Access-Lists to block internet abuse

Discussion in 'Cisco' started by paul_tomlin@hotmail.com, Sep 11, 2007.

  1. Guest

    Hi, we've got two sites connected through site-to-site VPNs and we
    believe there is a large amount of P2P file sharing going on which may
    be using up precious bandwidth, resulting in slow VPN tunnel
    performance. We've got a content filtering system in place which is
    monitoring/blocking 80 and 443 traffic, but we'd like to stop MSN, P2P
    apps etc.

    So what I was hoping to do was to allow any traffic between the two
    sites, and only allow the following protocols to the internet: 25,
    1723, 80, 443. I'm guessing I need to use a deny statement somewhere
    and then permit the others individually. Can anyone shed some light on
    which interface the access lists should be applied to and what the
    deny statement should say, bearing in mind I need the VPN to be
    unrestricted?

    My config is pasted below.

    Thanks for your help.

    Paul

    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname firewall
    domain-name domain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list out-acl permit tcp any any eq ssh
    access-list out-acl permit icmp any any
    access-list out-acl permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
    access-list out-acl permit tcp any any eq pptp
    access-list out-acl permit gre any any
    access-list out-acl permit tcp any host xxx.xxx.xxx.194 eq pptp
    access-list out-acl permit gre any host xxx.xxx.xxx.194
    access-list 100 permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
    access-list 100 permit ip 10.45.9.0 255.255.255.0 10.45.12.0 255.255.255.0
    access-list 100 permit ip 10.45.9.0 255.255.255.0 171.28.0.0 255.255.0.0
    access-list 110 permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
    access-list 120 permit ip 10.45.9.0 255.255.255.0 171.28.0.0 255.255.0.0
    access-list 130 permit ip 10.45.9.0 255.255.255.0 10.45.12.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.194 255.255.255.248
    ip address inside 10.45.9.38 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 10.45.9.9 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp 10.45.9.9 pptp netmask 255.255.255.255 0 0
    access-group out-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 84.21.128.193 1
    timeout xlate 1193:00:00
    timeout conn 1193:00:00 half-closed 1193:00:00 udp 2:00:00 rpc 1:20:00 h225 1:00:00
    timeout h323 0:40:00 mgcp 0:05:00 sip 4:00:00 sip_media 0:16:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:40:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    url-server (inside) vendor websense host 10.45.9.12 timeout 5 protocol TCP version 1
    url-cache dst 100KB
    filter url except 10.45.10.0 255.255.254.0 10.45.9.0 255.255.255.0
    filter url except 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    http server enable
    http 10.45.9.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection tcpmss 1300
    sysopt connection permit-ipsec
    crypto ipsec transform-set atosset esp-3des esp-sha-hmac
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 110
    crypto map newmap 10 set peer xxx.xxx.xxx.227
    crypto map newmap 10 set transform-set atosset
    crypto map newmap 20 ipsec-isakmp
    crypto map newmap 20 match address 120
    crypto map newmap 20 set peer xxx.xxx.xxx.21
    crypto map newmap 20 set transform-set atosset
    crypto map newmap 30 ipsec-isakmp
    crypto map newmap 30 match address 130
    crypto map newmap 30 set peer xxx.xxx.xxx.166
    crypto map newmap 30 set transform-set atosset
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ******** address xxx.xxx.xxx.21 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address xxx.xxx.xxx.166 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address xxx.xxx.xxx.227 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 25
    console timeout 0
    terminal width 80
    Sep 11, 2007
    #1

  2. sek Guest

    On Sep 11, 8:18 pm, wrote:
    > Hi, we've got two sites connected through site-to-site VPNs and we
    > believe there is a large amount of P2P file sharing going on which may
    > be using up precious bandwidth, resulting in slow VPN tunnel
    > performance. We've got a content filtering system in place which is
    > monitoring/blocking 80 and 443 traffic, but we'd like to stop MSN, P2P
    > apps etc.
    >
    > So what I was hoping to do was to allow any traffic between the two
    > sites, and only allow the following protocols to the internet: 25,
    > 1723, 80, 443. I'm guessing I need to use a deny statement somewhere
    > and then permit the others individually. Can anyone shed some light on
    > which interface the access lists should be applied to and what the
    > deny statement should say, bearing in mind I need the VPN to be
    > unrestricted?
    >
    > My config is pasted below.
    >
    > Thanks for your help.
    >
    > Paul


    Hi,

    Check portforward.com to find which ports you should block for each
    P2P app, and then apply the access list closer to the source, meaning it
    should be inbound on your inside interface. Usually an ACL policy
    architecture consists of one of two rules: permit all, deny specific, OR
    deny all, permit specific; it depends on what suits you better.

    Hope this helps,

    Nikos
    sek, Sep 12, 2007
    #2
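Putting Paul's requirement and Nikos's "deny all, permit specific, inbound on inside" advice together, here is an added example of what that inside-interface ACL could look like. It is not from either post: the ACL name inside-acl, the assumed internal DNS server at 10.45.9.10, and the colon comment lines are mine; the site-to-site network pairs are the ones already in Paul's access-list 100 and crypto-map match lists, and the syntax is PIX 6.3 (which the fixup/pdm/sysopt lines in the posted config indicate).

```cisco
: Added example (not part of the original thread). Inbound ACL on the inside
: interface, "deny all, permit specific". Colon lines are PIX comment lines.
:
: 1. Site-to-site traffic first, unrestricted. These must sit above the deny
:    because the crypto map only sees packets the inside ACL has already
:    permitted; sysopt connection permit-ipsec bypasses the OUTSIDE ACL for
:    decrypted traffic, not this one. Same pairs as access-list 100 / 110 / 120 / 130.
access-list inside-acl permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list inside-acl permit ip 10.45.9.0 255.255.255.0 10.45.12.0 255.255.255.0
access-list inside-acl permit ip 10.45.9.0 255.255.255.0 171.28.0.0 255.255.0.0
:
: 2. The four services Paul wants to allow out to the internet.
:    fixup protocol pptp 1723 is already enabled, so the PIX inspects the PPTP
:    control channel and opens the GRE connection itself; no "permit gre" here.
access-list inside-acl permit tcp 10.45.9.0 255.255.255.0 any eq www
access-list inside-acl permit tcp 10.45.9.0 255.255.255.0 any eq https
access-list inside-acl permit tcp 10.45.9.0 255.255.255.0 any eq smtp
access-list inside-acl permit tcp 10.45.9.0 255.255.255.0 any eq pptp
:
: 3. Not in Paul's list but needed, or nothing resolves once the deny is in
:    place: DNS from the internal resolver. 10.45.9.10 is an ASSUMED address;
:    if clients resolve directly against external servers, widen the source.
access-list inside-acl permit udp host 10.45.9.10 any eq domain
:
: 4. Explicit deny with logging, so you can see what P2P/MSN clients try.
access-list inside-acl deny ip any any log
:
: Apply inbound on inside. From now on the default "inside may reach anything
: less secure" behaviour is gone: only the lines above are allowed out.
access-group inside-acl in interface inside
```

Two things to check after applying it. First, `show access-list inside-acl` shows a hit count per line; if the site-to-site lines stay at zero while the deny climbs, the VPN permits are ordered or masked wrongly. Second, with logging on, the deny line produces %PIX-6-106100 messages naming the source, destination and port, which is how you find out what else (NTP, an outbound mail relay, Windows Update) the four-port list was silently breaking. Inbound services already published by the two static lines (RDP and PPTP to 10.45.9.9) are unaffected: the return traffic for those connections is matched by the connection table, not by this ACL.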
