Cisco Support Community

New Member

How to block advertisements through PIX firewall

Hi,

We have a PIX 520 firewall with 3 NICs. We receive advertisements on computers in the inside and DMZ network. It uses the Windows Messenger service and is sent to our network address. It will appear on computers randomly. How can we block this?

Please note that we use the following NAT commands to NAT complete network on inside and DMZ.

nat (inside) 1 192.168.10.0 255.255.255.0 0 0

nat (dmz) 1 192.168.11.0 255.255.255.0 0 0

7 REPLIES
Bronze

Re: How to block advertisements through PIX firewall

You can use the filter command option in PIX to stop Java applets. For all options of the filter command, please use the URL given below:

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801049b7.html#1039734

Silver

Re: How to block advertisements through PIX firewall

Could you post your whole config minus the password lines? I don't think this problem has anything to do with Java blocking.

New Member

Re: How to block advertisements through PIX firewall

Hi, thanks for the reply.

Please find below the whole config of our PIX firewall:

===========================================
PIX Version 4.2(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no fixup protocol smtp 25
names
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pager lines 24
no logging console
no logging monitor
no logging buffered
logging trap warnings
logging facility 20
logging host inside 192.168.2.49
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 196.200.200.196 255.255.255.192
ip address inside 192.168.2.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
arp timeout 14400
global (outside) 1 196.200.200.225
global (outside) 1 196.200.200.226-196.200.200.246
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 196.200.200.248 192.168.2.32 netmask 255.255.255.255 0 0
static (inside,outside) 196.200.200.250 192.168.2.36 netmask 255.255.255.255 0 0
static (inside,outside) 196.200.200.251 192.168.2.43 netmask 255.255.255.255 0 0
static (inside,outside) 196.200.200.252 192.168.2.49 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
static (inside,outside) 196.200.200.247 192.168.2.3 netmask 255.255.255.255 0 0
static (dmz,outside) 196.200.200.197 192.168.1.5 netmask 255.255.255.255 0 0
conduit permit tcp host 196.200.200.247 eq smtp any
conduit permit tcp host 196.200.200.247 eq pop3 any
conduit permit tcp any host 192.168.1.5
conduit permit udp any host 192.168.1.5
conduit permit tcp host 196.200.200.197 eq 443 any
conduit permit tcp host 196.200.200.197 eq www any
conduit permit tcp host 196.200.200.247 eq 443 any
conduit permit tcp host 196.200.200.247 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default
route outside 0.0.0.0 0.0.0.0 196.200.200.193 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
mtu outside 1500
mtu inside 1500
mtu dmz 1500
floodguard 1
=======================================

Silver

Re: How to block advertisements through PIX firewall

You are allowing all TCP and UDP traffic into the x.x.1.5 DMZ host. That explains why that host is getting NetBIOS-based popups.

Why do you allow all that traffic into that host? Is that DMZ host multihomed into the private network?

Are all the popups identical? I cannot see anything that explains how internal machines would be getting them, unless the DMZ host is multihomed into the inside subnet. Are you sure the inside machines with popups aren't getting HTTP-based popups?

What program are you using to confirm where they are coming from? netstat -a?

New Member

Re: How to block advertisements through PIX firewall

Thanks very much for your reply.

You are refering to the following commands, right?

conduit permit tcp any host 192.168.1.5

conduit permit udp any host 192.168.1.5

In fact I am permitting TCP and UDP traffic from 192.168.1.5 to any host, isn't that right? I want to allow TCP and UDP traffic from 192.168.1.5 to the internal network; that's why I have used that command. Do you think it is wrong to use that command?

This 192.168.1.5 host is not a multihomed server. Not only that, this server has been temporarily down for a month or so. Even then we get the advertisements on PCs (randomly) located in the inside network.

The title bar of the advertisement window displays "Messenger Service"; I am not sure if it uses HTTP popups.

Please reply.

Thanks

Jai

Silver

Re: How to block advertisements through PIX firewall

That's right, sorry about that. It has been a while since I have worked with conduits.

It is possible that someone could be spoofing the packets with the source address of 192.168.1.5, and thus getting through the firewall.

When you see these popups, does everyone get them at the same time? Or does each user get them randomly?

New Member

Re: How to block advertisements through PIX firewall

The spam that you are receiving is coming from the Windows Messenger Service (not to be confused with MSN Messenger), which, by default, is turned on on every Windows machine. If you have NT, 2000, or XP you can disable the service. This would require touching every box, though. If you have 95, 98 or ME you cannot turn off the Windows Messenger Service.

However, if you wish to block them altogether, you need to block inbound UDP traffic on ports 135, 137-139, and 445, all of which can be and are used by the Messenger service. While I am not versed enough in PIX firewalling to tell you the commands to block each one, I'm sure that with that knowledge, you or someone else on here can figure it out. Good luck!
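Added example (editor's note, not a reply from the thread; the service and port the DMZ host really needs on the inside are assumptions, since no post names them). On PIX 4.2 there is nothing to "block" explicitly: a packet arriving from a lower-security interface is dropped unless a conduit permits it, so the way to stop UDP 135, 137-139 and 445 from reaching the inside is to narrow the two conduits quoted above rather than add deny rules. In conduit syntax the first address is the global (higher-security side) address and the second is the foreign address, and a conduit is not tied to one interface, so `conduit permit udp any host 192.168.1.5` accepts any UDP datagram carrying source 192.168.1.5, including one spoofed from the outside as the earlier reply suspects, toward every global address: the statics on the outside and, because of `static (inside,dmz) 192.168.2.0 192.168.2.0`, the whole inside subnet as seen from the DMZ. The `!` lines are annotations for the reader; type only the conduit lines.

```cisco
! Before (from the posted config): every TCP and UDP packet from foreign host
! 192.168.1.5 is allowed to any global address, arriving on any lower-security
! interface, outside included.
conduit permit tcp any host 192.168.1.5
conduit permit udp any host 192.168.1.5

! After, step 1: remove the open conduits.
no conduit permit tcp any host 192.168.1.5
no conduit permit udp any host 192.168.1.5

! After, step 2: re-add only the service the DMZ host actually needs inside.
! ASSUMPTION: the DMZ host talks SQL*Net (TCP 1521, already in the fixup
! list) to the inside host 192.168.2.36; replace host and port with what the
! application really uses. The global side is the inside address itself
! because of the static (inside,dmz) 192.168.2.0 192.168.2.0 entry.
conduit permit tcp host 192.168.2.36 eq 1521 host 192.168.1.5

! Result: no conduit permits UDP at all from 192.168.1.5, so Messenger
! Service datagrams to UDP 135, 137-139 and 445 fall to the implicit deny,
! and a packet spoofed with source 192.168.1.5 no longer buys access to the
! inside or to the outside statics.
```

After applying, `show conduit` should list only the narrowed entry plus the SMTP/POP3/HTTP/HTTPS conduits from the original config. If popups on inside PCs continue, watch `show xlate` and the syslog host 192.168.2.49 (the config already has `logging trap warnings`) while one appears; traffic that never crosses the firewall points back at the HTTP-popup question raised earlier in the thread rather than at the conduits.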
