trying to block a range of IP's from using the web

Discussion in 'Cisco' started by Barrett Bonden, Jan 26, 2006.

  1. need syntax to block a range of IP address using the web in any way (they
    just need to reach an internal server), so I want to stop them from
    getting out or anything from the web reaching them. These machines are in
    the range of 192.168.0.10 to 0.254



    I have (but it's been months since I did PIX/Cisco, and boy am I rusty) an
    access list now with commands like



    access-list outside_access_in permit icmp any any echo

    access-list outside_access_in permit tcp any host 192.168.0.42 range 10000
    10

    access-list outside_access_in permit icmp any any echo-reply

    access-group outside_access_in in interface outside



    Can I just add to it to block anything coming in to a subnet ? I suppose I
    can do this:

    access-list outside_access_in deny ip deny any 1982.168.0.0 0.0.0.255 (can
    I ?)

    But of course that would block the owner , on 0.4 - so is there syntax for
    a range of IP's ? ?



    Or should I create a new access group for anything leaving the inside
    interface ?

    Something like

    access-group inside_access_out in interface inside

    access-list inside_access_out deny any 192.168.0.2 255.255.255.0

    (the inside interface : ip address inside 192.168.0.2 255.255.255.0)



    But again, this would stop any machine on the inside from getting to the
    inside interface on the PIX ( at least I think that's what I'm saying.)

    Any help offered on syntax or concepts much appreciated .
    Barrett Bonden, Jan 26, 2006
    #1

  2. In article <D1dCf.44$>,
    Barrett Bonden <> wrote:
    >need syntax to block a range of IP address using the web in any way ( they
    >just need to reach an internal server) , so I want to stop them from
    >getting out or anything from the web reaching them. These machines are in
    >the range of 192.168.0.10 to 0.254


    >access-list outside_access_in permit icmp any any echo
    >access-list outside_access_in permit tcp any host 192.168.0.42 range 10000 10


    Must have dropped a few characters there, since the upper end of a port
    range must be greater than the lower end.

    >access-list outside_access_in permit icmp any any echo-reply
    >access-group outside_access_in in interface outside


    >Can I just add to it to block anything coming in to a subnet ? I suppose I
    >can do this:


    >access-list outside_access_in deny ip deny any 1982.168.0.0 0.0.0.255


    Remember the PIX uses netmask format, so that would have to be
    192.168.0.0 255.255.255.0


    >But of course that would block the owner , on 0.4 - so is there syntax for
    >a range of IP's ? ?


    There is no syntax for a range of IPs. You can create an object-group
    that nominates them all, as in

    object-group network InternalOnly
    network-object 192.168.0.10 255.255.255.254
    network-object 192.168.0.12 255.255.255.252
    network-object 192.168.0.16 255.255.255.240
    network-object 192.168.0.32 255.255.255.224
    network-object 192.168.0.64 255.255.255.192
    network-object 192.168.0.128 255.255.255.192
    network-object 192.168.0.192 255.255.255.224
    network-object 192.168.0.224 255.255.255.240
    network-object 192.168.0.240 255.255.255.248
    network-object 192.168.0.248 255.255.255.252
    network-object 192.168.0.252 255.255.255.254
    network-object host 192.168.0.254

    access-list outside_access_in deny ip any object-group InternalOnly

    It mystifies me, though, as to why you want to permit your broadcast
    IP, 192.168.0.255 to send packets to the outside. The object-group would
    be only half as long if you were to block all of
    192.168.0.128 255.255.255.128

    >Or should I create a new access group for anything leaving the inside
    >interface ?


    If you want to prevent outgoing traffic then you need to work with
    the inside interface ACL: the PIX will automatically permit back
    in responses to traffic initiated from inside that was permitted out.

    Another item to note is that when you are working with the outside
    interface ACL, that all destination IPs must be the *public*
    IPs for the hosts -- the destinations as they would appear in the
    packets that the external hosts are sending to. Unless you are
    working with a completely private network, those public IPs are
    not going to be 192.168.0.x .


    There is a completely different way to solve this problem that you
    might find easier to configure:

    Packets are only allowed out for internal hosts for which there is
    a defined IP address translation -- a static or nat. Therefore, if you
    want to deny hosts from going outside, you can do it by not defining
    any address translation for them. Instead of having,

    nat (inside) 1 0.0.0.0 0.0.0.0

    instead have

    nat (inside) 1 192.168.0.0 255.255.255.248
    nat (inside) 1 192.168.0.8 255.255.255.254

    Then you don't need any ACL: the PIX just won't allow the traffic
    because it won't know what public IP address to use for it.

    The main difference between this and the inside interface ACL case
    is in the log messages that will be produced for the two cases.
    Walter Roberson, Jan 27, 2006
    #2

  3. Walter:

    Many thanks, as always. The idea of specific NAT's, as in
    > nat (inside) 1 192.168.0.0 255.255.255.248
    > nat (inside) 1 192.168.0.8 255.255.255.254

    appeals to me. I've started to re-read my old Pix books, but still don't see
    why you have those "subnet like" masks (as in .254) for use with a specific
    inside IP. Walter, if I wanted to specify just a few inside IP's (the
    owner's, say, and one other) to get out, would I not do it like
    nat (inside) 1 192.168.0.8 255.255.255.255 ? for just one machine ?
    My books tell me this will be seen as one host.

    Barrett Bonden, Jan 28, 2006
    #3
  4. In article <DPSCf.549$>,
    Barrett Bonden <> wrote:
    >> nat (inside) 1 192.168.0.0 255.255.255.248
    >> nat (inside) 1 192.168.0.8 255.255.255.254


    >why you have those "subnet like" masks (as in .254) for use with a specific
    >inside IP.


    You wanted .10 to .254 to be blocked, which means you want to permit
    .8 and .9 . You could do that via
    192.168.0.8 255.255.255.255
    192.168.0.9 255.255.255.255
    or you can do it via
    192.168.0.8 255.255.255.254
    because .8 falls on a /31 boundary.

    >if I wanted to specify just a few inside IP's(the
    >owner's, say, and one other) to get out, would I not do it like
    > nat (inside) 1 192.168.0.8 255.255.255.255 ? for just one machine ?


    Yes.
    Walter Roberson, Jan 29, 2006
    #4
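    The subnet arithmetic behind posts #2 and #4, as an added example that is not part of the thread (the function names are my own): it splits an inclusive address range into the network/netmask pairs the PIX accepts, renders them either as the object-group deny list or as the nat permit list, and checks whether an address actually starts on the mask boundary the way .8 does on a /31. It is the general algorithm of which the thread shows one instance, so it also confirms that blocking .10 to .255 needs only half as many entries.

```python
"""Subnet arithmetic behind the thread's PIX examples (added example, not from
the posts; the helper names here are my own)."""
import ipaddress


def range_to_blocks(first, last):
    """Minimal list of (network, netmask) pairs covering first..last inclusive.

    The PIX has no range syntax, so a range has to be decomposed into
    blocks that each start on their own mask boundary; the standard
    library's summarize_address_range does exactly that split."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    nets = ipaddress.summarize_address_range(lo, hi)
    return [(str(n.network_address), str(n.netmask)) for n in nets]


def object_group(name, first, last):
    """Render the blocks as a PIX 'object-group network' definition; a
    single address is written as 'network-object host A.B.C.D'."""
    lines = [f"object-group network {name}"]
    for net, mask in range_to_blocks(first, last):
        if mask == "255.255.255.255":
            lines.append(f"network-object host {net}")
        else:
            lines.append(f"network-object {net} {mask}")
    return lines


def nat_lines(first, last, nat_id=1):
    """Render the blocks as 'nat (inside) <id>' statements: only hosts with
    a translation are allowed out, so this range is the permit list."""
    return [f"nat (inside) {nat_id} {net} {mask}"
            for net, mask in range_to_blocks(first, last)]


def on_boundary(addr, mask):
    """True if addr is a legal network address for mask: .8 with
    255.255.255.254 is (it starts a /31), .9 with the same mask is not."""
    try:
        ipaddress.IPv4Network(f"{addr}/{mask}")  # strict by default
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Block .10-.254 (12 entries, matching the thread); permit .0-.9 via NAT.
    print("\n".join(object_group("InternalOnly", "192.168.0.10", "192.168.0.254")))
    print("\n".join(nat_lines("192.168.0.0", "192.168.0.9")))
```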
  5. If you ever come to Long Island, New York, let me buy you a beer.
    This was (is) the only Cisco client I have; I never picked up more work
    from the PIX install, and so all the reading I did just drifted out of my
    head ... I read quite a bit on subnet math, but without use ...

    Many thanks -
    Barrett Bonden, Jan 29, 2006
    #5