Velocity Reviews - Computer Hardware Reviews

I need Cisco Pix 506E code for the following items

 
 
Marskarthik
07-06-2007
I need Cisco Pix 506E code for the following items

1. Code for blocking an IP address so that no internal users can connect
to that IP address.

2. Code for blocking a series of IP addresses so that no internal users can
connect to that IP address group. For example, I want to block
202.54.23.12 to 202.54.23.75.

3. Code for blocking a specific port on a specific IP address so that
no internal users can connect to that IP address on the specified
port.

Thanks,
Marskarthik
Home: www.marskarthik.com

 
Scott Perry
07-06-2007
Any Cisco PIX image (version of code) will do that. The technology/concept
is called "access-lists" which permit or deny network traffic based on, in
this example, source and destination IP addresses or destination TCP/UDP
port.
Cisco PIX image files are subject to the usual software licensing and are
currently not free.

--

===========
Scott Perry
===========
Indianapolis, Indiana
________________________________________
"Marskarthik" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
>I need Cisco Pix 506E code for the following items
>
> 1. Code for blocking an IP address so that no internal users can connect
> to that IP address.
>
> 2. Code for blocking a series of IP addresses so that no internal users can
> connect to that IP address group. For example, I want to block
> 202.54.23.12 to 202.54.23.75.
>
> 3. Code for blocking a specific port on a specific IP address so that
> no internal users can connect to that IP address on the specified
> port.
>
> Thanks,
> Marskarthik
> Home: www.marskarthik.com
>



 
Walter Roberson
07-07-2007
In article <(E-Mail Removed). com>,
Marskarthik <(E-Mail Removed)> wrote:
>I need Cisco Pix 506E code for the following items


>1. Code for blocking an IP address so that no internal users can connect
>to that IP address.


access-list in2out deny ip any host XX.XX.XX.XX
access-list in2out permit ip any any
access-group in2out in interface inside

>2. Code for blocking a series of IP addresses so that no internal users can
>connect to that IP address group. For example, I want to block
>202.54.23.12 to 202.54.23.75.


A)
access-list in2out deny ip any 202.54.23.12 255.255.255.252
access-list in2out deny ip any 202.54.23.16 255.255.255.240
access-list in2out deny ip any 202.54.23.32 255.255.255.224
access-list in2out deny ip any 202.54.23.64 255.255.255.248
access-list in2out deny ip any 202.54.23.72 255.255.255.252
access-list in2out permit ip any any
access-group in2out in interface inside

OR
B)

object-group network BannedRange1
network-object 202.54.23.12 255.255.255.252
network-object 202.54.23.16 255.255.255.240
network-object 202.54.23.32 255.255.255.224
network-object 202.54.23.64 255.255.255.248
network-object 202.54.23.72 255.255.255.252
access-list in2out deny ip any object-group BannedRange1
access-list in2out permit ip any any
access-group in2out in interface inside

OR
C)
access-list in2out deny ip any host 202.54.23.12
access-list in2out deny ip any host 202.54.23.13
access-list in2out deny ip any host 202.54.23.14
[...]
access-list in2out deny ip any host 202.54.23.75
access-list in2out permit ip any any
access-group in2out in interface inside

To forestall a question: NO, there is no way to just give a
range of IP addresses such as 202.54.23.12-202.54.23.75.
You get 'host' (for one specific host) and you get
base addresses and network masks; no IP range operator.


>3. Code for blocking a specific port on a specific IP address so that
>no internal users can connect to that IP address on the specified
>port.


access-list in2out deny tcp any host XX.XX.XX.XX eq 80
access-list in2out permit ip any any
access-group in2out in interface inside


Notes:

- you should only have one "permit ip any any" (at most)
and it should always be the very last thing in your access-list.

- you can only apply one access-list to any interface in PIX 6,
so if you want to do several of these things together, put them
all in the same access-list, then have the permit ip any any,
and then access-group that into control of the interface.

- nothing in any of the above will prevent your users from using one
of the thousands of proxy servers to access those hosts if they
really want to.

- No, there is no simple way to block access to proxy servers.
Security Best Practice is to only permit access to things that are
definitely needed, instead of trying to selectively ban access to
things that are forbidden.
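The decomposition Walter did by hand (an inclusive range turned into the fewest aligned network/mask blocks, because a PIX access-list has no range operator) can be generated and checked mechanically. The script below is an added example, not code from the thread or from Cisco; it uses the standard-library ipaddress module, emits the PIX 6.x netmask form next to the IOS wildcard form for comparison, and verifies that the generated deny entries cover exactly the requested addresses with no gap and no overspill. The access-list name in2out, the interface name inside and the documentation address 203.0.113.5 used in the port example are assumptions.

```python
import ipaddress

# Constructed sample: the range asked about in the thread.
RANGE_FIRST = "202.54.23.12"
RANGE_LAST = "202.54.23.75"


def range_to_blocks(first, last):
    """Split an inclusive IPv4 range into the fewest aligned network blocks.

    A PIX access-list only understands 'host A.B.C.D' or 'A.B.C.D <netmask>',
    so an arbitrary range must be expressed as a list of aligned blocks.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(start, end))


def pix_target(net):
    """Render one block in PIX 6.x access-list syntax (subnet mask form)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def ios_target(net):
    """Same block in IOS wildcard (inverted mask) form, for comparison only."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def pix_deny_range(first, last, acl="in2out", iface="inside"):
    """Complete PIX 6.x outbound list for a range: one deny per block,
    a single trailing 'permit ip any any', and the access-group binding."""
    lines = [f"access-list {acl} deny ip any {pix_target(n)}"
             for n in range_to_blocks(first, last)]
    lines.append(f"access-list {acl} permit ip any any")
    lines.append(f"access-group {acl} in interface {iface}")
    return lines


def pix_deny_port(host, port, proto="tcp", acl="in2out", iface="inside"):
    """Block a single TCP/UDP port on one destination host (question 3)."""
    return [
        f"access-list {acl} deny {proto} any host {host} eq {port}",
        f"access-list {acl} permit ip any any",
        f"access-group {acl} in interface {iface}",
    ]


def denied_addresses(first, last):
    """Every address the generated blocks cover, as dotted strings, so the
    result can be checked for gaps and for overspill past the range."""
    covered = set()
    for net in range_to_blocks(first, last):
        covered.update(str(a) for a in net)  # iterating a network yields all addresses
    return covered


if __name__ == "__main__":
    for line in pix_deny_range(RANGE_FIRST, RANGE_LAST):
        print(line)
    print("# IOS wildcard equivalents (do NOT paste these into a PIX):")
    for net in range_to_blocks(RANGE_FIRST, RANGE_LAST):
        print(f"access-list 101 deny ip any {ios_target(net)}")
    print(f"# addresses covered: {len(denied_addresses(RANGE_FIRST, RANGE_LAST))}")
    print("\n".join(pix_deny_port("203.0.113.5", 80)))
```

For the thread's range the generator produces the same five blocks Walter listed (/30, /28, /27, /29, /30), and the coverage check reports 64 addresses, exactly 202.54.23.12 through 202.54.23.75. Running the same check before committing a hand-written list catches the two usual mistakes: a block that starts on an unaligned address (rejected by the PIX or silently widened) and an off-by-one at either end.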
 
Marskarthik
07-09-2007
Thanks Walter. You have explained very clearly.

Thanks,
Marskarthik
Home: www.marskarthik.com


On Jul 7, 6:29 am, (E-Mail Removed) (Walter Roberson) wrote:
> In article <(E-Mail Removed). com>,
>
> Marskarthik <(E-Mail Removed)> wrote:
> >I need Cisco Pix 506E code for the following items
> >1. Code for blocking an IP address so that no internal users can connect
> >to that IP address.

>
> access-list in2out deny ip any host XX.XX.XX.XX
> access-list in2out permit ip any any
> access-group in2out in interface inside
>
> >2. Code for blocking a series of IP addresses so that no internal users can
> >connect to that IP address group. For example, I want to block
> >202.54.23.12 to 202.54.23.75.

>
> A)
> access-list in2out deny ip any 202.54.23.12 255.255.255.252
> access-list in2out deny ip any 202.54.23.16 255.255.255.240
> access-list in2out deny ip any 202.54.23.32 255.255.255.224
> access-list in2out deny ip any 202.54.23.64 255.255.255.248
> access-list in2out deny ip any 202.54.23.72 255.255.255.252
> access-list in2out permit ip any any
> access-group in2out in interface inside
>
> OR
> B)
>
> object-group network BannedRange1
> network-object 202.54.23.12 255.255.255.252
> network-object 202.54.23.16 255.255.255.240
> network-object 202.54.23.32 255.255.255.224
> network-object 202.54.23.64 255.255.255.248
> network-object 202.54.23.72 255.255.255.252
> access-list in2out deny ip any object-group BannedRange1
> access-list in2out permit ip any any
> access-group in2out in interface inside
>
> OR
> C)
> access-list in2out deny ip any host 202.54.23.12
> access-list in2out deny ip any host 202.54.23.13
> access-list in2out deny ip any host 202.54.23.14
> [...]
> access-list in2out deny ip any host 202.54.23.75
> access-list in2out permit ip any any
> access-group in2out in interface inside
>
> To forestall a question: NO, there is no way to just give a
> range of IP addresses such as 202.54.23.12-202.54.23.75.
> You get 'host' (for one specific host) and you get
> base addresses and network masks; no IP range operator.
>
> >3. Code for blocking a specific port on a specific IP address so that
> >no internal users can connect to that IP address on the specified
> >port.

>
> access-list in2out deny tcp any host XX.XX.XX.XX eq 80
> access-list in2out permit ip any any
> access-group in2out in interface inside
>
> Notes:
>
> - you should only have one "permit ip any any" (at most)
> and it should always be the very last thing in your access-list.
>
> - you can only apply one access-list to any interface in PIX 6,
> so if you want to do several of these things together, put them
> all in the same access-list, then have the permit ip any any
> and then access-group that into control of the interface
>
> - nothing in any of the above will prevent your users from using one
> of the thousands of proxy servers to access those hosts if they
> really want to.
>
> - No, there is no simple way to block access to proxy servers.
> Security Best Practice is to only permit access to things that are
> definitely needed, instead of trying to selectively ban access to
> things that are forbidden.



 
Scott Perry
07-09-2007
>> >2. Code for blocking a series of IP addresses so that no internal users can
>> >connect to that IP address group. For example, I want to block
>> >202.54.23.12 to 202.54.23.75.


Several access-list entries which cover the ranges in between will work.
Here is an example where an outbound traffic access list blocks data traffic
going to what you mentioned, 202.54.23.12 to 202.54.23.75.

access-list 101 deny ip any 202.54.23.12 0.0.0.3
access-list 101 deny ip any 202.54.23.16 0.0.0.15
access-list 101 deny ip any 202.54.23.32 0.0.0.31
access-list 101 deny ip any 202.54.23.64 0.0.0.7
access-list 101 deny ip any 202.54.23.72 0.0.0.3
access-list 101 permit ip any any

That access list will do the following (in matching order):
block any network traffic going to 202.54.23.12 through 202.54.23.15
block any network traffic going to 202.54.23.16 through 202.54.23.31
block any network traffic going to 202.54.23.32 through 202.54.23.63
block any network traffic going to 202.54.23.64 through 202.54.23.71
block any network traffic going to 202.54.23.72 through 202.54.23.75
permit any other network traffic
--

===========
Scott Perry
===========
Indianapolis, Indiana
________________________________________


 
Walter Roberson
07-10-2007
In article <469268e6$0$21259$(E-Mail Removed)>,
Scott Perry <scottperry@aciscocompany> wrote:
>>> >2. Code for blocking a series of IP addresses so that no internal users can
>>> >connect to that IP address group. For example, I want to block
>>> >202.54.23.12 to 202.54.23.75.

>
>Several access-list entries which cover the ranges in between will work.
>Here is an example where an outbound traffic access list blocks data traffic
>going to what you mentioned, 202.54.23.12 to 202.54.23.75.


>access-list 101 deny ip any 202.54.23.12 0.0.0.3
>access-list 101 deny ip any 202.54.23.16 0.0.0.15
>access-list 101 deny ip any 202.54.23.32 0.0.0.31
>access-list 101 deny ip any 202.54.23.64 0.0.0.7
>access-list 101 deny ip any 202.54.23.72 0.0.0.3
>access-list 101 permit ip any any


Unfortunately, that won't work. The PIX uses bit masks rather than
wildcard bits. I gave the correct entries up-thread, in the
message that was the parent of the one you were replying to.

access-list in2out deny ip any 202.54.23.12 255.255.255.252
access-list in2out deny ip any 202.54.23.16 255.255.255.240
access-list in2out deny ip any 202.54.23.32 255.255.255.224
access-list in2out deny ip any 202.54.23.64 255.255.255.248
access-list in2out deny ip any 202.54.23.72 255.255.255.252
access-list in2out permit ip any any


Further note: in IOS, the sort of access-list you showed would
have to be numbered, from 101 to 199 (or 2000 to 2699, but I never
remember that range!). In PIX, the access-lists are named, and the
names have no inherent significance. Numbers are considered valid names
for this purpose, so access-list 101 is still fine, and access-list 1
would have been just as good too.

PIX access-list syntax changed again with PIX 7.
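Walter's correction is worth seeing concretely, because a PIX does not reject an IOS-style wildcard mask; it silently applies it as a subnet mask, and the resulting list both fails to block most of the intended hosts and blocks unrelated ones. The evaluator below is an added example, not code from the thread or from Cisco: a deliberately small first-match ACL matcher that treats the second word of an address pair as a subnet mask (bitwise AND of address and mask, compared with base AND mask), with the implicit deny at the end of the list. It is run over Walter's netmask entries, over Scott's wildcard entries fed to the same matcher, and over a port-specific entry for question 3. The source address 192.168.1.10, the documentation address 203.0.113.5 and the list names are constructed assumptions; the matcher ignores established-state handling and anything else a real PIX does beyond the access-list lookup.

```python
import ipaddress

# Walter's entries, as posted in the thread (subnet-mask form).
PIX_MASK_ACL = """
access-list in2out deny ip any 202.54.23.12 255.255.255.252
access-list in2out deny ip any 202.54.23.16 255.255.255.240
access-list in2out deny ip any 202.54.23.32 255.255.255.224
access-list in2out deny ip any 202.54.23.64 255.255.255.248
access-list in2out deny ip any 202.54.23.72 255.255.255.252
access-list in2out permit ip any any
"""

# Scott's entries, as posted (IOS wildcard form), interpreted as a PIX would.
WILDCARD_ACL = """
access-list 101 deny ip any 202.54.23.12 0.0.0.3
access-list 101 deny ip any 202.54.23.16 0.0.0.15
access-list 101 deny ip any 202.54.23.32 0.0.0.31
access-list 101 deny ip any 202.54.23.64 0.0.0.7
access-list 101 deny ip any 202.54.23.72 0.0.0.3
access-list 101 permit ip any any
"""

# Constructed example for question 3: one TCP port on one host.
PORT_ACL = """
access-list in2out deny tcp any host 203.0.113.5 eq 80
access-list in2out permit ip any any
"""


def _ip(dotted):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _take_addr(tok, pos):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'.
    Returns ((base, mask), next_pos). The second word of the last form is
    used as a subnet mask, which is how a PIX reads it."""
    if tok[pos] == "any":
        return (0, 0), pos + 1
    if tok[pos] == "host":
        return (_ip(tok[pos + 1]), 0xFFFFFFFF), pos + 2
    return (_ip(tok[pos]), _ip(tok[pos + 1])), pos + 2


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, pos = _take_addr(tok, 4)
        dst, pos = _take_addr(tok, pos)
        port = int(tok[pos + 1]) if pos + 1 < len(tok) and tok[pos] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries


def _matches(addr, spec):
    base, mask = spec
    return (addr & mask) == (base & mask)


def evaluate(entries, proto, src, dst, port=None):
    """First-match evaluation; 'ip' entries match any protocol; nothing
    matching means the implicit deny at the end of the list."""
    s, d = _ip(src), _ip(dst)
    for action, p, sspec, dspec, eport in entries:
        if p != "ip" and p != proto:
            continue
        if eport is not None and eport != port:
            continue
        if _matches(s, sspec) and _matches(d, dspec):
            return action
    return "deny"


def denied_count(entries, first, last, src="192.168.1.10"):
    """How many addresses of the inclusive range first..last the list denies."""
    lo, hi = _ip(first), _ip(last)
    return sum(evaluate(entries, "tcp", src, str(ipaddress.IPv4Address(a))) == "deny"
               for a in range(lo, hi + 1))


if __name__ == "__main__":
    for name, text in (("netmask list", PIX_MASK_ACL), ("wildcard list", WILDCARD_ACL)):
        acl = parse_acl(text)
        print(f"{name}: denies {denied_count(acl, '202.54.23.12', '202.54.23.75')} of 64 "
              f"intended addresses; 202.54.23.13 -> {evaluate(acl, 'tcp', '192.168.1.10', '202.54.23.13')}; "
              f"8.8.8.8 -> {evaluate(acl, 'tcp', '192.168.1.10', '8.8.8.8')}")
```

With the netmask entries all 64 intended addresses are denied and everything else is permitted. With the wildcard entries read as subnet masks, "202.54.23.12 0.0.0.3" means "any destination whose low two bits are zero", so only 16 of the 64 intended addresses are denied (202.54.23.13 gets through) while unrelated destinations such as 8.8.8.8 are blocked. A quick evaluation like this, or a look at the hit counters after applying the list, is the cheapest way to confirm a mask was written in the right convention before the change reaches users.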
 