I need Cisco Pix 506E code for the following items

Discussion in 'Cisco' started by Marskarthik, Jul 6, 2007.

  1. Marskarthik

    Marskarthik Guest

    I need Cisco Pix 506E code for the following items

    1. Code for blocking an IP address so that no internal users can connect
    to that IP address.

    2. Code for blocking a series of IP addresses so that no internal users can
    connect to that IP address group. For example I want to block
    202.54.23.12 to 202.54.23.75

    3. Code for blocking a specific port on a specific IP address so that
    no internal users can connect to that IP address on the specified
    port.

    Thanks,
    Marskarthik
    Home: www.marskarthik.com
     
    Marskarthik, Jul 6, 2007
    #1

  2. Marskarthik

    Scott Perry Guest

    Any Cisco PIX image (version of code) will do that. The technology/concept
    is called "access-lists" which permit or deny network traffic based on, in
    this example, source and destination IP addresses or destination TCP/UDP
    port.
    Cisco PIX image files are subject to the usual software licensing and are
    currently not free.

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
    "Marskarthik" <> wrote in message
    news:...
    >I need Cisco Pix 506E code for the following items
    >
    > 1. Code for blocking an IP address so that no internal users can connect
    > to that IP address.
    >
    > 2. Code for blocking a series of IP addresses so that no internal users can
    > connect to that IP address group. For example I want to block
    > 202.54.23.12 to 202.54.23.75
    >
    > 3. Code for blocking a specific port on a specific IP address so that
    > no internal users can connect to that IP address on the specified
    > port.
    >
    > Thanks,
    > Marskarthik
    > Home: www.marskarthik.com
    >
     
    Scott Perry, Jul 6, 2007
    #2

  3. In article <>,
    Marskarthik <> wrote:
    >I need Cisco Pix 506E code for the following items


    >1. Code for blocking an IP address so that no internal users can connect
    >to that IP address.


    access-list in2out deny ip any host XX.XX.XX.XX
    access-list in2out permit ip any any
    access-group in2out in interface inside

    >2. Code for blocking a series of IP addresses so that no internal users can
    >connect to that IP address group. For example I want to block
    >202.54.23.12 to 202.54.23.75


    A)
    access-list in2out deny ip any 202.54.23.12 255.255.255.252
    access-list in2out deny ip any 202.54.23.16 255.255.255.240
    access-list in2out deny ip any 202.54.23.32 255.255.255.224
    access-list in2out deny ip any 202.54.23.64 255.255.255.248
    access-list in2out deny ip any 202.54.23.72 255.255.255.252
    access-list in2out permit ip any any
    access-group in2out in interface inside

    OR
    B)

    object-group network BannedRange1
    network-object 202.54.23.12 255.255.255.252
    network-object 202.54.23.16 255.255.255.240
    network-object 202.54.23.32 255.255.255.224
    network-object 202.54.23.64 255.255.255.248
    network-object 202.54.23.72 255.255.255.252
    access-list in2out deny ip any object-group BannedRange1
    access-list in2out permit ip any any
    access-group in2out in interface inside

    OR
    C)
    access-list in2out deny ip any host 202.54.23.12
    access-list in2out deny ip any host 202.54.23.13
    access-list in2out deny ip any host 202.54.23.14
    [...]
    access-list in2out deny ip any host 202.54.23.75
    access-list in2out permit ip any any
    access-group in2out in interface inside

    To forestall a question: NO, there is no way to just give a
    range of IP addresses such as 202.54.23.12-202.54.23.75.
    You get 'host' (for one specific host) and you get
    base addresses and network masks; no IP range operator.


    >3. Code for blocking a specific port on a specific IP address so that
    >no internal users can connect to that IP address on the specified
    >port.


    access-list in2out deny tcp any host XX.XX.XX.XX eq 80
    access-list in2out permit ip any any
    access-group in2out in interface inside


    Notes:

    - you should only have one "permit ip any any" (at most)
    and it should always be the very last thing in your access-list.

    - you can only apply one access-list to any interface in PIX 6,
    so if you want to do several of these things together, put them
    all in the same access-list, then have the permit ip any any
    and then access-group that into control of the interface

    - nothing in any of the above will prevent your users from using one
    of the thousands of proxy servers to access those hosts if they
    really want to.

    - No, there is no simple way to block access to proxy servers.
    Security Best Practice is to only permit access to things that are
    definitely needed, instead of trying to selectively ban access to
    things that are forbidden.
     
    Walter Roberson, Jul 7, 2007
    #3
  4. Marskarthik

    Marskarthik Guest

    Thanks Walter. You have explained very clearly.

    Thanks,
    Marskarthik
    Home: www.marskarthik.com


    On Jul 7, 6:29 am, (Walter Roberson) wrote:
    > In article <>,
    >
    > Marskarthik <> wrote:
    > >I need Cisco Pix 506E code for the following items
    > >1. Code for blocking an IP address so that no internal users can connect
    > >to that IP address.

    >
    > access-list in2out deny ip any host XX.XX.XX.XX
    > access-list in2out permit ip any any
    > access-group in2out in interface inside
    >
    > >2. Code for blocking a series of IP addresses so that no internal users can
    > >connect to that IP address group. For example I want to block
    > >202.54.23.12 to 202.54.23.75

    >
    > A)
    > access-list in2out deny ip any 202.54.23.12 255.255.255.252
    > access-list in2out deny ip any 202.54.23.16 255.255.255.240
    > access-list in2out deny ip any 202.54.23.32 255.255.255.224
    > access-list in2out deny ip any 202.54.23.64 255.255.255.248
    > access-list in2out deny ip any 202.54.23.72 255.255.255.252
    > access-list in2out permit ip any any
    > access-group in2out in interface inside
    >
    > OR
    > B)
    >
    > object-group network BannedRange1
    > network-object 202.54.23.12 255.255.255.252
    > network-object 202.54.23.16 255.255.255.240
    > network-object 202.54.23.32 255.255.255.224
    > network-object 202.54.23.64 255.255.255.248
    > network-object 202.54.23.72 255.255.255.252
    > access-list in2out deny ip any object-group BannedRange1
    > access-list in2out permit ip any any
    > access-group in2out in interface inside
    >
    > OR
    > C)
    > access-list in2out deny ip any host 202.54.23.12
    > access-list in2out deny ip any host 202.54.23.13
    > access-list in2out deny ip any host 202.54.23.14
    > [...]
    > access-list in2out deny ip any host 202.54.23.75
    > access-list in2out permit ip any any
    > access-group in2out in interface inside
    >
    > To forestall a question: NO, there is no way to just give a
    > range of IP addresses such as 202.54.23.12-202.54.23.75.
    > You get 'host' (for one specific host) and you get
    > base addresses and network masks; no IP range operator.
    >
    > >3. Code for blocking a specific port on a specific IP address so that
    > >no internal users can connect to that IP address on the specified
    > >port.

    >
    > access-list in2out deny tcp any host XX.XX.XX.XX eq 80
    > access-list in2out permit ip any any
    > access-group in2out in interface inside
    >
    > Notes:
    >
    > - you should only have one "permit ip any any" (at most)
    > and it should always be the very last thing in your access-list.
    >
    > - you can only apply one access-list to any interface in PIX 6,
    > so if you want to do several of these things together, put them
    > all in the same access-list, then have the permit ip any any
    > and then access-group that into control of the interface
    >
    > - nothing in any of the above will prevent your users from using one
    > of the thousands of proxy servers to access those hosts if they
    > really want to.
    >
    > - No, there is no simple way to block access to proxy servers.
    > Security Best Practice is to only permit access to things that are
    > definitely needed, instead of trying to selectively ban access to
    > things that are forbidden.
     
    Marskarthik, Jul 9, 2007
    #4
  5. Marskarthik

    Scott Perry Guest

    >> >2. Code for blocking a series of IP addresses so that no internal users can
    >> >connect to that IP address group. For example I want to block
    >> >202.54.23.12 to 202.54.23.75


    Several access-list entries which cover the ranges in between will work.
    Here is an example where an outbound traffic access list blocks data traffic
    going to what you mentioned, 202.54.23.12 to 202.54.23.75.

    access-list 101 deny ip any 202.54.23.12 0.0.0.3
    access-list 101 deny ip any 202.54.23.16 0.0.0.15
    access-list 101 deny ip any 202.54.23.32 0.0.0.31
    access-list 101 deny ip any 202.54.23.64 0.0.0.7
    access-list 101 deny ip any 202.54.23.72 0.0.0.3
    access-list 101 permit ip any any

    That access list will do the following (in matching order):
    block any network traffic going to 202.54.23.12 through 202.54.23.15
    block any network traffic going to 202.54.23.16 through 202.54.23.31
    block any network traffic going to 202.54.23.32 through 202.54.23.63
    block any network traffic going to 202.54.23.64 through 202.54.23.71
    block any network traffic going to 202.54.23.72 through 202.54.23.75
    permit any other network traffic
    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
     
    Scott Perry, Jul 9, 2007
    #5
  6. In article <469268e6$0$21259$>,
    Scott Perry <scottperry@aciscocompany> wrote:
    >>> >2. Code for blocking a series of IP addresses so that no internal users can
    >>> >connect to that IP address group. For example I want to block
    >>> >202.54.23.12 to 202.54.23.75

    >
    >Several access-list entries which cover the ranges in between will work.
    >Here is an example where an outbound traffic access list blocks data traffic
    >going to what you mentioned, 202.54.23.12 to 202.54.23.75.


    >access-list 101 deny ip any 202.54.23.12 0.0.0.3
    >access-list 101 deny ip any 202.54.23.16 0.0.0.15
    >access-list 101 deny ip any 202.54.23.32 0.0.0.31
    >access-list 101 deny ip any 202.54.23.64 0.0.0.7
    >access-list 101 deny ip any 202.54.23.72 0.0.0.3
    >access-list 101 permit ip any any


    Unfortunately, that won't work. The PIX uses bit masks rather than
    wildcard bits. I gave the correct entries up-thread, in the
    message that was the parent of the one you were replying to.

    access-list in2out deny ip any 202.54.23.12 255.255.255.252
    access-list in2out deny ip any 202.54.23.16 255.255.255.240
    access-list in2out deny ip any 202.54.23.32 255.255.255.224
    access-list in2out deny ip any 202.54.23.64 255.255.255.248
    access-list in2out deny ip any 202.54.23.72 255.255.255.252
    access-list in2out permit ip any any


    Further note: in IOS, the sort of access-list you showed would
    have to be numbered, from 101 to 199 (or 2000 to 2699, but I never
    remember that range!). In PIX, the access-lists are named, and the
    names have no inherent significance. Numbers are considered valid names
    for this purpose, so access-list 101 is still fine, and access-list 1
    would have been just as good too.

    PIX access-list syntax changed again with PIX 7.
     
    Walter Roberson, Jul 10, 2007
    #6
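Walter's answer in #3 and his correction in #6 rest on the same two facts: a range such as 202.54.23.12-202.54.23.75 has to be split into base-address/netmask blocks because the PIX has no range operator, and those masks are netmasks, not the IOS wildcard bits used in #5. The following Python script is an added example, not code from this thread or from Cisco. It performs that split for any range, converts a wildcard mask to its netmask equivalent, emits the access-list in the form the thread uses, and then checks the result with a first-match evaluator that models PIX netmask semantics (deny entries tested in order, one trailing permit ip any any, implicit deny after the last line). The access-list name in2out and the interface name inside are taken from the thread; the evaluator is an assumption of mine and only understands the "any -> destination" ip entries shown here, not port matches.

```python
"""Split an IP range into PIX-style base/netmask blocks and check the
resulting access-list with a first-match evaluator (added example)."""
import ipaddress
from typing import List, Tuple


def range_to_netmask_blocks(first: str, last: str) -> List[Tuple[str, str]]:
    """Minimal list of (base, netmask) pairs covering first..last inclusive.
    PIX 6 access-list entries take a base address plus a netmask."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.netmask)) for n in nets]


def wildcard_to_netmask(wildcard: str) -> str:
    """Convert an IOS wildcard mask (0 bits = must match) to a PIX netmask."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(w ^ 0xFFFFFFFF))


def build_pix_acl(name: str, first: str, last: str) -> List[str]:
    """Deny entries for the range, then the single permit ip any any that
    must be the last entry, then the access-group binding for 'inside'."""
    lines = []
    for base, mask in range_to_netmask_blocks(first, last):
        if mask == "255.255.255.255":
            lines.append(f"access-list {name} deny ip any host {base}")
        else:
            lines.append(f"access-list {name} deny ip any {base} {mask}")
    lines.append(f"access-list {name} permit ip any any")
    lines.append(f"access-group {name} in interface inside")
    return lines


def evaluate(acl_lines: List[str], dst: str) -> str:
    """First-match evaluation of a destination address under netmask
    semantics (assumed model). Only 'access-list NAME ACTION ip any DEST'
    entries are understood; anything else is skipped."""
    d = int(ipaddress.IPv4Address(dst))
    for line in acl_lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        action, dest = parts[2], parts[5:]
        if dest[0] == "any":
            return action
        if dest[0] == "host":
            base, mask = int(ipaddress.IPv4Address(dest[1])), 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(dest[0]))
            mask = int(ipaddress.IPv4Address(dest[1]))
        if d & mask == base & mask:
            return action
    return "deny"  # implicit deny at the end of every access-list


def verify_acl(acl_lines: List[str], first: str, last: str) -> bool:
    """True if every address in first..last is denied and the addresses
    immediately outside the range on either side are permitted."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    inside = all(evaluate(acl_lines, str(ipaddress.IPv4Address(i))) == "deny"
                 for i in range(lo, hi + 1))
    edges = all(evaluate(acl_lines, str(ipaddress.IPv4Address(i))) == "permit"
                for i in (lo - 1, hi + 1))
    return inside and edges


if __name__ == "__main__":
    acl = build_pix_acl("in2out", "202.54.23.12", "202.54.23.75")
    print("\n".join(acl))
    print("covers range exactly:", verify_acl(acl, "202.54.23.12", "202.54.23.75"))
    # The wildcard-mask entries from post #5, read as netmasks, do not hold up.
    wildcard_acl = ["access-list 101 deny ip any 202.54.23.12 0.0.0.3",
                    "access-list 101 deny ip any 202.54.23.16 0.0.0.15",
                    "access-list 101 permit ip any any"]
    print("wildcard entries under netmask semantics:",
          verify_acl(wildcard_acl, "202.54.23.12", "202.54.23.31"))
```

verify_acl is the check worth running before pasting anything into the firewall: the generated list passes it, while the wildcard-mask entries from #5 fail under netmask semantics because 0.0.0.3 read as a netmask tests only the low two bits of the address, which is the mismatch Walter describes. wildcard_to_netmask gives the direct translation (0.0.0.3 becomes 255.255.255.252, 0.0.0.15 becomes 255.255.255.240) when converting an IOS list by hand.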
