Blocking web access

alexi
Level 1

I'm trying to block web access at one of our remote sites that have not been using it for anything kosher. I setup the following extended access-list, and applied to both the in and out of the 1720 eth0:

access-list 150 remark block web traf

access-list 150 deny tcp any any eq

access-list 150 remark allow all othe

access-list 150 permit ip any any

I seem to be missing something as they're still browsing. Any suggestions?

Also, I want to block a particular domain name from being accessible. What is the best syntax to use to do this?

TIA,

Alexi

9 Replies

steve.barlow
Level 7

I assume it should read "access-list 150 deny tcp any any eq 80" but it was just cut off. Try "debug ip packet detail 150" and what does it show? And I would only apply it inbound on your lan facing interface (save bandwidth and router processing it).

Let us know.

Steve

I actually read:

access-list 150 deny tcp any any eq www

I had it inbound on the ser0 interface, which I thought was the way to go. If it is in on the lan, that means it is coming FROM the lan. Since most web traffic is going to the lan (ie web pages being downloaded), wouldn't out be the way to go for eth0?

Also, what does the "www" cover in the access list? I could do 80, 81, 443, etc., but I used "www" because I assumed it covered http and https. Is this correct?

TIA,

Alexi

If you put it on the lan side (apply it inbound) you block the web request, hence you save your wan side bandwidth (the request and resulting reply that will only get dropped) and the router from processing it.

WWW only covers tcp port 80. If you want to cover HTTPS, add a rule that says 443.

I would make the changes and do a "debug ip packet 150 detail"?

Steve

Pure logic...that's what I like. Proper security is reliant upon having the correct perspective. Thanks for your help.

I've done the debug you list. Is this supposed to log to console? I'm not seeing anything, although a show ip access-list 120 (I changed the number) has 2143 matches for the port 80 deny statement.

To display the debug message on the console and terminals, use the terminal monitor command:

terminal monitor & terminal no monitor

The terminal monitor command copies debug command output and system error messages to the current terminal as well as to the console terminal.

You also need to disable fast switching on the interface.

Another option other than debug is to add "log" to the end of your access-list statement (e.g. access-list 101 deny tcp host x.x.x.x any eq 80 log), then do a show log. It will show all matches to that acl entry. Put this at the end of the deny 80 and the permit any any to see what's going on.

Is the acl now on the LAN interface inbound? Working? If no paste the whole acl with any show log (after adding log keyword to acl entry) and debugs you gathered and list any other acls on the router.

Hope it helps

Steve

We ended up pulling the ACL, because the CPU was hitting 96%, and it caused this location to have problems with other applications due to packets not getting through in a timely manner. Is this normal for a 1720?

What I'm trying to do now is just block access to a specific host from our PIX515, and I've got the following ACL setup:

access-list acl_in deny tcp any host x.x.x.x eq 80

access-list acl_in deny tcp any host x.x.x.x eq 443

access-list acl_in deny tcp any host x.x.x.x eq 25

access-list acl_in deny tcp any host x.x.x.x eq 110

and used access-group acl_in in interface inside

When I do this all outbound access is blocked. If I add the following line to the access-list, we can browse again, but access to the host is not blocked anymore:

access-list acl_in permit any any

I thought the access-list read in order until it finds a match, in which case this should work. Can anyone please shed some light on what I am not doing correctly?

TIA,

Alexi
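The two questions in this thread (why an ACL applied "out" on eth0 did not stop browsing, and why a PIX access-list with only deny lines blocked everything) both come down to how these lists are evaluated: top to bottom, first match wins, and a packet that matches nothing hits the implicit deny at the end. The Python below is an added example, not code from this thread or from Cisco, that models that evaluation and runs it over constructed packets. The Packet and Ace classes, the evaluate function, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.7 addresses (documentation ranges standing in for the LAN, Internet hosts and the x.x.x.x host) are all assumptions made for illustration.

```python
"""Added example: first-match ACL evaluation with an implicit deny at the end.

Models how an IOS numbered ACL or a PIX access-list is evaluated: entries are
checked top to bottom, the first matching entry decides, and a packet that
matches no entry is dropped. All addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry. 'eq' in IOS/PIX syntax tests the DESTINATION port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str = "any"             # "any", a host address or a CIDR network
    dst: str = "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and _addr_in(pkt.src, self.src)
            and _addr_in(pkt.dst, self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


def _addr_in(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: list, pkt: Packet) -> str:
    """Return the action of the first matching entry, or 'deny' (the implicit deny)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# --- Scenario 1: the IOS list from the original post (www = tcp/80 only).
ACL_150 = [
    Ace("deny", "tcp", dport=80),   # access-list 150 deny tcp any any eq www
    Ace("permit", "ip"),            # access-list 150 permit ip any any
]

# A browser request leaving the LAN, and the server's reply coming back.
# 192.0.2.0/24 stands in for the LAN, 198.51.100.0/24 for Internet hosts (constructed).
REQUEST = Packet("tcp", "192.0.2.10", 51000, "198.51.100.5", 80)
REPLY = Packet("tcp", "198.51.100.5", 80, "192.0.2.10", 51000)
HTTPS_REQUEST = Packet("tcp", "192.0.2.10", 51001, "198.51.100.5", 443)


def ios_results() -> dict:
    """What ACL 150 does to each packet, depending on which packets it sees."""
    return {
        # Applied inbound on the LAN interface, the list sees the request: matched and dropped.
        "request_on_lan_inbound": evaluate(ACL_150, REQUEST),
        # Applied outbound on the LAN interface, the list sees the reply: its destination
        # port is the client's ephemeral port, not 80, so 'eq www' never matches it.
        "reply_on_lan_outbound": evaluate(ACL_150, REPLY),
        # 'www' is tcp/80 only; HTTPS needs its own 'eq 443' entry.
        "https_request": evaluate(ACL_150, HTTPS_REQUEST),
    }


# --- Scenario 2: the PIX list aimed at one host, with and without a trailing permit.
BLOCKED = "203.0.113.7"   # stands in for the x.x.x.x host (constructed)
DENIES = [Ace("deny", "tcp", dst=BLOCKED, dport=p) for p in (80, 443, 25, 110)]
TO_BLOCKED = Packet("tcp", "192.0.2.10", 51002, BLOCKED, 80)
TO_OTHER = Packet("tcp", "192.0.2.10", 51003, "198.51.100.9", 80)


def pix_results() -> dict:
    """(verdict for the blocked host, verdict for any other host) per list ordering."""
    permit_last = DENIES + [Ace("permit", "ip")]
    permit_first = [Ace("permit", "ip")] + DENIES
    return {
        # Only deny lines: everything else falls through to the implicit deny.
        "denies_only": (evaluate(DENIES, TO_BLOCKED), evaluate(DENIES, TO_OTHER)),
        # Denies first, then permit ip any any: the host is blocked, the rest is allowed.
        "permit_last": (evaluate(permit_last, TO_BLOCKED), evaluate(permit_last, TO_OTHER)),
        # Permit first: it matches everything, so the deny lines below it are dead.
        "permit_first": (evaluate(permit_first, TO_BLOCKED), evaluate(permit_first, TO_OTHER)),
    }


if __name__ == "__main__":
    for name, verdict in ios_results().items():
        print(f"IOS  {name:24s} -> {verdict}")
    for name, verdicts in pix_results().items():
        print(f"PIX  {name:24s} -> blocked host: {verdicts[0]}, other host: {verdicts[1]}")
```

The model deliberately has no state: like a plain IOS ACL it looks at each packet on its own, which is why a `deny tcp any any eq 80` only bites on the side of the router where it sees the client's request. Run it and compare the "denies_only" line with the symptom described above; the ordering of the permit line decides whether the per-host deny lines ever get a chance to match.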

Use "outbound" access lists instead of what you are trying to do. This works perfectly on a 515, and I use them all over the place at all of my offices. You can first setup what you want to block, and then, setup exceptions to the rule.

See here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43cfg.htm#xtocid43

Not sure if this helps or not.

Cheers,

-Chris

I tried, but no luck...perhaps I need to remove the conduits for this to work as well?

No, you don't have to remove conduits. I have plenty of conduits.

For example:

config t

outbound 10 deny 10.10.10.0 255.255.255.0 www tcp

apply (inside) 10 outgoing_src

If you don't apply it, it won't take effect.

Another example:

This outbound access allows one host (10.10.10.5) to talk port 80 to host 20.20.20.5 and no one else to talk to host 20.20.20.5 via port 80.

config t

outbound 20 permit 10.10.10.5 255.255.255.255 www tcp

outbound 20 deny 20.20.20.5 255.255.255.255 www tcp

apply (inside) 20 outgoing_dest

I have this working on 3 different PIX 515's. This worked previously on 5.3(3) and still works on 6.2(1) and 6.2(2) software versions.

These are actual working examples I use in my environment.

-Chris
