I am trying to block certain ports (Windows NetBIOS and other risky stuff) from going from LAN to WAN, but the exception is I do want to allow these ports over the VPN tunnel to the PIX at site A (for the sake of Exchange and mapped network drives). How can I accomplish this on the PIX alone? I don't have another router, as some are suggesting is necessary. From the config below (PIX at site B) I have just blocked the WinCrap from going out of the PIX at all (to the Internet and/or over the tunnel). Is this accurate, or is this what should be happening? Because it is. How do I make the distinction that I don't want it going out over the Internet, but I do want it going out of access-list 100 or to the 192.168.[A].0 network?
On a similar note, how could I force all SIP or port 5060/1 traffic to go over the Tunnel (and out the Internet connection of PIX A) as opposed to going out over the Internet connection of PIX B?
object-group service WinCrap tcp-udp
  description : for blocking Windows slop from leaking outbound
  port-object range 135 139
  port-object eq 445
  port-object eq 593
  port-object eq 4444
access-list inside_access_in deny tcp any any object-group WinCrap
access-list inside_access_in deny udp any any object-group WinCrap
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 554
access-list outside_access_in permit udp any any eq 554
access-list outside_access_in permit tcp any any eq 80
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list 100 permit ip 192.168.[B].0 255.255.255.0 192.168.[A].0 255.255.255.0
access-list 100 permit ip 192.168.[B].0 255.255.255.0 172.16.40.0 255.255.255.0
access-list vpn_splitTunnelAcl permit ip 192.168.[B].0 255.255.255.0 172.16.40.0 255.255.255.0
access-list 110 permit ip 192.168.[B].0 255.255.255.0 192.168.[A].0 255.255.255.0
icmp permit any outside
icmp permit any inside
ip address outside dhcp setroute retry 4
ip address inside 192.168.[B].1 255.255.255.0
ip local pool vpnrange 172.16.40.10-172.16.40.50
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 554 192.168.[B].8 554 dns netmask 255.255.255.255 0 0
static (inside,outside) udp interface 554 192.168.[B].8 554 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 80 192.168.[B].8 80 dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
Thank you in advance for your time and expertise.
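The following is an added example of how the "Windows ports only toward the tunnel" distinction can be expressed on a PIX with nothing but access-list ordering; it is not part of the original post or the poster's running configuration. It keeps the posted object-group and the placeholder subnets 192.168.[A].0 (site A LAN) and 192.168.[B].0 (site B LAN), and assumes that access-list 100 (NAT exemption) and access-list 110 (crypto ACL) stay exactly as posted, so that any packet destined for 192.168.[A].0 is already the traffic that gets encrypted into the tunnel.

```cisco
! Added example, not the original post's config.
! Idea: the inside ACL is evaluated when the packet enters the inside
! interface, before NAT and before IPsec. Permitting the Windows ports by
! DESTINATION SUBNET (the site A LAN) and only then denying them to "any"
! lets them reach the tunnel peer while still blocking them toward the
! Internet. Order matters: the PIX stops at the first matching line.

object-group service WinCrap tcp-udp
  description for blocking Windows slop from leaking outbound
  port-object range 135 139
  port-object eq 445
  port-object eq 593
  port-object eq 4444

! 1. Allow the Windows ports only when the destination is the site A LAN.
!    This traffic also matches crypto ACL 110, so it rides the tunnel.
access-list inside_access_in permit tcp 192.168.[B].0 255.255.255.0 192.168.[A].0 255.255.255.0 object-group WinCrap
access-list inside_access_in permit udp 192.168.[B].0 255.255.255.0 192.168.[A].0 255.255.255.0 object-group WinCrap

! 2. Deny the same ports toward every other destination (the Internet).
access-list inside_access_in deny tcp any any object-group WinCrap
access-list inside_access_in deny udp any any object-group WinCrap

! 3. Everything else leaves as before ("permit ip" already covers ICMP,
!    so a separate "permit icmp" line after it would never be hit).
access-list inside_access_in permit ip any any

access-group inside_access_in in interface inside
```

If the remote-access clients in the 172.16.40.0/24 pool also need mapped drives, add the same permit pair with 172.16.40.0 255.255.255.0 as the destination ahead of the deny lines. To confirm the ordering is doing what you expect, generate some SMB traffic toward site A and toward an Internet host and compare the per-line hit counts in show access-list inside_access_in: the permit lines should increment for the site A test, the deny lines for the Internet test.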