How to block external IP address on PIX 515e

 
 
BillF
10-10-2004
Greetings,

Last 2 weeks I noted one Nevada USA based company has been hammering us with
TONS of spam each day. The IP is identifiable.

Is there a command that will block this IP range from entering into my LAN
from the external (Internet facing) interface? I have a range, I also have
the CIDR shorthand, and of course I have the subnet mask.

Thanks very much.

Bill


 
Walter Roberson
10-11-2004
In article <(E-Mail Removed)>,
BillF <(E-Mail Removed)> wrote:
:Last 2 weeks I noted one Nevada USA based company has been hammering us with
:TONS of spam each day. The IP is identifiable.

:Is there a command that will block this IP range from entering into my LAN
:from the external (Internet facing) interface?

Sure. My apologies if I over-explain, but this is fairly basic
PIX configuration.

Log on to the PIX, and 'enable', and 'config terminal'.
Now 'show access-group' and look for the name shown as being applied
against the 'outside' interface. For example,

npix(config)# show access-group
access-group acl-outside in interface outside
access-group acl-inside in interface inside

If there is no access-group associated with interface 'outside' then
that would be a little unusual, but by no means unheard-of: you
normally do have an access-group command for 'outside' even if you do
not have servers, as ICMP based ping will not be able to get responses
back to you if you do not have an 'outside' access-group.

If you do find the access-group, then the word after 'access-group' is
the name of an access-list. You can show the content of the access-list:

npix(config)# show access-list acl-outside
access-list acl-outside; 463 elements
access-list acl-outside line 1 permit icmp any interface outside echo-reply (hitcnt=0)
access-list acl-outside line 2 permit icmp any any unreachable (hitcnt=7612)
access-list acl-outside line 3 permit icmp any any time-exceeded (hitcnt=0)
[...]

Notice the 'line 1' and so on. If those line numbers show up for you, then
adding in the block you want is easy: just type in something like

npix(config)# access-list acl-outside line 1 deny tcp SPAMMERSIP SPAMMERSNETMASK any eq smtp

for example,

npix(config)# access-list acl-outside line 1 deny tcp 11.22.44.128 255.255.255.128 any eq smtp

This will insert the block at the top of the access-list, *before* the
existing line 1 [*not* overwriting the existing line 1]. You can check
your work:

npix(config)# show access-list acl-outside
access-list acl-outside; 464 elements
access-list acl-outside line 1 deny tcp 11.22.44.128 255.255.255.128 any eq smtp (hitcnt=0)
access-list acl-outside line 2 permit icmp any interface outside echo-reply (hitcnt=0)
access-list acl-outside line 3 permit icmp any any unreachable (hitcnt=7622)
access-list acl-outside line 4 permit icmp any any time-exceeded (hitcnt=0)
[....]

At that point you can save the configuration by the 'write memory' command,
and then log out of the pix.


If the line numbers do not show up for you in the access-list, then
you are running an older software version, potentially as old as 5.2(1)
for that hardware, and you will need to do a bit more work.
There is more than one way you can proceed; I will describe only
one of them for simplicity.

Open a 'Notepad' or other editor session on your computer, and
then on the pix, command 'show running'. This will start out with
a lot of lines that you are not interested in. Keep scrolling down
until you find the lines that configure the access-list:

npix(config)# show running
: Saved
:
PIX Version ??.??(??)
[...]
access-list acl-outside permit icmp any interface outside echo-reply
access-list acl-outside permit icmp any any unreachable
access-list acl-outside permit icmp any any time-exceeded
[...]

Notice that in this display, there are no line numbers and no hit counts
given at the end of the line.

Now, copy all of these lines from the PIX session and paste them
into your editor session. Make sure you do not paste any of the
<--- More ---> prompts into your editor session, and watch out
that you only copy and paste to the end of the access-list you are
working with, as there will be no nice gap or marker to show the
end of the access-list and the start of the new one.

When you have copied all the lines into your edit session, go to the
top of the edit buffer, and add in the block line,

access-list acl-outside deny tcp SPAMMERSIP SPAMMERSNETMASK any eq smtp

e.g.,

access-list acl-outside deny tcp 11.22.44.128 255.255.255.128 any eq smtp

This is the same as the line I gave above for the case where line
numbers showed up, except with no 'line 1'. The 'line 1' is not really
part of the access-list entry anyhow, just a convenient way to edit
access-lists if you did have new enough software.

After you have put the appropriate line into your edit session, go
back to the pix and remove the previous access-list. This will
temporarily prevent new connections from the outside to any servers you
may have. [If it is very important that servers must be kept reachable,
then you should be getting someone with more PIX experience than you
to do this spam blocking.] The way to remove an access-list is to
configure 'no' access-list for it. For example,

npix(config): no access-list acl-outside

Having removed the old version of the access-list, now copy and
paste from the edit session to the pix configuration command. If you
have a very long access-list, you may have to do that in sections.
Doing it part by part is fine, as long as the entire access-list gets
transferred.

You can then check your work by using the 'show access-list' command
as described above. When you are satisfied that the access-list is the
way you want it, you will need another step before you can save the
configuration. You must 'access-group' the access-list 'in interface outside'.
For example,

npix(config): access-group acl-outside in interface outside

You need to do this because when you removed the access-list with the 'no'
command, the PIX automatically removed the corresponding 'access-group'
command as well.

You can then save the configuration ('write memory') and log off the
pix.


If it happened that you had no access-group applied against the
outside interface, then you can just create an access-list and
apply it.

npix(config): access-list acl-outside deny tcp SPAMMERSIP SPAMMERSNETMASK any eq smtp
npix(config): access-group acl-outside in interface outside

e.g.,

npix(config): access-list acl-outside deny tcp 11.22.44.128 255.255.255.128 any eq smtp
npix(config): access-group acl-outside in interface outside

Then save the configuration ('write memory') and you can then log off the
pix.



There are other ways of achieving the same end, but the version above
is the easiest to explain, and you might at some point find yourself in
situations where you need to fall back to this kind of ACL editing
anyhow.
--
Entropy is the logarithm of probability -- Boltzmann
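The following is an added example, not code from the thread, from Walter, or from Cisco. It automates the preparation step of the procedure above for PIX software without 'line N' support: it takes a pasted 'show running' capture, keeps only the entries of the named access-list (dropping '<--- More --->' pager prompts and the entries of the next list, which follow with no separator), puts the deny entry first, and emits the command sequence in the order given above: 'no access-list', the rebuilt list, and the 'access-group' re-apply that the 'no' command silently removed. Assumptions not from the page: the spammer range is supplied in CIDR form and converted to the dotted subnet mask that PIX access-list entries take, and the sample 'show running' text is constructed for the demonstration.

```python
"""Added example (not from the thread or from Cisco): prepare the PIX ACL
rewrite for software without 'line N' support.

Assumptions not from the page: the blocked range is given as CIDR and is
converted to the dotted netmask that PIX access-list entries use; the
'show running' capture below is constructed, not real device output.
"""
import ipaddress
import re
from typing import List

# Pager prompt that lands in terminal captures; it may share a line with an entry.
MORE_PROMPT = re.compile(r"<--- More --->")

# Constructed sample capture: note the pager prompt fused onto the third entry
# and the acl-inside entry that follows the list with no separator.
SAMPLE_SHOW_RUNNING = """\
: Saved
:
PIX Version 6.3(1)
access-list acl-outside permit icmp any interface outside echo-reply
access-list acl-outside permit icmp any any unreachable
<--- More --->access-list acl-outside permit icmp any any time-exceeded
access-list acl-inside permit ip any any
"""


def cidr_to_pix_source(cidr: str) -> str:
    """'11.22.44.128/25' -> '11.22.44.128 255.255.255.128'.

    PIX access-list entries take a real subnet mask, not an IOS wildcard mask.
    strict=True rejects a prefix with host bits set (a typo such as .129/25)
    instead of silently widening the block to a range you did not intend.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def extract_acl(show_running: str, acl_name: str) -> List[str]:
    """Return only the 'access-list <acl_name> ...' entries, in their original order."""
    prefix = f"access-list {acl_name} "   # trailing space: exact name match only
    entries = []
    for raw in show_running.splitlines():
        line = MORE_PROMPT.sub("", raw).strip()
        if line.startswith(prefix):
            entries.append(line)
    return entries


def build_block_commands(show_running: str, acl_name: str, spammer_cidr: str,
                         interface: str = "outside", port: str = "smtp") -> List[str]:
    """Command sequence to paste into config mode, in the order the post gives.

    'show access-list' and 'write memory' are deliberately left to the operator,
    so the result is checked before it is saved.
    """
    existing = extract_acl(show_running, acl_name)
    deny = (f"access-list {acl_name} deny tcp "
            f"{cidr_to_pix_source(spammer_cidr)} any eq {port}")
    cmds = []
    if existing:
        # Removing the list also drops its access-group; it is re-applied below.
        cmds.append(f"no access-list {acl_name}")
    cmds.append(deny)       # the new deny goes first, ahead of the old line 1
    cmds.extend(existing)   # then every previous entry, unchanged
    cmds.append(f"access-group {acl_name} in interface {interface}")
    return cmds


if __name__ == "__main__":
    for cmd in build_block_commands(SAMPLE_SHOW_RUNNING, "acl-outside", "11.22.44.128/25"):
        print(cmd)
```

Paste the emitted lines in sections if the list is long, run 'show access-list' to confirm the deny entry sits at the top and every old entry came back, and only then 'write memory'. When the capture contains no entries for the named list (the no-access-group case), the output is just the deny entry and the access-group command.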
 
BillF
10-11-2004
Walter.............

Thanks VERY much for the detailed explanation! I value your time, and
experience.

Seems there are 2 IPs that are sending us most of our incoming spam, by a
very high percentage.

Respectfully, Bill



"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:ckejpd$s5j$(E-Mail Removed)...



 
BillF
10-11-2004
Walter..........

I forgot to say, your directions were perfect. I found the acl "out" easy.
I unfortunately do not have line numbers. Version is PIX 6.3(1).

Can I insert line numbers for the future on the acl out list?

Thanks, Bill

"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:ckejpd$s5j$(E-Mail Removed)...



 
Walter Roberson
10-11-2004
In article <(E-Mail Removed)>,
BillF <(E-Mail Removed)> wrote:
:I forgot to say, your directions were perfect. I found the acl "out" easy.
:I unfortunately do not have line numbers. Version is PIX 6.3(1).

:Can I insert line numbers for the future on the acl out list?

The line numbers and easy ACL editing are from slightly newer
software, so you would have to upgrade your software. If you do not
have a maintenance contract, you would normally either have to get such
a contract or else buy a single release.

In your situation, you have another option. The software version you are
running, 6.3(1), has known security problems, so Cisco offers
free upgrades for it. There were -two- sets of security problems
found after 6.3(1) was released, so it happens that you can
get free upgrades from 6.3(1) all the way to the newest release, 6.3(4).
To do that, read the following link carefully:

http://www.cisco.com/en/US/products/...5f.shtml#fixes

As a quick summary, it says that if you got your machine from a VAR, then
contact the VAR and cite the document above, and the VAR should give you
the new version. If your VAR refuses or if you got the device directly
from Cisco or through a reseller who does not act as a VAR, then
you can contact the Cisco TAC and cite that document and they will make
the software available. [Some people have had trouble getting Cisco to
live up to this, but if you give the exact URL then you should be able
to push through.]

--
Inevitably, someone will flame me about this .signature.
 
BillF
10-12-2004
Walter................

You are incredible - were you born with a PIX, instead of the usual toys??


Thanks VERY, very much.

Bill



"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:ckeu8b$cd9$(E-Mail Removed)...



 