Re: Blocking direct access to Internet via IP ranges

tanhs · ‎10-19-2006

Hi,

I would like do as per above-mentioned.

My network diagram as follow.

--DMZ--10.0.x.x

internet---PIX515--|

INSIDE

|

(PCs IP Ranges 172.24.66.xxx -

172.24.66.xxx

internal servers,

proxy=172.24.66.11

mail=172.24.66.10)

Currently the PCs are manually configured to the proxy. They users are able to by pass the proxy if they know the gateway and dns of the ISP.

In order to stop this, I would like to do the following:

1. Any of the PCs in the INSIDE have the IP address range from 172.24.65.xxx - 172.24.66.xxx to have any direct access to Internet, except for a few servers fixed IP, lets say, 172.24.66.10, 172.24.66.11 where dot 10 is mail server and dot 11 is proxy server.

All PCs should be allowed to access only via proxy server.

2. All INSIDE PCs are allowed to access to DMZ servers.

Thank you.

tanhs · ‎10-19-2006

This is my current configuration.

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security10

enable password ******* encrypted

passwd ******* encrypted

hostname ciscopix

domain-name testing.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 10.0.0.3 webserver

name 172.24.66.11 nmscsrv02

access-list acl_outside permit tcp any host 210.x.x.202 eq www

access-list acl_outside permit tcp any host 210.x.x.202 eq smtp

access-list acl_outside permit tcp 60.52.0.0 255.255.0.0 host 210.x.136.202 eq ssh

access-list acl_outside permit tcp host 220.255.66.217 host 210.x.136.202 eq 7763

access-list acl_dmz permit tcp host webserver host 172.x.66.10 eq imap4

access-list acl_dmz permit ip any any

access-list no_nat permit ip 172.24.66.0 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

logging timestamp

logging standby

logging console debugging

logging monitor debugging

logging trap warnings

logging facility 21

logging host inside webserver

no logging message 111005

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 210.90.136.202 255.255.255.252

ip address inside 172.24.66.224 255.255.252.0

ip address dmz 10.0.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.0 255.0.0.0 inside

pdm location 172.24.0.0 255.255.0.0 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 0 access-list no_nat

nat (inside) 1 172.24.0.0 255.255.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) tcp 210.90.136.202 www webserver www netmask 255.255.255.255 0 0

static (dmz,outside) tcp 210.90.136.202 smtp webserver smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 210.90.136.202 7763 172.24.66.19 ssh netmask 255.255.255.255 0 0

static (dmz,outside) tcp 210.90.136.202 ssh webserver ssh netmask 255.255.255.255 0 0

static (inside,outside) tcp 210.90.136.202 5900 nmscsrv02 5900 netmask 255.255.255.255 0 0

static (inside,outside) tcp 210.90.136.202 5905 172.24.66.21 5905 netmask 255.255.255.255 0 0

static (inside,outside) tcp 210.90.136.202 5906 172.24.66.100 5906 netmask 255.255.255.255 0 0

access-group acl_outside in interface outside

access-group acl_dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 210.90.136.201 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 172.24.66.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 172.24.0.0 255.255.0.0 inside

telnet 172.24.0.0 255.255.0.0 dmz

telnet timeout 60

ssh timeout 5

management-access inside

console timeout 0

terminal width 80

ethiel · ‎10-20-2006

Something like this should get you started. I added comments to describe each line. You can easily allow more hosts to talk to the Internet by copying the line for .10 or .11:

! Allow traffic from Inside to DMZ

access-list acl_inside permit ip 172.24.66.0 255.255.255.0 10.0.0.0 255.255.255.0

! Allow traffic from .10 to Internet

access-list acl_inside permit ip host 172.24.66.10 any

! Allow traffic from .11 to Internet

access-list acl_inside permit ip host 172.24.66.11 any

! All other traffic is denied automatically

! apply access-list to traffic on inside interface

access-group acl_inside in interface inside

-Eric

Please remember to rate all helpful posts.

tanhs · ‎11-01-2006

Tq Eric. I hv rated.

ken.morehouse · ‎10-24-2006

We had a similar configuration need here in that we needed to block all ip addresses, except those that have been registered and authorized. We get billed for all traffic, per ip address, on a monthly basis for off network traffic. We had users that would assign random ip addresses causing the usage billing to be skewed and not knowing where to redirect the bills to.

The simplest arrangement for us was to create a network object group containing ip addresses that are not authorized. We then added an ACE to the ACL for that network to deny all traffic for that object-group. We could have done the reverse and used the group for authorized addresses only, but this is the way we did it. Our ACE is placed at the very beginning of the ACL.