Sorry to sound elementary but I am using pix "classic" and want to block all incoming traffic using port 4444. The IOS ver is old 5.2(6) which uses conduit statements and not ACLs. Can I use a command such as conduit deny ip port 4444 any any? Thanks in advance. I wanted to block this port to stop the Blaster worm from proliferating. Again, Thanks.
You can use access-lists on 5.2(6). It is not recommended to use them with conduits on the same interface, but I prefer using ACLs to the "outbound" command.
Note that you cannot use port with "ip" - ip has no port nomenclature - tcp and udp do, but icmp and esp don't.
access-list outbound deny tcp any any eq 4444
access-list outbound deny udp any any eq 4444
access-list outbound permit ip any any
There is your acl - 2 commands that block all tcp and udp outbound to port 4444, and a 3rd command that permits everything else
access-group outbound in interface inside
Applies the "outbound" acl we just created to the inside direction of the inside interface - remember, this means that the acl is processed on packets going "in" to the inside interface - into the pix, and going out, which is exactly what we seek
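As an added illustration that is not part of the thread, here is a small Python first-match evaluator for the three access-list lines above. It enforces the point made earlier that "eq <port>" is only meaningful for tcp and udp, and applies the implicit deny at the end of every ACL. The packet model and the restricted rule grammar (only "any any" and "eq <port>") are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp", or "icmp"
    dport: Optional[int] = None    # destination port, None for icmp

# Assumption: only the 'any' keyword and an optional 'eq <port>' are
# supported, which is all the rules quoted in the reply use.
RULE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+any\s+any(?:\s+eq\s+(?P<port>\d+))?$"
)

def parse_acl(lines: List[str]) -> List[Tuple[str, str, Optional[int]]]:
    """Turn PIX-style access-list lines into (action, proto, port) rules."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        port = m.group("port")
        if port is not None and m.group("proto") not in ("tcp", "udp"):
            # 'ip' and 'icmp' carry no port field, so 'eq' is invalid here
            raise ValueError(f"'eq' is only valid with tcp/udp: {line!r}")
        rules.append((m.group("action"), m.group("proto"),
                      int(port) if port else None))
    return rules

def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; an ACL with no match denies the packet."""
    for action, proto, port in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action
    return "deny"   # implicit deny at the end of every ACL

# The three lines from the reply, as constructed input
OUTBOUND_ACL = parse_acl([
    "access-list outbound deny tcp any any eq 4444",
    "access-list outbound deny udp any any eq 4444",
    "access-list outbound permit ip any any",
])

if __name__ == "__main__":
    print(evaluate(OUTBOUND_ACL, Packet("tcp", 4444)))   # deny
    print(evaluate(OUTBOUND_ACL, Packet("tcp", 80)))     # permit
```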
Thanks. I wanted to be sure that port was closed because reportedly the Blaster worm used that port. I do understand that it should be closed by default but I wanted to be certain by including a denial statement. Again, Thanks. I used the statement "conduit deny tcp any any eq 4444" instead of ACLs because the router uses conduit statements and I didn't want to mix them with ACLs. Do you see any possible issues with that?
With a properly configured firewall, setting up specific filters to prevent traffic to "listening ports" like 4444 is unnecessary. A properly configured firewall will have the list of Address/Port combinations defining what traffic is allowed in unsolicited from the outside - all unsolicited traffic not matching that list is dropped. (By "unsolicited" I mean packets that are not part of a data flow initiated from inside your network.) Since the IP address and listening port on the compromised machine will not be in the firewall's list, the exploit packets will not reach it.
If a PC in your network is compromised by a virus that initiates a session out to a hacker machine, it is unlikely that there will be a specific port to block to prevent traffic returning from the hacker. The initiating PC will be able to select randomly from thousands of port numbers for the one it will use to accept the return traffic. That's the normal way TCP and UDP work.
This seems to block the worm but it seems to have caused problems with my VPN. My VPN users can now connect to the network but they can't map any network drives or access anything on the network. Did I type something in wrong?
I am aware of that. Thank you. I needed assistance with blocking a single port with an older IOS using conduit statements. I did understand that the ports were not open unless explicitly given the right but thanks for the additional information.