Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Think I have an intruder

I keep seeing an outside(internet) ip address on my inside proxy server. I have the proxy server setup to only accept my inside(dummy) addresses but saomehow this one ip address keeps showing up on my active users list. The stupid proxy server software has no way to ban an ip addresss that I can find. I really do not have a clue what's going on but I would like to figure out a way to ban or deny access thru the PIX for this ip address. So I guess my question is, is it just as simple as adding an access-list statement to deny the ip or is there something else I need to do? I have been trying to add an access-list but it will not accpet what I am typing in. Can anyone tell me exactly what I need to do to totally deny access from a certain ip from coming in thru the PIX? Thanks in advance!

D

7 REPLIES

Re: Think I have an intruder

Hi,

by default all inbound access through the pix is blocked. So there already has to be an allowing access-list in place. It is indeed just as simple as adding an extra line to the access-list to block the traffic.

Keep in mind the an access-list is processed from top to down. So you may have to remove the access-list and then recreate the access-list again with your new line at the right possition.

This access-list is applied to an interface with the 'access-group' command. This command should also be in place already since inbound traffic from the foreign address is allowed.

If you have any more questions, don't hesitate to post them.

Kind Regards,

Tom

New Member

Re: Think I have an intruder

I didn't set this thing up. An "expert" was payed to come in and set this it up but he never got it working before he left. I had to finish setting it up but I may have missed some important settings like this since I have no idea what I'm doing.

So here is what my config shows now as far as access-lists...........

---access-list acl_out permit ip any any

---access-list acl_out permit icmp any any

---access-list acl_in permit icmp any any

---access-list acl_in ip permit any any

Then further down in my config is this line.....

---access-group acl_out in interface outside

So can you tell me what this does and what I should do to make it more secure or at least be able to block this one IP address?? Thanks much!

New Member

Re: Think I have an intruder

Going by your access list, it clearly states that you're allowing everything from outside. Change your access list from permit ip any any to the specific traffic needs to be permitted. If you don't have any idea of what type of traffic to permit, log all the traffic to sys log server for a week leaving the current pix setting as it is. Log file build over the period of week should give you an idea as to what kind of traffic to be permitted.

Desh

Re: Think I have an intruder

Hi,

with the above command in place, you have NO SECURITY at all.

For the moment everyone from the internet is allowed to you internal network.

Is you don't need inbound traffic originating from the internet towards your internal lan, then please remove the 'access-group' command as soon as possible. This is the command you have to issue for this:

no access-group acl_out in interface outside

If you need further help, don't hesitate to post your questions.

Kind Regards,

Tom

New Member

Re: Think I have an intruder

hi...

my i ask about blocking the msn, instant massenger, or mp3 download from inside. my 515 configuration is :

PIX Version 5.3(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password 0iIXp.lkzLvk75q1 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname MetroTV-PIX

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

names

name X.X.X.X ns1

name X.X.X.X proxy

name X.X.X.X domino

name X.X.X.X mail

name X.X.X.X www

access-list acl_in permit ip any any

access-list acl_in deny tcp any any eq 47624

access-list acl_in deny tcp any any range 2300 2400

access-list acl_in deny udp any any range 2300 2400

access-list acl_in deny tcp any any eq 1863

access-list acl_in deny tcp any any eq 799

access-list acl_in deny tcp any any eq 666

access-list acl_in deny tcp any any eq 554

access-list acl_in deny udp any any range 1417 1420

access-list acl_in deny tcp any any eq 1503

access-list acl_in deny tcp any any eq 135

access-list acl_in deny tcp any any eq 1755

access-list acl_in deny udp any any eq 1755

access-list acl_in deny udp any any range 2000 2003

access-list acl_in deny tcp any any range 8000 9000

access-list acl_in deny tcp any any range 6112 6119

access-list acl_in deny udp any any range 6112 6119

access-list acl_in deny tcp any any range 2000 2003

access-list acl_in deny tcp any any eq 4020

access-list acl_in deny udp any any eq 4020

access-list acl_in deny tcp any any eq 4747

access-list acl_in deny tcp any any eq 4748

access-list acl_in deny tcp any any eq 10090

access-list acl_in deny udp any any eq 6144

access-list acl_in deny tcp any any eq 5050

access-list acl_in deny udp any any eq 5050

access-list acl_in deny udp any any eq 5190

access-list acl_in deny udp any any range 5190 5193

access-list acl_in deny tcp any any range 6665 6669

access-list acl_in deny tcp any any eq 11999

access-list acl_in deny tcp any any eq 18888

access-list acl_in deny tcp any any range 28800 29000

access-list acl_in deny udp any any range 28800 29000

access-list acl_in deny tcp any any range 9992 9997

access-list acl_in deny udp any any range 9992 9997

access-list acl_in deny tcp any any eq 5193

access-list acl_in deny udp any any range 8000 9000

access-list acl_in deny tcp any any range 6660 6900

access-list acl_in deny udp any any eq 113

access-list acl_in deny udp any any range 1024 5000

access-list acl_in deny tcp any any range 5000 5001

access-list acl_in deny tcp any any range 1024 5000

access-list acl_in deny udp any any eq 1863

access-list acl_in deny tcp any any eq 6901

access-list acl_in deny udp any any eq 6901

access-list acl_out permit icmp any any

access-list acl_out permit udp any host ns1 eq domain

access-list acl_out permit tcp any host ns1 eq domain

access-list acl_out permit tcp any host www eq ftp

access-list acl_out deny tcp host 195.38.89.148 host mail eq smtp

access-list acl_out permit tcp any host mail eq smtp

access-list acl_out permit tcp any host mail eq pop3

access-list acl_out permit tcp any host domino eq smtp

access-list acl_out permit tcp any host domino eq pop3

access-list acl_out permit tcp any host domino eq www

access-list acl_out permit tcp any host www eq www

access-list acl_out permit tcp any host www eq 1080

access-list acl_out permit tcp any host proxy eq www

access-list acl_out permit tcp any host proxy eq 1080

pager lines 24

logging on

no logging timestamp

no logging standby

no logging console

no logging monitor

logging buffered debugging

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside X.X.X.X 255.255.255.252

ip address inside X.X.X.X 255.255.255.252

ip address dmz X.X.X.X 255.255.255.248

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

nat (inside) 0 proxy 255.255.255.255 0 0

static (dmz,outside) mail mail netmask 255.255.255.255 0 0

static (dmz,outside) ns1 ns1 netmask 255.255.255.255 0 0

static (dmz,outside) www www netmask 255.255.255.255 0 0

static (dmz,outside) domino domino netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

access-group acl_in in interface dmz

conduit permit tcp any eq telnet host X.X.X.X

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

route dmz mail 255.255.255.255 X.X.X.X 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity hostname

telnet proxy 255.255.255.255 inside

telnet proxy 255.255.255.255 dmz

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:1775083fff36841e4213c99106423c0b

acctually i add the dny access list but every one can access the yahoo or instant messager. should i remove the access-list acl_in permit ip any any

command ???

i affraid someone can entered our lan. when i check using who command and check on syslog there is none entered....

thank's

Re: Think I have an intruder

.

New Member

Re: Think I have an intruder

As was stated previously, the pix processess an access list in order - from the top down. The only line that gets processed in your acl-in list is the first line. It permits all ip traffic into the pix from the interfaces defined in the acl group command. That means that the criteria for that filter is met with any and all ip traffic that goes into the pix from the inside and dmz interfaces. Once traffic is allowed by the first permit statement, the pix doesn't subject it to any more tests. It just simply lets it pass through. You need to delete that statement from the beginning of your acl-in list and put it at the end of the list. Keep in mind that any ip traffic that doesn't match the criteria of any of the deny statements will pass through the interface anyway if you include this statement.

113
Views
0
Helpful
7
Replies
CreatePlease login to create content