Any Cisco PIX image (version of code) will do that. The technology/concept is called "access-lists" which permit or deny network traffic based on, in this example, source and destination IP addresses or destination TCP/UDP port. Cisco PIX image files are subject to the usual software licensing and are currently not free.
    access-list in2out deny ip any host XX.XX.XX.XX
    access-list in2out permit ip any any
    access-group in2out in interface inside
A)
    access-list in2out deny ip any 202.54.23.12 255.255.255.252
    access-list in2out deny ip any 202.54.23.16 255.255.255.240
    access-list in2out deny ip any 202.54.23.32 255.255.255.224
    access-list in2out deny ip any 202.54.23.64 255.255.255.248
    access-list in2out deny ip any 202.54.23.72 255.255.255.252
    access-list in2out permit ip any any
    access-group in2out in interface inside

OR B)
    object-group network BannedRange1
        network-object 202.54.23.12 255.255.255.252
        network-object 202.54.23.16 255.255.255.240
        network-object 202.54.23.32 255.255.255.224
        network-object 202.54.23.64 255.255.255.248
        network-object 202.54.23.72 255.255.255.252
    access-list in2out deny ip any object-group BannedRange1
    access-list in2out permit ip any any
    access-group in2out in interface inside

OR C)
    access-list in2out deny ip any host 202.54.23.12
    access-list in2out deny ip any host 202.54.23.13
    access-list in2out deny ip any host 202.54.23.14
    [...]
    access-list in2out deny ip any host 202.54.23.75
    access-list in2out permit ip any any
    access-group in2out in interface inside
To forestall a question: NO, there is no way to just give a range of IP addresses such as 202.54.23.12-202.54.23.75. You get 'host' (for one specific host) and you get base addresses and network masks; no IP range operator.
    access-list in2out deny tcp any host XX.XX.XX.XX eq 80
    access-list in2out permit ip any any
    access-group in2out in interface inside
Notes:
- you should only have one "permit ip any any" (at most) and it should always be the very last thing in your access-list.
- you can only apply one access-list to any interface in PIX 6, so if you want to do several of these things together, put them all in the same access-list, then have the permit ip any any, and then access-group that into control of the interface.
- nothing in any of the above will prevent your users from using one of the thousands of proxy servers to access those hosts if they really want to.
- No, there is no simple way to block access to proxy servers. Security Best Practice is to only permit access to things that are definitely needed, instead of trying to selectively ban access to things that are forbidden.
Several access-list entries which cover the ranges in between will work. Here is an example where an outbound traffic access list blocks data traffic going to what you mentioned, 202.54.23.12 to 202.54.23.75.
    access-list 101 deny ip any 202.54.23.12 0.0.0.3
    access-list 101 deny ip any 202.54.23.16 0.0.0.15
    access-list 101 deny ip any 202.54.23.32 0.0.0.31
    access-list 101 deny ip any 202.54.23.64 0.0.0.7
    access-list 101 deny ip any 202.54.23.72 0.0.0.3
    access-list 101 permit ip any any

That access list will do the following (in matching order):
- block any network traffic going to 202.54.23.12 through 202.54.23.15
- block any network traffic going to 202.54.23.16 through 202.54.23.31
- block any network traffic going to 202.54.23.32 through 202.54.23.63
- block any network traffic going to 202.54.23.64 through 202.54.23.71
- block any network traffic going to 202.54.23.72 through 202.54.23.75
- permit any other network traffic
Unfortunately, that won't work. The PIX uses bit masks rather than wildcard bits. I gave the correct entries up-thread, in the message that was the parent of the one you were replying to.
    access-list in2out deny ip any 202.54.23.12 255.255.255.252
    access-list in2out deny ip any 202.54.23.16 255.255.255.240
    access-list in2out deny ip any 202.54.23.32 255.255.255.224
    access-list in2out deny ip any 202.54.23.64 255.255.255.248
    access-list in2out deny ip any 202.54.23.72 255.255.255.252
    access-list in2out permit ip any any
Further note: in IOS, the sort of access-list you showed would have to be numbered, from 101 to 199 (or 2000 to 2699, but I never remember that range!). In PIX, the access-lists are named, and the names have no inherent significance. Numbers are considered valid names for this purpose, so access-list 101 is still fine, and access-list 1 would have been just as good too.
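The range-to-mask decomposition the thread works through by hand, as an added Python example that is not code from the thread or from Cisco: it splits an inclusive range into the fewest base-address/mask blocks, emits them in PIX subnet-mask form and in IOS wildcard-mask form so the two mask styles from the later posts can be compared side by side, generates the one-host-per-line variant (option C), and then evaluates destinations against the resulting first-match access-list to confirm the entries deny exactly the range and nothing else. The ACL name in2out, the list number 101 and the range 202.54.23.12 to 202.54.23.75 are taken from the thread; the function names are my own.

```python
# Added example (not code from the thread): decompose an IPv4 range into
# base-address/mask entries, emit PIX and IOS syntax, and evaluate the
# resulting first-match access-list. ACL names and the address range are
# taken from the thread; every function name here is an assumption of mine.
import ipaddress


def range_to_blocks(first, last):
    """Split the inclusive range first..last into the fewest CIDR blocks.

    This is the by-hand work the PIX forces on you: it has no range
    operator, only a base address plus a mask per entry.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def pix_deny_lines(acl_name, first, last):
    """PIX syntax: base address, then subnet mask (ones mark network bits)."""
    return [f"access-list {acl_name} deny ip any {n.network_address} {n.netmask}"
            for n in range_to_blocks(first, last)]


def ios_deny_lines(acl_number, first, last):
    """IOS syntax: base address, then wildcard mask (ones mark don't-care bits).

    The wildcard is the bitwise complement of the PIX subnet mask, which is
    why pasting an IOS list into a PIX does not give the same result.
    """
    return [f"access-list {acl_number} deny ip any {n.network_address} {n.hostmask}"
            for n in range_to_blocks(first, last)]


def pix_host_lines(acl_name, first, last):
    """Option C from the thread: one 'host' entry per address (long, but works)."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [f"access-list {acl_name} deny ip any host {ipaddress.IPv4Address(i)}"
            for i in range(lo, hi + 1)]


def build_pix_acl(acl_name, first, last):
    """Model the PIX ACL as ordered (action, base, subnet_mask) tuples, ending
    with the single 'permit ip any any' the thread says must come last."""
    acl = [("deny", str(n.network_address), str(n.netmask))
           for n in range_to_blocks(first, last)]
    acl.append(("permit", "0.0.0.0", "0.0.0.0"))   # 'any any': mask of all zeros
    return acl


def pix_entry_matches(address, base, subnet_mask):
    """An entry matches when address and base agree on every mask bit."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    m = int(ipaddress.IPv4Address(subnet_mask))
    return (a & m) == (b & m)


def evaluate(acl, address):
    """First match wins; an address matching no entry hits the implicit deny."""
    for action, base, mask in acl:
        if pix_entry_matches(address, base, mask):
            return action
    return "deny"


def covers_exactly(acl, first, last):
    """True when the ACL denies every address in first..last and permits the
    address just below and just above it, i.e. no leak and no over-blocking."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    inside = all(evaluate(acl, str(ipaddress.IPv4Address(i))) == "deny"
                 for i in range(lo, hi + 1))
    edges = all(evaluate(acl, str(ipaddress.IPv4Address(i))) == "permit"
                for i in (lo - 1, hi + 1))
    return inside and edges


if __name__ == "__main__":
    FIRST, LAST = "202.54.23.12", "202.54.23.75"   # range from the thread
    print("PIX form (subnet masks):")
    for line in pix_deny_lines("in2out", FIRST, LAST):
        print("  " + line)
    print("IOS form (wildcard masks):")
    for line in ios_deny_lines("101", FIRST, LAST):
        print("  " + line)
    acl = build_pix_acl("in2out", FIRST, LAST)
    print("entries deny exactly the range:", covers_exactly(acl, FIRST, LAST))
```

Run it and the PIX block reproduces the five deny lines given earlier in the thread; the IOS block reproduces the 0.0.0.x wildcard lines from the reply, with each wildcard the complement of the matching subnet mask. The covers_exactly check is the one worth keeping around: whenever a range is re-expressed as masks by hand, walk every address in the range through the model before the list goes onto the firewall, since a single mis-sized mask either leaks part of the range or blocks neighbours you never meant to touch.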