Velocity Reviews - Computer Hardware Reviews

Access-Lists to block internet abuse

 
 
paul_tomlin@hotmail.com
09-11-2007
Hi, we've got two sites connected through site-to-site VPNs and we
believe there is a large amount of P2P file sharing going on which may
be using up precious bandwidth, resulting in slow VPN tunnel
performance. We've got a content filtering system in place which is
monitoring/blocking 80 and 443 traffic, but we'd like to stop MSN, P2P
apps etc.

So what I was hoping to do was to allow any traffic between the two
sites, and only allow the following protocols to the internet: 25,
1723, 80, 443. I'm guessing I need to use a deny statement somewhere
and then permit the others individually. Can anyone shed some light on
which interface the access lists should be applied to and what the
deny statement should say, bearing in mind I need the VPN to be
unrestricted.

My config is pasted below.

Thanks for your help.

Paul

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname firewall
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out-acl permit tcp any any eq ssh
access-list out-acl permit icmp any any
access-list out-acl permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list out-acl permit tcp any any eq pptp
access-list out-acl permit gre any any
access-list out-acl permit tcp any host xxx.xxx.xxx.194 eq pptp
access-list out-acl permit gre any host xxx.xxx.xxx.194
access-list 100 permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list 100 permit ip 10.45.9.0 255.255.255.0 10.45.12.0 255.255.255.0
access-list 100 permit ip 10.45.9.0 255.255.255.0 171.28.0.0 255.255.0.0
access-list 110 permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list 120 permit ip 10.45.9.0 255.255.255.0 171.28.0.0 255.255.0.0
access-list 130 permit ip 10.45.9.0 255.255.255.0 10.45.12.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.194 255.255.255.248
ip address inside 10.45.9.38 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.45.9.9 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 10.45.9.9 pptp netmask 255.255.255.255 0 0
access-group out-acl in interface outside
route outside 0.0.0.0 0.0.0.0 84.21.128.193 1
timeout xlate 1193:00:00
timeout conn 1193:00:00 half-closed 1193:00:00 udp 2:00:00 rpc 1:20:00 h225 1:00:00
timeout h323 0:40:00 mgcp 0:05:00 sip 4:00:00 sip_media 0:16:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:40:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.45.9.12 timeout 5 protocol TCP version 1
url-cache dst 100KB
filter url except 10.45.10.0 255.255.254.0 10.45.9.0 255.255.255.0
filter url except 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 10.45.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set atosset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer xxx.xxx.xxx.227
crypto map newmap 10 set transform-set atosset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer xxx.xxx.xxx.21
crypto map newmap 20 set transform-set atosset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer xxx.xxx.xxx.166
crypto map newmap 30 set transform-set atosset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.21 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.xxx.166 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.xxx.227 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 25
console timeout 0
terminal width 80

 
sek
09-12-2007
On Sep 11, 8:18 pm, (E-Mail Removed) wrote:

Hi,

Check portforward.com to find which ports you should block for each
P2P app, and then apply the access list closer to the source, meaning it
should be inbound on your inside interface. Usually an ACL policy
architecture consists of one of two rules: permit all, deny specific, OR
deny all, permit specific; it depends on what suits you better.

Hope this helps,

Nikos
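Putting the "deny all, permit specific" variant Nikos describes onto the inside interface, as an added example that is not from either poster: the site-to-site networks are the ones in Paul's access-list 100, the Internet permits are his four ports plus GRE (which PPTP carries its data in), and the VPN lines come first because the PIX stops at the first matching line and drops anything that matches none. DNS on udp/53 and the `log` keyword on the final deny (PIX 6.3 and later) are my assumptions, not something the thread states.

```cisco
access-list in-acl remark VPN traffic first: the PIX stops at the first match
access-list in-acl permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list in-acl permit ip 10.45.9.0 255.255.255.0 10.45.12.0 255.255.255.0
access-list in-acl permit ip 10.45.9.0 255.255.255.0 171.28.0.0 255.255.0.0
access-list in-acl remark Internet: only the four requested services, plus GRE for PPTP
access-list in-acl permit tcp 10.45.9.0 255.255.255.0 any eq smtp
access-list in-acl permit tcp 10.45.9.0 255.255.255.0 any eq www
access-list in-acl permit tcp 10.45.9.0 255.255.255.0 any eq https
access-list in-acl permit tcp 10.45.9.0 255.255.255.0 any eq pptp
access-list in-acl permit gre 10.45.9.0 255.255.255.0 any
access-list in-acl remark DNS is an assumption; drop it if resolution stays on an internal server
access-list in-acl permit udp 10.45.9.0 255.255.255.0 any eq domain
access-list in-acl remark explicit deny with log so blocked P2P/IM attempts appear in syslog (log needs 6.3+)
access-list in-acl deny ip any any log
access-group in-acl in interface inside
```

Everything else leaving the inside network (P2P, MSN, any other port) now matches only the final deny, and the existing out-acl on the outside interface is left as it is. The Websense url-server at 10.45.9.12 sits on the inside, so the filter commands keep working.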

 