
blocking ip addresses and/or ports

ngross
Level 1

I want to be able to block my clients from any unwanted IP addresses and/or ports. I've tried using a "conduit deny" but it didn't work. Any ideas?

Hardware:

Pix 506

IOS:

Ver. 5.2

6 Replies

shabib.syed
Level 1

You can use the outbound and apply commands.

For example, to deny users access to this IP, 205.188.245.121, for HTTP:

outbound 12 deny 205.188.245.121 255.255.255.255 80 tcp

apply (inside) 12 outgoing_dest

smcgough
Level 1

I'm using version 6.1.3 - you can issue

pix(conf)# "shun 123.123.123.123"

This will deny that web address from reaching the user.

ddemers
Level 1

Here's an example that would only allow your clients to use HTTP and telnet:

access-l acl_in permit tcp any any eq www

access-l acl_in permit tcp any any eq telnet

access-g acl_in in interface inside

The implicit deny will block everything else. I don't recall which IOS version introduced access-list support, so you may have to upgrade. Hope this helps.

g.rodegari
Level 1

Hi,

You can configure access-lists instead of the conduits or, if you use firmware later than 6.0, you can use the shunning command.

Bye,

Graz.

ngross
Level 1

Thanks for all the input.

What I was trying to accomplish was to be able to shut down access to Morpheus and other internet-based applications on our network. It was getting to the point that bandwidth was at a minimum.

I ended up using the outbound and apply commands to do this, restricting all connections except some specific ports. The only thing is, I can see this possibly becoming a management nightmare in the future.

Thanks again

Hi,

For blocking Morpheus and other Kazaa applications you must deny access at the destination TCP port 1214.

regards,

graz.
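
As an added example, not part of any post above: a simplified Python model of first-match access-list evaluation with the implicit deny, comparing the allow-list posted in the thread with a constructed block-list that denies only TCP 1214. It models only `any any` rules with an optional `eq` port; the block-list, the helper names and the sample flows are constructed for illustration.

```python
# Added example: simplified first-match ACL model, not PIX code.
PORT_NAMES = {"www": 80, "telnet": 23}  # port keywords used in the thread

# Allow-list from the thread, with the abbreviated keywords written out.
ALLOW_LIST = """
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq telnet
"""

# Constructed block-list: deny only the port named in the last reply.
BLOCK_LIST = """
access-list acl_in deny tcp any any eq 1214
access-list acl_in permit ip any any
"""

def parse_acl(text):
    """Return (action, protocol, port) rules; port None matches any port."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        if tok[4:6] != ["any", "any"]:
            raise ValueError("only 'any any' rules are modelled: " + line)
        port = None
        if len(tok) > 6:
            if tok[6] != "eq":
                raise ValueError("only 'eq PORT' is modelled: " + line)
            port = PORT_NAMES[tok[7]] if tok[7] in PORT_NAMES else int(tok[7])
        rules.append((tok[2], tok[3], port))
    return rules

def evaluate(rules, proto, dport):
    """First matching rule wins; no match falls through to the implicit deny."""
    for action, r_proto, r_port in rules:
        if r_proto in ("ip", proto) and r_port in (None, dport):
            return action
    return "deny"

def compare(flows):
    """Return {flow: (allow_list_verdict, block_list_verdict)}."""
    allow, block = parse_acl(ALLOW_LIST), parse_acl(BLOCK_LIST)
    return {f: (evaluate(allow, *f), evaluate(block, *f)) for f in flows}

# Constructed sample flows: (protocol, destination port).
FLOWS = [("tcp", 80), ("tcp", 23), ("tcp", 1214), ("tcp", 5000), ("udp", 53)]

if __name__ == "__main__":
    for flow, (a, b) in compare(FLOWS).items():
        print(f"{flow[0]}/{flow[1]:<5} allow-list={a:<6} block-list={b}")
```

In this model the block-list stops only port 1214 and passes every other port, while the allow-list also drops flows such as UDP 53 until a rule permits them.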
