I need Cisco Pix 506E code for the following items

1. Code for blocking an IP address so that no internal users can connect to that IP address.

2. Code for blocking a series of IP addresses so that no internal users can connect to that IP address group. For example, I want to block

202.54.23.12 to 202.54.23.75

3. Code for blocking a specific port on a specific IP address so that no internal users can connect to that IP address on the specified port.

Thanks, Marskarthik

Reply to
Marskarthik

Any Cisco PIX image (version of code) will do that. The technology/concept is called "access-lists" which permit or deny network traffic based on, in this example, source and destination IP addresses or destination TCP/UDP port. Cisco PIX image files are subject to the usual software licensing and are currently not free.

Reply to
Scott Perry

access-list in2out deny ip any host XX.XX.XX.XX
access-list in2out permit ip any any
access-group in2out in interface inside

A)

access-list in2out deny ip any 202.54.23.12 255.255.255.252
access-list in2out deny ip any 202.54.23.16 255.255.255.240
access-list in2out deny ip any 202.54.23.32 255.255.255.224
access-list in2out deny ip any 202.54.23.64 255.255.255.248
access-list in2out deny ip any 202.54.23.72 255.255.255.252
access-list in2out permit ip any any
access-group in2out in interface inside

OR B)

object-group network BannedRange1
network-object 202.54.23.12 255.255.255.252
network-object 202.54.23.16 255.255.255.240
network-object 202.54.23.32 255.255.255.224
network-object 202.54.23.64 255.255.255.248
network-object 202.54.23.72 255.255.255.252
access-list in2out deny ip any object-group BannedRange1
access-list in2out permit ip any any
access-group in2out in interface inside

OR C)

access-list in2out deny ip any host 202.54.23.12
access-list in2out deny ip any host 202.54.23.13
access-list in2out deny ip any host 202.54.23.14
[...]
access-list in2out deny ip any host 202.54.23.75
access-list in2out permit ip any any
access-group in2out in interface inside

To forestall a question: NO, there is no way to just give a range of IP addresses such as 202.54.23.12-202.54.23.75. You get 'host' (for one specific host) and you get base addresses and network masks; there is no IP range operator.

access-list in2out deny tcp any host XX.XX.XX.XX eq 80
access-list in2out permit ip any any
access-group in2out in interface inside

Notes:

- you should only have one "permit ip any any" (at most) and it should always be the very last thing in your access-list.

- you can only apply one access-list to any interface in PIX 6, so if you want to do several of these things together, put them all in the same access-list, follow them with the permit ip any any, and then access-group that list onto the interface.

- nothing in any of the above will prevent your users from using one of the thousands of proxy servers to access those hosts if they really want to.

- No, there is no simple way to block access to proxy servers. Security Best Practice is to only permit access to things that are definitely needed, instead of trying to selectively ban access to things that are forbidden.

Reply to
Walter Roberson

Thanks Walter. You have explained very clearly.

Thanks, Marskarthik

Reply to
Marskarthik

Several access-list entries which cover the ranges in between will work. Here is an example where an outbound traffic access list blocks data traffic going to what you mentioned, 202.54.23.12 to 202.54.23.75.

access-list 101 deny ip any 202.54.23.12 0.0.0.3
access-list 101 deny ip any 202.54.23.16 0.0.0.15
access-list 101 deny ip any 202.54.23.32 0.0.0.31
access-list 101 deny ip any 202.54.23.64 0.0.0.7
access-list 101 deny ip any 202.54.23.72 0.0.0.3
access-list 101 permit ip any any

That access list will do the following (in matching order):

- block any network traffic going to 202.54.23.12 through 202.54.23.15
- block any network traffic going to 202.54.23.16 through 202.54.23.31
- block any network traffic going to 202.54.23.32 through 202.54.23.63
- block any network traffic going to 202.54.23.64 through 202.54.23.71
- block any network traffic going to 202.54.23.72 through 202.54.23.75
- permit any other network traffic

Reply to
Scott Perry

Unfortunately, that won't work. The PIX uses bit masks rather than wildcard bits. I gave the correct entries up-thread, in the message that was the parent of the one you were replying to.

access-list in2out deny ip any 202.54.23.12 255.255.255.252
access-list in2out deny ip any 202.54.23.16 255.255.255.240
access-list in2out deny ip any 202.54.23.32 255.255.255.224
access-list in2out deny ip any 202.54.23.64 255.255.255.248
access-list in2out deny ip any 202.54.23.72 255.255.255.252
access-list in2out permit ip any any

Further note: in IOS, the sort of access-list you showed would have to be numbered, from 101 to 199 (or 2000 to 2699, but I never remember that range!). In PIX, the access-lists are named, and the names have no inherent significance. Numbers are considered valid names for this purpose, so access-list 101 is still fine, and access-list 1 would have been just as good too.

PIX access-list syntax changed again with PIX 7.

Reply to
Walter Roberson
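As an added example (not code from the thread), the base-plus-mask decomposition Walter describes, done in Python: it splits the range 202.54.23.12 to 202.54.23.75 into aligned blocks, emits the entries in PIX 6 subnet-mask form and in IOS wildcard-mask form side by side, and expands a PIX list back into addresses so a hand-written list can be checked for gaps or overshoot. The ACL name and the range are the thread's; the function names are my own.

```python
import ipaddress

def range_to_blocks(first, last):
    """Split an inclusive IPv4 range into the fewest aligned base/prefix
    blocks; the PIX has no range operator, so this is the only way."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def pix_acl(name, first, last):
    """PIX 6.x syntax: base address followed by a subnet mask (1 bits match)."""
    lines = [f"access-list {name} deny ip any {b.network_address} {b.netmask}"
             for b in range_to_blocks(first, last)]
    lines.append(f"access-list {name} permit ip any any")  # the single final permit
    return lines

def ios_acl(number, first, last):
    """IOS syntax: the same blocks, but with a wildcard mask (0 bits match)."""
    lines = [f"access-list {number} deny ip any {b.network_address} {b.hostmask}"
             for b in range_to_blocks(first, last)]
    lines.append(f"access-list {number} permit ip any any")
    return lines

def blocked_addresses(pix_lines):
    """Expand PIX 'deny ip any <base> <mask>' and 'deny ip any host <ip>' lines
    into the sorted list of destination addresses they match."""
    blocked = set()
    for line in pix_lines:
        parts = line.split()
        if len(parts) < 7 or parts[2:5] != ["deny", "ip", "any"]:
            continue  # permits, other protocols and access-group lines are ignored
        if parts[5] == "host":
            blocked.add(ipaddress.IPv4Address(parts[6]))
        else:
            # strict=False: network address is derived from base and mask
            blocked.update(ipaddress.IPv4Network(f"{parts[5]}/{parts[6]}", strict=False))
    return sorted(str(a) for a in blocked)

def covers_exactly(pix_lines, first, last):
    """True when the deny entries match every address in the range and no other."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    want = sorted(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
    return blocked_addresses(pix_lines) == want

if __name__ == "__main__":
    acl = pix_acl("in2out", "202.54.23.12", "202.54.23.75")
    print("\n".join(acl))
    print("exact cover:", covers_exactly(acl, "202.54.23.12", "202.54.23.75"))
```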
