How to block external IP address on PIX 515e

Discussion in 'Cisco' started by BillF, Oct 10, 2004.

  1. BillF

    BillF Guest

    Greetings,

    For the last 2 weeks I have noted that one Nevada, USA based company has been
    hammering us with TONS of spam each day. The IP is identifiable.

    Is there a command that will block this IP range from entering into my LAN
    from the external (Internet facing) interface? I have a range, I also have
    the CIDR shorthand, and of course I have the subnet mask.

    Thanks very much.

    Bill
     
    BillF, Oct 10, 2004
    #1

  2. In article <>,
    BillF <> wrote:
    :For the last 2 weeks I have noted that one Nevada, USA based company has been
    :hammering us with TONS of spam each day. The IP is identifiable.

    :Is there a command that will block this IP range from entering into my LAN
    :from the external (Internet facing) interface?

    Sure. My apologies if I over-explain, but this is fairly basic
    PIX configuration.

    Log on to the PIX, and 'enable', and 'config terminal'.
    Now 'show access-group' and look for the name shown as being applied
    against the 'outside' interface. For example,

    npix(config)# show access-group
    access-group acl-outside in interface outside
    access-group acl-inside in interface inside

    If there is no access-group associated with interface 'outside' then
    that would be a little unusual, but by no means unheard-of: you
    normally do have an access-group command for 'outside' even if you do
    not have servers, as ICMP based ping will not be able to get responses
    back to you if you do not have an 'outside' access-group.

    If you do find the access-group, then the word after 'access-group' is
    the name of an access-list. You can show the content of the access-list:

    npix(config)# show access-list acl-outside
    access-list acl-outside; 463 elements
    access-list acl-outside line 1 permit icmp any interface outside echo-reply (hitcnt=0)
    access-list acl-outside line 2 permit icmp any any unreachable (hitcnt=7612)
    access-list acl-outside line 3 permit icmp any any time-exceeded (hitcnt=0)
    [...]

    Notice the 'line 1' and so on. If those line numbers show up for you, then
    adding in the block you want is easy: just type in something like

    npix(config)# access-list acl-outside line 1 deny tcp SPAMMERSIP SPAMMERSNETMASK any eq smtp

    for example,

    npix(config)# access-list acl-outside line 1 deny tcp 11.22.44.128 255.255.255.128 any eq smtp

    This will insert the block at the top of the access-list, *before* the
    existing line 1 [*not* overwriting the existing line 1]. You can check
    your work:

    npix(config)# show access-list acl-outside
    access-list acl-outside; 464 elements
    access-list acl-outside line 1 deny tcp 11.22.44.128 255.255.255.128 any eq smtp (hitcnt=0)
    access-list acl-outside line 2 permit icmp any interface outside echo-reply (hitcnt=0)
    access-list acl-outside line 3 permit icmp any any unreachable (hitcnt=7622)
    access-list acl-outside line 4 permit icmp any any time-exceeded (hitcnt=0)
    [....]

    At that point you can save the configuration by the 'write memory' command,
    and then log out of the pix.


    If the line numbers do not show up for you in the access-list, then
    you are running an older software version, potentially as old as 5.2(1)
    for that hardware, and you will need to do a bit more work.
    There is more than one way you can proceed; I will describe only
    one of them for simplicity.

    Open a 'Notepad' or other editor session on your computer, and
    then on the pix, command 'show running'. This will start out with
    a lot of lines that you are not interested in. Keep scrolling down
    until you find the lines that configure the access-list:

    npix(config)# show running
    : Saved
    :
    PIX Version ??.??(??)
    [...]
    access-list acl-outside permit icmp any interface outside echo-reply
    access-list acl-outside permit icmp any any unreachable
    access-list acl-outside permit icmp any any time-exceeded
    [...]

    Notice that in this display, there are no line numbers and no hit counts
    given at the end of the line.

    Now, copy all of these lines from the PIX session and paste them
    into your editor session. Make sure you do not paste any of the
    <--- More ---> prompts into your editor session, and watch out
    that you only copy and paste to the end of the access-list you are
    working with, as there will be no nice gap or marker to show the
    end of the access-list and the start of the new one.

    When you have copied all the lines into your edit session, go to the
    top of the edit buffer, and add in the block line,

    access-list acl-outside deny tcp SPAMMERSIP SPAMMERSNETMASK any eq smtp

    e.g.,

    access-list acl-outside deny tcp 11.22.44.128 255.255.255.128 any eq smtp

    This is the same as the line I gave above for the case where line
    numbers showed up, except with no 'line 1'. The 'line 1' is not really
    part of the access-list entry anyhow, just a convenient way to edit
    access-lists if you did have new enough software.

    After you have put the appropriate line into your edit session, go
    back to the pix and remove the previous access-list. This will
    temporarily prevent new connections from the outside to any servers you
    may have. [If it is very important that servers must be kept reachable,
    then you should be getting someone with more PIX experience than you
    to do this spam blocking.] The way to remove an access-list is to
    configure 'no' access-list for it. For example,

    npix(config)# no access-list acl-outside

    Having removed the old version of the access-list, now copy and
    paste from the edit session to the pix configuration command. If you
    have a very long access-list, you may have to do that in sections.
    Doing it part by part is fine, as long as the entire access-list gets
    transferred.

    You can then check your work by using the 'show access-list' command
    as described above. When you are satisfied that the access-list is the
    way you want it, you will need another step before you can save the
    configuration. You must 'access-group' the access-list 'in interface outside'.
    For example,

    npix(config)# access-group acl-outside in interface outside

    You need to do this because when you removed the access-list with the 'no'
    command, the PIX automatically removed the corresponding 'access-group'
    command as well.

    You can then save the configuration ('write memory') and log off the
    pix.


    If it happened that you had no access-group applied against the
    outside interface, then you can just create an access-list and
    apply it.

    npix(config)# access-list acl-outside deny tcp SPAMMERSIP SPAMMERSNETMASK any eq smtp
    npix(config)# access-group acl-outside in interface outside

    e.g.,

    npix(config)# access-list acl-outside deny tcp 11.22.44.128 255.255.255.128 any eq smtp
    npix(config)# access-group acl-outside in interface outside

    Then save the configuration ('write memory') and you can then log off the
    pix.



    There are other ways of achieving the same end, but the version above
    is the easiest to explain, and you might at some point find yourself in
    situations where you need to fall back to this kind of ACL editing
    anyhow.
    --
    Entropy is the logarithm of probability -- Boltzmann
     
    Walter Roberson, Oct 11, 2004
    #2
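The "no line numbers" procedure in Walter's reply has three places where a hand copy-and-paste goes wrong: a pager prompt pasted into the editor, entries of the next access-list swept up because nothing marks the boundary, and the access-group that the PIX silently drops when the list is removed. The script below is an added example, not code from the thread or from Cisco: it performs that offline rebuild on a pasted 'show running' capture, emits the command batch (no access-list, the new deny line first, the original entries, then the re-applied access-group), and converts a CIDR source (Bill says he has one) into the address/netmask form PIX ACLs use, refusing a prefix whose host bits are set. The capture, the ACL name acl-outside and the 11.22.44.128/25 source are constructed sample values.

```python
"""Rebuild a PIX access-list offline with a deny line on top.

Added example for the procedure in the thread; not the PIX's own
tooling. Assumes a 'show running' capture pasted from a terminal that
may still contain '<--- More --->' pager prompts.
"""
import ipaddress
import re
from typing import List, Optional

MORE_PROMPT = "<--- More --->"

# Constructed sample capture (not a real device): two access-lists back
# to back with a pager prompt in the middle, i.e. the cases that trip up
# a manual copy-and-paste.
SAMPLE_RUNNING = """\
: Saved
:
PIX Version 6.3(1)
nameif ethernet0 outside security0
access-list acl-outside permit icmp any interface outside echo-reply
<--- More --->
access-list acl-outside permit icmp any any unreachable
access-list acl-outside permit icmp any any time-exceeded
access-list acl-inside permit ip any any
access-group acl-outside in interface outside
access-group acl-inside in interface inside
"""


def extract_acl(running_config: str, acl_name: str) -> List[str]:
    """Return only the entries of acl_name, in order, with pager prompts
    stripped and entries of any other access-list left out."""
    prefix = f"access-list {acl_name} "   # trailing space: no partial-name match
    entries = []
    for raw in running_config.splitlines():
        line = raw.replace(MORE_PROMPT, "").strip()
        if line.startswith(prefix):
            entries.append(line)
    return entries


def find_access_group(running_config: str, acl_name: str) -> Optional[str]:
    """Return the access-group line that applies acl_name, if any; the PIX
    removes it together with the list, so it has to be re-entered."""
    pat = re.compile(rf"^access-group {re.escape(acl_name)} in interface \S+$")
    for raw in running_config.splitlines():
        line = raw.strip()
        if pat.match(line):
            return line
    return None


def pix_source(cidr: str) -> str:
    """CIDR -> 'address netmask' as PIX ACLs expect (a real subnet mask,
    not an IOS-style wildcard). strict=True raises ValueError if host
    bits are set, which would silently match a different block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def deny_smtp_entry(acl_name: str, cidr: str) -> str:
    """The block line from the thread, with the source filled in."""
    return f"access-list {acl_name} deny tcp {pix_source(cidr)} any eq smtp"


def build_rewrite(running_config: str, acl_name: str, cidr: str) -> List[str]:
    """Full command batch: remove the old list, re-enter it with the deny
    line first, then re-apply the access-group."""
    entries = extract_acl(running_config, acl_name)
    if not entries:
        raise ValueError(f"no entries found for access-list {acl_name}")
    group = find_access_group(running_config, acl_name)
    batch = [f"no access-list {acl_name}", deny_smtp_entry(acl_name, cidr)]
    batch.extend(entries)
    if group:
        batch.append(group)
    return batch


if __name__ == "__main__":
    for cmd in build_rewrite(SAMPLE_RUNNING, "acl-outside", "11.22.44.128/25"):
        print(cmd)
```

Review the printed batch against the device's own 'show access-list' output before pasting it in, and paste the access-group line last: between the 'no access-list' and the access-group command the outside interface has no ACL applied, which is the window Walter's reply warns about.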

  3. BillF

    BillF Guest

    Walter.............

    Thanks VERY much for the detailed explanation! I value your time, and
    experience.

    Seems there are 2 IPs that are sending us most of our incoming spam, by a
    very high percentage.

    Respectfully, Bill



     
    BillF, Oct 11, 2004
    #3
  4. BillF

    BillF Guest

    Walter..........

    I forgot to say, your directions were perfect. I found the acl "out" easy.
    I unfortunately do not have line numbers. Version is PIX 6.3(1).

    Can I insert line numbers for the future on the acl out list?

    Thanks, Bill

     
    BillF, Oct 11, 2004
    #4
  5. In article <>,
    BillF <> wrote:
    :I forgot to say, your directions were perfect. I found the acl "out" easy.
    :I unfortunately do not have line numbers. Version is PIX 6.3(1).

    :Can I insert line numbers for the future on the acl out list?

    The line numbers and easy ACL editing are from slightly newer
    software, so you would have to upgrade your software. If you do not
    have a maintenance contract, you would normally either have to get such
    a contract or else buy a single release.

    In your situation, you have another option. The software version you are
    running, 6.3(1), has known security problems, so Cisco offers
    free upgrades for it. There were -two- sets of security problems
    found after 6.3(1) was released, so it happens that you can
    get free upgrades from 6.3(1) all the way to the newest release, 6.3(4).
    To do that, read the following link carefully:

    http://www.cisco.com/en/US/products/products_security_advisory09186a0080207d5f.shtml#fixes

    As a quick summary, it says that if you got your machine from a VAR, then
    contact the VAR and cite the document above, and the VAR should give you
    the new version. If your VAR refuses or if you got the device directly
    from Cisco or through a reseller who does not act as a VAR, then
    you can contact the Cisco TAC and cite that document and they will make
    the software available. [Some people have had trouble getting Cisco to
    live up to this, but if you give the exact URL then you should be able
    to push through.]

    --
    Inevitably, someone will flame me about this .signature.
     
    Walter Roberson, Oct 11, 2004
    #5
  6. BillF

    BillF Guest

    Walter................

    You are incredible - were you born with a PIX, instead of the usual toys??
    :)

    Thanks VERY, very much.

    Bill



     
    BillF, Oct 12, 2004
    #6
