01-03-2003 01:45 PM - edited 03-09-2019 01:33 AM
I keep seeing an outside (internet) IP address on my inside proxy server. I have the proxy server set up to only accept my inside (dummy) addresses but somehow this one IP address keeps showing up on my active users list. The stupid proxy server software has no way to ban an IP address that I can find. I really do not have a clue what's going on but I would like to figure out a way to ban or deny access through the PIX for this IP address. So I guess my question is, is it just as simple as adding an access-list statement to deny the IP or is there something else I need to do? I have been trying to add an access-list but it will not accept what I am typing in. Can anyone tell me exactly what I need to do to totally deny access from a certain IP from coming in through the PIX? Thanks in advance!
D
01-03-2003 02:48 PM
Hi,
By default all inbound access through the PIX is blocked, so there already has to be an allowing access-list in place. It is indeed just as simple as adding an extra line to the access-list to block the traffic.
Keep in mind that an access-list is processed from top to bottom. So you may have to remove the access-list and then recreate it with your new line at the right position.
This access-list is applied to an interface with the 'access-group' command. This command should also be in place already since inbound traffic from the foreign address is allowed.
If you have any more questions, don't hesitate to post them.
Kind Regards,
Tom
01-06-2003 06:28 AM
I didn't set this thing up. An "expert" was paid to come in and set it up but he never got it working before he left. I had to finish setting it up but I may have missed some important settings like this since I have no idea what I'm doing.
So here is what my config shows now as far as access-lists...........
---access-list acl_out permit ip any any
---access-list acl_out permit icmp any any
---access-list acl_in permit icmp any any
---access-list acl_in permit ip any any
Then further down in my config is this line.....
---access-group acl_out in interface outside
So can you tell me what this does and what I should do to make it more secure or at least be able to block this one IP address?? Thanks much!
01-06-2003 08:25 AM
Going by your access list, it clearly states that you're allowing everything from outside. Change your access list from permit ip any any to the specific traffic needs to be permitted. If you don't have any idea of what type of traffic to permit, log all the traffic to sys log server for a week leaving the current pix setting as it is. Log file build over the period of week should give you an idea as to what kind of traffic to be permitted.
Desh
01-06-2003 02:09 PM
Hi,
with the above command in place, you have NO SECURITY at all.
For the moment everyone from the internet is allowed into your internal network.
If you don't need inbound traffic originating from the internet towards your internal LAN, then please remove the 'access-group' command as soon as possible. This is the command you have to issue for this:
no access-group acl_out in interface outside
If you need further help, don't hesitate to post your questions.
Kind Regards,
Tom
01-06-2003 10:54 PM
hi...
May I ask about blocking MSN, instant messenger, or mp3 downloads from inside? My 515 configuration is:
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 0iIXp.lkzLvk75q1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MetroTV-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
name X.X.X.X ns1
name X.X.X.X proxy
name X.X.X.X domino
name X.X.X.X mail
name X.X.X.X www
access-list acl_in permit ip any any
access-list acl_in deny tcp any any eq 47624
access-list acl_in deny tcp any any range 2300 2400
access-list acl_in deny udp any any range 2300 2400
access-list acl_in deny tcp any any eq 1863
access-list acl_in deny tcp any any eq 799
access-list acl_in deny tcp any any eq 666
access-list acl_in deny tcp any any eq 554
access-list acl_in deny udp any any range 1417 1420
access-list acl_in deny tcp any any eq 1503
access-list acl_in deny tcp any any eq 135
access-list acl_in deny tcp any any eq 1755
access-list acl_in deny udp any any eq 1755
access-list acl_in deny udp any any range 2000 2003
access-list acl_in deny tcp any any range 8000 9000
access-list acl_in deny tcp any any range 6112 6119
access-list acl_in deny udp any any range 6112 6119
access-list acl_in deny tcp any any range 2000 2003
access-list acl_in deny tcp any any eq 4020
access-list acl_in deny udp any any eq 4020
access-list acl_in deny tcp any any eq 4747
access-list acl_in deny tcp any any eq 4748
access-list acl_in deny tcp any any eq 10090
access-list acl_in deny udp any any eq 6144
access-list acl_in deny tcp any any eq 5050
access-list acl_in deny udp any any eq 5050
access-list acl_in deny udp any any eq 5190
access-list acl_in deny udp any any range 5190 5193
access-list acl_in deny tcp any any range 6665 6669
access-list acl_in deny tcp any any eq 11999
access-list acl_in deny tcp any any eq 18888
access-list acl_in deny tcp any any range 28800 29000
access-list acl_in deny udp any any range 28800 29000
access-list acl_in deny tcp any any range 9992 9997
access-list acl_in deny udp any any range 9992 9997
access-list acl_in deny tcp any any eq 5193
access-list acl_in deny udp any any range 8000 9000
access-list acl_in deny tcp any any range 6660 6900
access-list acl_in deny udp any any eq 113
access-list acl_in deny udp any any range 1024 5000
access-list acl_in deny tcp any any range 5000 5001
access-list acl_in deny tcp any any range 1024 5000
access-list acl_in deny udp any any eq 1863
access-list acl_in deny tcp any any eq 6901
access-list acl_in deny udp any any eq 6901
access-list acl_out permit icmp any any
access-list acl_out permit udp any host ns1 eq domain
access-list acl_out permit tcp any host ns1 eq domain
access-list acl_out permit tcp any host www eq ftp
access-list acl_out deny tcp host 195.38.89.148 host mail eq smtp
access-list acl_out permit tcp any host mail eq smtp
access-list acl_out permit tcp any host mail eq pop3
access-list acl_out permit tcp any host domino eq smtp
access-list acl_out permit tcp any host domino eq pop3
access-list acl_out permit tcp any host domino eq www
access-list acl_out permit tcp any host www eq www
access-list acl_out permit tcp any host www eq 1080
access-list acl_out permit tcp any host proxy eq www
access-list acl_out permit tcp any host proxy eq 1080
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside X.X.X.X 255.255.255.252
ip address inside X.X.X.X 255.255.255.252
ip address dmz X.X.X.X 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
nat (inside) 0 proxy 255.255.255.255 0 0
static (dmz,outside) mail mail netmask 255.255.255.255 0 0
static (dmz,outside) ns1 ns1 netmask 255.255.255.255 0 0
static (dmz,outside) www www netmask 255.255.255.255 0 0
static (dmz,outside) domino domino netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_in in interface dmz
conduit permit tcp any eq telnet host X.X.X.X
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route dmz mail 255.255.255.255 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet proxy 255.255.255.255 inside
telnet proxy 255.255.255.255 dmz
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:1775083fff36841e4213c99106423c0b
Actually I added the deny access-list lines but everyone can access Yahoo or instant messenger. Should I remove the access-list acl_in permit ip any any command???
I'm afraid someone can enter our LAN. When I check using the who command and check the syslog there is no one entered....
thank's
01-08-2003 07:18 AM
As was stated previously, the PIX processes an access list in order, from the top down. The only line that gets processed in your acl_in list is the first line. It permits all IP traffic into the PIX from the interfaces defined in the access-group command. That means that the criteria for that filter is met with any and all IP traffic that goes into the PIX from the inside and dmz interfaces. Once traffic is allowed by the first permit statement, the PIX doesn't subject it to any more tests. It just simply lets it pass through. You need to delete that statement from the beginning of your acl_in list and put it at the end of the list. Keep in mind that any IP traffic that doesn't match the criteria of any of the deny statements will pass through the interface anyway if you include this statement.
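The two pieces of advice in this thread (Tom's point that a deny line for one host has to sit above the permit, and the explanation above that a leading "permit ip any any" makes every later deny line dead) both come down to first-match evaluation. The following is an added Python example, not code from the thread or from Cisco: it parses PIX-style access-list lines, evaluates a packet against them top down, and reports rules that can never fire because an earlier, broader rule shadows them. The acl_in excerpt is taken from the posted config; the host addresses (10.0.0.5, 192.0.2.10, 198.51.100.7) are constructed documentation-range values, and the port-name table covers only the names that appear in the thread.

```python
"""First-match evaluation of PIX-style access-list lines, plus a check for
rules that can never fire because an earlier, broader rule shadows them.
Added example for the thread; it is not PIX code or Cisco tooling."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
# Only the service names used in the thread's config are mapped here.
PORT_NAMES = {"domain": 53, "smtp": 25, "pop3": 110, "www": 80, "ftp": 21, "telnet": 23}


@dataclass
class Rule:
    acl: str
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Tuple[int, int]           # destination port range; (0, 65535) when not restricted
    text: str                        # original line, kept for reporting


def _port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl_line(line: str) -> Rule:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq P | range LO HI]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    acl, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    ports = (0, 65535)
    if i < len(t) and t[i] == "eq":
        ports = (_port(t[i + 1]), _port(t[i + 1]))
    elif i < len(t) and t[i] == "range":
        ports = (_port(t[i + 1]), _port(t[i + 2]))
    return Rule(acl, action, proto, src, dst, ports, line)


def _matches(r: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((r.proto == "ip" or r.proto == proto)
            and ipaddress.ip_address(src) in r.src
            and ipaddress.ip_address(dst) in r.dst
            and r.ports[0] <= dport <= r.ports[1])


def first_match(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[Optional[int], str]:
    """Walk the list top down; the first matching line decides. No match = implicit deny."""
    for idx, r in enumerate(rules):
        if _matches(r, proto, src, dst, dport):
            return idx, r.action
    return None, "deny"


def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches b would already have matched a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never be the first match because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(_covers(rules[j], r) for j in range(i))]


# Excerpt of the acl_in posted in the thread, with the permit line first as posted.
POSTED_IN = [
    "access-list acl_in permit ip any any",
    "access-list acl_in deny tcp any any eq 1863",
    "access-list acl_in deny tcp any any eq 5050",
    "access-list acl_in deny udp any any eq 5050",
]
FIXED_IN = POSTED_IN[1:] + POSTED_IN[:1]       # same lines, permit moved to the end

# Constructed outside list for the original question: one host denied above a broad permit.
OUT = [
    "access-list acl_out deny ip host 198.51.100.7 any",
    "access-list acl_out permit ip any any",
]


def demo() -> dict:
    posted = [parse_acl_line(l) for l in POSTED_IN]
    fixed = [parse_acl_line(l) for l in FIXED_IN]
    out = [parse_acl_line(l) for l in OUT]
    return {
        "posted_shadowed": shadowed(posted),                                   # every deny is dead
        "posted_msn": first_match(posted, "tcp", "10.0.0.5", "192.0.2.10", 1863),
        "fixed_shadowed": shadowed(fixed),
        "fixed_msn": first_match(fixed, "tcp", "10.0.0.5", "192.0.2.10", 1863),
        "fixed_web": first_match(fixed, "tcp", "10.0.0.5", "192.0.2.10", 80),   # falls to the permit
        "out_blocked": first_match(out, "tcp", "198.51.100.7", "10.0.0.5", 8080),
        "out_other": first_match(out, "tcp", "198.51.100.9", "10.0.0.5", 8080),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block shows the posted order leaves the three deny lines shadowed (indices 1, 2, 3) and lets port 1863 through on the first line, while the reordered list blocks it on its first line and still passes port 80 on the trailing permit; the outside list denies the one host and permits everyone else, which is the shape Tom described for the original question.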