unanswered Question
Feb 16th, 2009

I am having trouble blocking HTTP/HTTPS access to just certain subnets within my network. The following is what I have tried and it doesn't seem to work.


access-list acl_insideint permit tcp object-group Servers object-group WebProtocols any
access-list acl_insideint deny tcp any object-group WebProtocols any
access-list acl_insideint permit ip any any


The Servers group contains the following:

object-group network Servers
description All subnets that contain servers
network-object 172.20.1.0 255.255.255.0
network-object 172.24.0.0 255.255.0.0
network-object 172.22.0.0 255.255.0.0
network-object 172.23.7.0 255.255.255.0
network-object 172.27.1.0 255.255.255.0
network-object 172.26.0.0 255.255.0.0
network-object 172.20.40.0 255.255.255.0


The Web Ports group contains just HTTP and HTTPS.


I put these rules in and then try to browse with 172.20.45.60 and browsing still works....



eddie.mitchell@... Mon, 02/16/2009 - 06:10

Is the 'WebProtocols' group your service group? If so, you have specified it in the destination address portion of the ACE instead of the destination services portion. I believe the ACLs should read:


access-list acl_insideint permit tcp object-group Servers any object-group WebProtocols
access-list acl_insideint deny tcp any any object-group WebProtocols



I would also strongly recommend removal/revision of the permit ip any any statement at the bottom of the ACL.


Hope this helps.
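A quick way to sanity-check the corrected ACL before pushing it to the PIX is to model its first-match logic offline. The following is an added Python example, not code from the thread or from Cisco; the object groups and the three ACEs are taken from the thread as corrected in the reply, while the test flows and the destination address 198.51.100.10 are constructed.

```python
import ipaddress

# Object-group network Servers, as listed in the question.
SERVERS = [ipaddress.ip_network(n) for n in (
    "172.20.1.0/24", "172.24.0.0/16", "172.22.0.0/16", "172.23.7.0/24",
    "172.27.1.0/24", "172.26.0.0/16", "172.20.40.0/24")]
# Object-group service WebProtocols: HTTP and HTTPS over TCP.
WEB_PROTOCOLS = {("tcp", 80), ("tcp", 443)}

# Each ACE is (action, protocol, source nets, destination nets, services).
# None stands for "any". PIX evaluates ACEs top-down, first match wins.
ACL_INSIDE = [
    ("permit", "tcp", SERVERS, None, WEB_PROTOCOLS),  # server subnets may browse
    ("deny",   "tcp", None,    None, WEB_PROTOCOLS),  # everyone else: no web
    ("permit", "ip",  None,    None, None),           # all other traffic allowed
]

def _addr_matches(nets, addr):
    """True when nets is 'any' or addr falls inside one of the networks."""
    return nets is None or any(ipaddress.ip_address(addr) in n for n in nets)

def evaluate(acl, proto, src, dst, dport):
    """Return (action, ACE index) of the first ACE matching the flow.
    Falls through to the implicit deny when nothing matches."""
    for i, (action, ace_proto, srcs, dsts, svc) in enumerate(acl):
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if not _addr_matches(srcs, src) or not _addr_matches(dsts, dst):
            continue
        if svc is not None and (proto, dport) not in svc:
            continue
        return action, i
    return "deny", None  # implicit deny at the end of every PIX ACL

if __name__ == "__main__":
    # Constructed flows: the host from the question, a server, and non-web traffic.
    for flow in (("tcp", "172.20.45.60", "198.51.100.10", 80),
                 ("tcp", "172.20.1.10", "198.51.100.10", 443),
                 ("tcp", "172.20.45.60", "198.51.100.10", 22)):
        print(flow, "->", evaluate(ACL_INSIDE, *flow))
```

Note that 172.20.45.60 is not inside 172.20.40.0/24, so it hits the deny ACE for web ports while its non-web traffic still passes the final permit.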
