
New Member

Blocking Outbound Access to Specific Host

We have a PIX 515 and I've setup the following access-list:

access-list acl_in deny tcp any host x.x.x.x eq 80

access-list acl_in deny tcp any host x.x.x.x eq 443

access-list acl_in deny tcp any host x.x.x.x eq 25

access-list acl_in deny tcp any host x.x.x.x eq 110

and used access-group acl_in in interface inside

When I do this all outbound access is blocked. If I add the following line to the access-list, we can browse again, but access to the host is not blocked anymore:

access-list acl_in permit any any

I thought the access-list read in order until it finds a match, in which case this should work. Can anyone please shed some light on what I am not doing correctly?

TIA,

Alexi

11 REPLIES

Re: Blocking Outbound Access to Specific Host

Makes sense you couldn't browse any more, you applied the acl on your inside interface. So, you denied access from anyone ("any") on your inside to destination host x.x.x.x. But then you didn't allow access to anything else. Nothing was allowed through, no permit statements. Then you allowed everything (at the end of the acl I hope), and you can browse. Still makes sense, as users can now go out.

But why did the inside now have access to the host x.x.x.x? Can you put this statement in between the denies to host x.x.x.x and the permit any any:

access-list acl_in permit ip any host x.x.x.x log (keyword is log)

Then you can see who and what is accessing the host x.x.x.x (check your syslog or show log). Maybe DNS is involved (ie the IP of the host isn't what you expect - if you connect via IP, disregard that about DNS).

What do your statics, nat, global etc look like?

Let us know.

Steve

New Member

Re: Blocking Outbound Access to Specific Host

At the bottom is an overview of the pix config being used. Let me know if there's anything you notice that might be causing users to be able to access host x.

To confirm what you're saying, I'm going to setup the access-list as follows:

access-list acl_in deny tcp any host 216.234.108.99 (forget ports, I'll just block everything)

access-list acl_in permit ip any host 216.234.108.99 log (doesn't work, not part of the commands...perhaps I need to upgrade the IOS ver?)

access-list acl_in permit ip any any

access-group acl_in in interface inside

In doing a lookup, ping, etc. the IP address I used is the one I put in to the access list.

############CONFIG###############

: Saved

:

PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXXXXX encrypted

passwd XXXXXXXXXX encrypted

hostname NAME

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list acl_in deny tcp any host x.x.x.x eq www

access-list acl_in deny tcp any host x.x.x.x eq 443

access-list acl_in deny tcp any host x.x.x.x eq smtp

access-list acl_in deny tcp any host x.x.x.x eq pop3

access-list acl_in permit ip any any

pager lines 24

logging timestamp

logging console alerts

logging monitor alerts

logging buffered alerts

logging trap critical

logging history critical

logging host inside x.z.z.z

no logging message 106007

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside x.z.z.z 255.255.255.224

ip address inside x.z.z.z 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:03:00

failover poll 15

failover ip address outside x.z.z.z

failover ip address inside x.z.z.z

pdm history enable

arp timeout 14400

global (outside) 1 x.z.z.z netmask 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) x.z.z.z x.z.z.z netmask 255.255.255.255 0 0

static (inside,outside) x.z.z.z x.z.z.z netmask 255.255.255.255 0 0

access-group acl_in in interface inside

conduit permit icmp any any

conduit permit tcp host x.z.z.z.90.100 eq www any

conduit permit tcp host x.z.z.z.90.100 eq smtp any

conduit permit tcp host x.z.z.z.90.100 eq pop3 any

conduit permit tcp host x.z.z.z.90.100 eq ftp any

conduit permit tcp host x.z.z.z.90.105 eq www any

conduit permit tcp host x.z.z.z.90.105 eq smtp any

conduit permit tcp host x.z.z.z.90.105 eq pop3 any

conduit permit tcp host x.z.z.z.90.105 eq ftp any

route outside 0.0.0.0 0.0.0.0 x.z.z.z 1

route inside x.z.z.0 255.255.255.0 x.z.z.z 1

route inside x.z.z.a 255.255.255.0 x.z.z.z 1

route inside x.z.z.b 255.255.255.0 x.z.z.y 1

route inside x.z.z.c 255.255.255.0 x.z.z.z 1

route inside x.z.z.d 255.255.255.0 x.z.z.z 1

route inside x.z.z.e 255.255.255.0 x.z.z.z 1

route inside x.z.z.f 255.255.255.0 x.z.z.z 1

route inside x.z.z.g 255.255.255.0 x.z.z.z 1

route inside x.z.z.h 255.255.255.0 x.z.z.z 1

route inside x.z.z.i 255.255.255.0 x.z.z.z 1

route inside x.z.z.j 255.255.255.0 x.z.z.z 1

route inside x.z.z.k 255.255.255.0 x.z.z.z 1

route inside x.z.z.l 255.255.255.0 x.z.z.z 1

route inside x.z.z.m 255.255.255.0 x.z.z.z 1

route inside x.z.z.n 255.255.255.0 x.z.z.z 1

route inside x.z.z.o 255.255.255.0 x.z.z.z 1

route inside x.z.z.p 255.255.255.0 x.z.z.z 1

route inside x.z.z.q 255.255.255.0 x.z.z.z 1

route inside x.z.z.r 255.255.255.0 x.z.z.z 1

route inside x.z.z.s 255.255.255.0 x.z.z.z 1

route inside x.z.z.t 255.255.255.0 x.z.z.z 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

snmp-server host inside x.z.z.z

no snmp-server location

no snmp-server contact

snmp-server community private

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet x.z.z.x 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx

New Member

Re: Blocking Outbound Access to Specific Host

Do not use access-lists and conduits in the same config. This is not recommended by Cisco. Maybe this is your problem. Just translate all your conduits into ACLs.

Next hint: Enable logging informational to your syslog server and find out which access was permitted or denied by your ACL. You don't need to put the log keyword at the end of the ACL entries. The log keyword is only necessary on IOS systems.

When you have done both, you will know what is going through your PIX.

Regards, Norbert

New Member

Re: Blocking Outbound Access to Specific Host

So to translate the conduits below:

conduit permit icmp any any

conduit permit tcp host x.z.z.z.90.100 eq www any

conduit permit tcp host x.z.z.z.90.100 eq smtp any

conduit permit tcp host x.z.z.z.90.100 eq pop3 any

conduit permit tcp host x.z.z.z.90.100 eq ftp any

conduit permit tcp host x.z.z.z.90.105 eq www any

conduit permit tcp host x.z.z.z.90.105 eq smtp any

conduit permit tcp host x.z.z.z.90.105 eq pop3 any

conduit permit tcp host x.z.z.z.90.105 eq ftp any

Would be:

access-list old_conduit permit icmp any any

access-list old_conduit permit tcp host x.z.z.z.90.100 eq www any

access-list old_conduit permit tcp host x.z.z.z.90.100 eq smtp any

Am I on the right track?

TIA,

Alexi

Re: Blocking Outbound Access to Specific Host

Actually in a general acl/conduit conversion:

static (inside,outside) 209.165.201.5 192.168.1.5 netmask 255.255.255.255

conduit permit tcp host 209.165.201.5 eq www any

becomes

access-list acl_out permit tcp any host 209.165.201.5 eq www

So in your example it would be:

access-list old_conduit permit icmp any any

access-list old_conduit permit tcp any host x.z.z.z.90.100 eq www

access-list old_conduit permit tcp any host x.z.z.z.90.100 eq smtp

Steve
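The conduit-to-ACL translation Steve describes (the global address that a conduit names first becomes the destination of an ACL applied inbound on the outside interface, and the foreign "any" becomes the source) is mechanical enough to script. The following is an added example, not code from this thread or from Cisco; the ACL name acl_out, the interface name outside and the sample addresses are assumptions, and it handles only the "any" / "host A.B.C.D" / "eq PORT" forms that appear in the thread, not the netmask form of a conduit.

```python
import re

# Constructed sample conduits, modelled on the ones quoted in this thread
# (209.165.201.5 is the documentation address Steve used above).
SAMPLE_CONDUITS = [
    "conduit permit icmp any any",
    "conduit permit tcp host 209.165.201.5 eq www any",
    "conduit permit tcp host 209.165.201.5 eq smtp any",
    "conduit permit tcp host 209.165.201.5 eq 443 any",
]

# conduit <action> <proto> <global-addr> [eq <port>] <foreign-addr>
CONDUIT_RE = re.compile(
    r"^conduit\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<dst>host\s+\S+|any)"          # global (protected) address comes first
    r"(?:\s+eq\s+(?P<port>\S+))?\s+"    # optional port on that address
    r"(?P<src>host\s+\S+|any)$"         # foreign (remote) address comes second
)


def conduit_to_acl(line, acl_name="acl_out"):
    """Translate one conduit into the equivalent access-list entry.

    The conduit's global address becomes the ACL destination and the
    conduit's foreign address becomes the ACL source, because the ACL
    is evaluated inbound on the outside interface.  The port stays with
    the protected (destination) side.
    """
    m = CONDUIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported conduit form: {line!r}")
    parts = ["access-list", acl_name, m["action"], m["proto"], m["src"], m["dst"]]
    if m["port"]:
        parts += ["eq", m["port"]]
    return " ".join(parts)


def convert_conduits(lines, acl_name="acl_out", interface="outside"):
    """Convert every conduit line and append the access-group that binds
    the new list inbound on the outside interface (assumed names)."""
    acl = [conduit_to_acl(l, acl_name) for l in lines if l.strip().startswith("conduit ")]
    acl.append(f"access-group {acl_name} in interface {interface}")
    return acl


if __name__ == "__main__":
    for entry in convert_conduits(SAMPLE_CONDUITS):
        print(entry)
```

Lines that do not start with "conduit " are skipped so the whole saved config can be fed through it; anything in an address form the regex does not know raises rather than silently producing a wrong entry.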

New Member

Re: Blocking Outbound Access to Specific Host

And then I apply this to the outside interface coming in I would assume?

Re: Blocking Outbound Access to Specific Host

Correct. Use the command: "access-group old_conduit in interface outside"

Steve

New Member

Re: Blocking Outbound Access to Specific Host

Have you tried 'clear xlate' after changing the ACL?

-- Rubio

bz
New Member

Re: Blocking Outbound Access to Specific Host

Hi,

It's okay to use both access-list and conduit...although it's not recommended. I don't think that's the cause of your problem though.

Let me try to understand what you are trying to do: you want to block your internal users from accessing one particular host, let's say 1.1.1.1 on ports 80, 443, 25, and 110. So you added the following commands to your pix...

access-list acl_in deny tcp any host 1.1.1.1 eq 80

access-list acl_in deny tcp any host 1.1.1.1 eq 443

access-list acl_in deny tcp any host 1.1.1.1 eq 25

access-list acl_in deny tcp any host 1.1.1.1 eq 110

access-group acl_in in interface inside

But after doing so, your internal users are no longer able to browse the Internet or whatever...which is normal, since there's an implicit access list:

access-list acl_in deny any any

So, after that you enter another access list into your config.

access-list acl_in permit ip any any

Now, you say users can browse the Internet but access to host 1.1.1.1 is no longer blocked...am I on the right track?

My suggestion to you is to do a show access-list and make sure the order is somewhat like this:

access-list acl_in deny tcp any host 1.1.1.1 eq 80

access-list acl_in deny tcp any host 1.1.1.1 eq 443

access-list acl_in deny tcp any host 1.1.1.1 eq 25

access-list acl_in deny tcp any host 1.1.1.1 eq 110

access-list acl_in permit ip any any
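The two behaviours this reply explains (the implicit deny that blocks everything when the list has no permit, and first-match evaluation, which is why the specific denies must sit above permit ip any any) can be checked against a small model of the ACL. The following is an added example, not code from this thread or from Cisco; the inside source address 192.168.1.20 and the "other" host 203.0.113.9 are constructed, the host 1.1.1.1 is the one used in the reply, and only the any / host / eq forms seen in the thread are parsed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the service names PIX accepts in place of a port number.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp" or "icmp"
    src: str             # "any" or a single host address
    dst: str             # "any" or a single host address
    port: Optional[int]  # destination port from "eq", or None


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(lines: List[str], name: str) -> List[Rule]:
    """Parse access-list entries of the form used in this thread."""
    rules = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["access-list", name]:
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        addrs = []
        while len(addrs) < 2:
            if rest[0] == "any":
                addrs.append("any")
                rest = rest[1:]
            elif rest[0] == "host":
                addrs.append(rest[1])
                rest = rest[2:]
            else:
                raise ValueError(f"unsupported address form in {line!r}")
        port = port_number(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(action, proto, addrs[0], addrs[1], port))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             port: int) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching entry decides.

    Returns (action, 1-based entry number), or ('deny', None) when nothing
    matched, i.e. the implicit deny at the end of every access-list.
    """
    for n, r in enumerate(rules, 1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.src != "any" and r.src != src:
            continue
        if r.dst != "any" and r.dst != dst:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action, n
    return "deny", None


# Constructed ACLs built from the entries quoted in the reply above.
BLOCK_HOST = "1.1.1.1"
DENIES = [f"access-list acl_in deny tcp any host {BLOCK_HOST} eq {p}"
          for p in (80, 443, 25, 110)]
PERMIT_ALL = "access-list acl_in permit ip any any"
ACL_DENIES_ONLY = DENIES                  # what the original poster applied first
ACL_CORRECT = DENIES + [PERMIT_ALL]       # the order this reply recommends
ACL_WRONG_ORDER = [PERMIT_ALL] + DENIES   # permit first: denies never reached


def check(acl_lines, dst, port, src="192.168.1.20"):
    """Decide one inside-to-outside TCP flow against the given ACL text."""
    return evaluate(parse_acl(acl_lines, "acl_in"), "tcp", src, dst, port)


if __name__ == "__main__":
    for label, acl in [("denies only", ACL_DENIES_ONLY),
                       ("denies then permit", ACL_CORRECT),
                       ("permit then denies", ACL_WRONG_ORDER)]:
        print(f"{label:20s} blocked host: {check(acl, BLOCK_HOST, 80)}"
              f"  other host: {check(acl, '203.0.113.9', 80)}")
```

With denies only, traffic to the blocked host hits entry 1 and everything else falls off the end to the implicit deny, which is exactly the "nothing works" symptom in the first post; with the permit appended, the other host matches entry 5 while the blocked host still matches entry 1; with the permit placed first, the blocked host matches entry 1 as permit and the denies are dead entries.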

New Member

Re: Blocking Outbound Access to Specific Host

You are on the right track. I did check the list and the order is correct, but still does not block access to the site.

New Member

Re: Blocking Outbound Access to Specific Host

I'd like to use this thread and pose a small question on this subject.

I am also using the access-lists discussed in this thread to block my inside users from accessing a specific site/port as well. The solution suggested here works ok. The problem is that each time an access is blocked there is a log in the syslog. I am not interested in seeing logs of these blocks (it is cluttering my syslog and I am not able to see the logs that I am really interested in seeing).

If this was a router with Cisco IOS then specifying (or actually NOT specifying) the "log" option at the end of the access-list definition would have sufficed. But on a PIX there is no "log" option for the access-lists. It logs everything :-(

So, my question is: Is it possible to suppress the log of a successfully executed access-list and blocked traffic?

Thanks in advance,

Izak
