block ports out to internet but not out over site-to-site tunnel

Discussion in 'Cisco' started by softking, Mar 6, 2006.

softking (Guest) wrote:

    I am trying to block certain ports (Windows NetBIOS and other risky stuff)
    from going from LAN to WAN, but the exception is that I do want to allow these
    ports over the VPN tunnel to the PIX at site A (for the sake of Exchange
    and mapped network drives). How can I accomplish this on the PIX alone? I
    don't have another router, as some are suggesting is necessary. With the
    config below (PIX at site B) I have just blocked the WinCrap from going out
    of the PIX at all (to the Internet and/or over the tunnel). Is this accurate,
    or is this what should be happening? Because it is. How do I make the distinction
    that I don't want it going out over the Internet, but I do want it going out
    of access-list 100 or to the 192.168.[A].0 network?

    On a similar note, how could I force all SIP or port 5060/1 traffic to go
    over the tunnel (and out the Internet connection of PIX A) as opposed to
    going out over the Internet connection of PIX B?

    object-group service WinCrap tcp-udp
    description : for blocking Windows slop from leaking outbound
    port-object range 135 139
    port-object eq 445
    port-object eq 593
    port-object eq 4444
    access-list inside_access_in deny tcp any any object-group WinCrap
    access-list inside_access_in deny udp any any object-group WinCrap
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit icmp any any
    access-list outside_access_in permit tcp any any eq 554
    access-list outside_access_in permit udp any any eq 554
    access-list outside_access_in permit tcp any any eq 80
    access-list outside_access_in permit icmp any any
    access-list outside_access_in deny ip any any
    access-list 100 permit ip 192.168..0 255.255.255.0 192.168.[A].0 255.255.255.0
    access-list 100 permit ip 192.168..0 255.255.255.0 172.16.40.0 255.255.255.0
    access-list vpn_splitTunnelAcl permit ip 192.168..0 255.255.255.0 172.16.40.0 255.255.255.0
    access-list 110 permit ip 192.168..0 255.255.255.0 192.168.[A].0 255.255.255.0

    icmp permit any outside
    icmp permit any inside

    ip address outside dhcp setroute retry 4
    ip address inside 192.168..1 255.255.255.0

    ip local pool vpnrange 172.16.40.10-172.16.40.50

    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 554 192.168..8 554 dns netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 554 192.168..8 554 dns netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 80 192.168..8 80 dns netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside

    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 110

    Thank you in advance for your time and expertise.
     
    softking, Mar 6, 2006
    #1
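To see why the posted inside_access_in list drops SMB and NetBIOS toward site A as well as toward the Internet, and how reordering it keeps the tunnel traffic while still blocking those ports to everything else, here is an added example (not the poster's configuration and not Cisco code): a small Python model of PIX first-match access-list evaluation that parses the posted ACL lines next to a reordered version and runs a few constructed flows through both. The site-B LAN is assumed to be 192.168.2.0/24 and the site-A LAN 192.168.1.0/24, because the post redacts both; the flows and the Internet address 203.0.113.5 are made up for the test. Only the first question (port filtering) is modelled; steering SIP through the tunnel is a routing question this block does not touch.

```python
"""Model of PIX first-match access-list evaluation (added example).

Assumptions, not from the post: site-B LAN 192.168.2.0/24, site-A LAN
192.168.1.0/24 (the post redacts both), test flows constructed below.
"""
import ipaddress

# Ports matched by the posted 'object-group service WinCrap tcp-udp'.
SERVICE_GROUPS = {
    "WinCrap": set(range(135, 140)) | {445, 593, 4444},
}


def _parse_addr(tokens):
    """Consume 'any' or 'addr mask' from tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def _parse_ports(tokens):
    """Consume an optional 'eq N' / 'range A B' / 'object-group G'; None means any port."""
    if not tokens:
        return None
    if tokens[0] == "eq":
        return {int(tokens[1])}
    if tokens[0] == "range":
        return set(range(int(tokens[1]), int(tokens[2]) + 1))
    if tokens[0] == "object-group":
        return SERVICE_GROUPS[tokens[1]]
    raise ValueError("unsupported port spec: " + " ".join(tokens))


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [PORTS]' lines, in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        rules.append((action, proto, src, dst, _parse_ports(rest)))
    return rules


def evaluate(rules, proto, src, dst, dport):
    """Top-down, first match wins; a PIX access-list ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, ports in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"


# inside_access_in as posted: the deny lines match first, so SMB to site A
# is dropped on the inside interface before the crypto map ever sees it.
POSTED = """
access-list inside_access_in deny tcp any any object-group WinCrap
access-list inside_access_in deny udp any any object-group WinCrap
access-list inside_access_in permit ip any any
"""

# Reordered: permit the ports to the site-A LAN first, then deny them to
# everything else, then permit the rest. The specific permit must sit above
# the broad deny because evaluation stops at the first match.
REORDERED = """
access-list inside_access_in permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 object-group WinCrap
access-list inside_access_in permit udp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 object-group WinCrap
access-list inside_access_in deny tcp any any object-group WinCrap
access-list inside_access_in deny udp any any object-group WinCrap
access-list inside_access_in permit ip any any
"""

# Constructed flows: (proto, src, dst, dport) seen arriving on the inside interface.
FLOWS = {
    "smb_to_siteA": ("tcp", "192.168.2.20", "192.168.1.10", 445),
    "netbios_ns_to_siteA": ("udp", "192.168.2.20", "192.168.1.10", 137),
    "smb_to_internet": ("tcp", "192.168.2.20", "203.0.113.5", 445),
    "https_to_internet": ("tcp", "192.168.2.20", "203.0.113.5", 443),
}


def check(acl_text, flows):
    """Return {flow name: 'permit'|'deny'} for every flow under the given ACL text."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED), ("reordered", REORDERED)):
        print(label, check(acl, FLOWS))
```

The point the model makes: the access-group on the inside interface is applied to packets as they enter the PIX, before NAT exemption (nat 0) and before the crypto map are consulted, so a deny there drops traffic whether or not it would have been tunnelled. The fix is ordering, not a second router. The posted `permit icmp any any` after `permit ip any any` is never reached, since `ip` already covers ICMP.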
