09-19-2002 01:55 PM - edited 03-09-2019 12:23 AM
I'm trying to block web access at one of our remote sites that have not been using it for anything kosher. I setup the following extended access-list, and applied to both the in and out of the 1720 eth0:
access-list 150 remark block web traf
access-list 150 deny tcp any any eq
access-list 150 remark allow all othe
access-list 150 permit ip any any
I seem to be missing something as they're still browsing. Any suggestions?
Also, I want to block a particular domain name from being accessible. What is the best syntax to use to do this?
TIA,
Alexi
09-19-2002 03:41 PM
I assume it should read "access-list 150 deny tcp any any eq 80" but it was just cut off. Try "debug ip packet detail 150" and what does it show? And I would only apply it inbound on your lan facing interface (save bandwidth and router processing it).
Let us know.
Steve
09-19-2002 03:55 PM
I actually read:
access-list 150 deny tcp any any eq www
I had it inbound on the ser0 interface, which I thought was the way to go. If it is in on the lan, that means it is coming FROM the lan. Since most web traffic is going to the lan (ie web pages being downloaded), wouldn't out be the way to go for eth0?
Also, what doest the "www" cover in the access list? I could do 80, 81, 443, etc., but I used "www" because I assumed it covered http and https. Is this correct?
TIA,
Alexi
09-19-2002 04:09 PM
If you put it on the lan side (apply it inbound) you block the web request, hence you save your wan side bandwidth (the request and resulting reply that will only get dropped) and the router from processing it.
WWW only covers tcp port 80. If you want to cover HTTPS, add a rule that says 443.
I would make the changes and do a "debug ip packet 150 detail"?
Steve
09-20-2002 07:15 AM
Pure logic...that's what I like. Proper security is reliant upon having the correct perspective. Thanks for your help.
I've done the debug you list. Is this supposed to log to console? I'm not seeing anything, although a show ip access-list 120 (I changed the number) has 2143 matches for the port 80 deny statement.
09-21-2002 04:20 PM
To display the debug message on the console and terminals, use the terminal monitor command:
terminal monitor & terminal no monitor
The terminal monitor command copies debug command output and system error messages to the current terminal as well as to the console terminal.
You also need to disable fast switching on the interface.
Another option other than debug is add "log" to the end of your access-list statement (eg access-list 101 deny tcp host x.x.x.x any eq 80 log), then do a show log. It will show all matches to that acl entry. Put this at the end of the deny 80 and the permit any any to see whats going on.
Is the acl now on the LAN interface inbound? Working? If no paste the whole acl with any show log (after adding log keyword to acl entry) and debugs you gathered and list any other acls on the router.
Hope it helps
Steve
09-30-2002 12:41 PM
We ended up pulling the ACL, because the CPU was hitting 96%, and it caused this location to have problems with other applications due to packets not getting through in a timely manner. Is this normal for a 1720?
What I'm trying to do now is just block access to a specific host from our PIX515, and I've got the following ACL setup:
access-list acl_in deny tcp any host x.x.x.x eq 80
access-list acl_in deny tcp any host x.x.x.x eq 443
access-list acl_in deny tcp any host x.x.x.x eq 25
access-list acl_in deny tcp any host x.x.x.x eq 110
and used access-group acl_in in interface inside
When I do this all outbound access is blocked. If I add the following line to the access-list, we can browse again, but access to the host is not blocked anymore:
access-list acl_in permit any any
I thought the access-list read in order until it finds a match, in which case this should work. Can anyone please shed some light on what I am not doing correctly?
TIA,
Alexi
10-02-2002 11:01 AM
Use "outbound" access lists instead of what you are trying to do. This works perfectly on a 515, and I use them all over the place at all of my offices. You can first setup what you want to block, and then, setup exceptions to the rule.
See here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43cfg/pix43cfg.htm#xtocid43
Not sure if this helps or not.
Cheers,
-Chris
10-02-2002 03:23 PM
I tried, but no luck...perhaps I need to remove the conduits for this to work as well?
10-03-2002 12:39 PM
No, you don't have to remove conduits. I have plenty of conduits.
For example:
config t
outbound 10 deny 10.10.10.0 255.255.255.0 www tcp
apply (inside) 10 outgoing_src
If you don't apply it, it won't take effect.
Another example:
This outbound access allows one host (10.10.10.5) to talk port 80 to host 20.20.20.5 and no one else to talk to host 20.20.20.5 via port 80.
config t
outbound permit 20 10.10.10.5 255.255.255.255 www tcp
outbound deny 20 20.20.20.5 255.255.255.255 www tcp
apply (inside) 20 outgoing_dest
I have this working on 3 different PIX 515's. This worked previously on 5.3(3) and still works on 6.2(1) and 6.2(2) software versions.
These are actual working examples I use in my enviornment.
-Chris
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: