I need Cisco Pix 506E code for the following items

Discussion in 'Cisco' started by Marskarthik, Jul 6, 2007.

  1. Marskarthik

    Marskarthik Guest

    I need Cisco Pix 506E code for the following items

    1. Code for blocking an IP address so that no internal users can connect
    to that IP address.

    2. Code for blocking a series of IP addresses so that no internal users can
    connect to that IP address group. For example I want to block
    202.54.23.12 to 202.54.23.75

    3. Code for blocking a specific port on a specific ip address so that
    no internal users can connect to that IP address on the specified
    port.

    Thanks,
    Marskarthik
    Home: www.marskarthik.com
     
    Marskarthik, Jul 6, 2007
    #1

  2. Scott Perry

    Scott Perry Guest

    Any Cisco PIX image (version of code) will do that. The technology/concept
    is called "access-lists" which permit or deny network traffic based on, in
    this example, source and destination IP addresses or destination TCP/UDP
    port.
    Cisco PIX image files are subject to the usual software licensing and are
    currently not free.

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
     
    Scott Perry, Jul 6, 2007
    #2

  3. In article <>,
    Marskarthik <> wrote:
    >I need Cisco Pix 506E code for the following items


    >1. Code for blocking an IP address so that no internal users can connect
    >to that IP address.


    access-list in2out deny ip any host XX.XX.XX.XX
    access-list in2out permit ip any any
    access-group in2out in interface inside

    >2. Code for blocking a series of IP addresses so that no internal users can
    >connect to that IP address group. For example I want to block
    >202.54.23.12 to 202.54.23.75


    A)
    access-list in2out deny ip any 202.54.23.12 255.255.255.252
    access-list in2out deny ip any 202.54.23.16 255.255.255.240
    access-list in2out deny ip any 202.54.23.32 255.255.255.224
    access-list in2out deny ip any 202.54.23.64 255.255.255.248
    access-list in2out deny ip any 202.54.23.72 255.255.255.252
    access-list in2out permit ip any any
    access-group in2out in interface inside

    OR
    B)

    object-group network BannedRange1
    network-object 202.54.23.12 255.255.255.252
    network-object 202.54.23.16 255.255.255.240
    network-object 202.54.23.32 255.255.255.224
    network-object 202.54.23.64 255.255.255.248
    network-object 202.54.23.72 255.255.255.252
    access-list in2out deny ip any object-group BannedRange1
    access-list in2out permit ip any any
    access-group in2out in interface inside

    OR
    C)
    access-list in2out deny ip any host 202.54.23.12
    access-list in2out deny ip any host 202.54.23.13
    access-list in2out deny ip any host 202.54.23.14
    [...]
    access-list in2out deny ip any host 202.54.23.75
    access-list in2out permit ip any any
    access-group in2out in interface inside

    To forestall a question: NO, there is no way to just give a
    range of IP addresses such as 202.54.23.12-202.54.23.75.
    You get 'host' (for one specific host) and you get
    base addresses and network masks; no IP range operator.


    >3. Code for blocking a specific port on a specific ip address so that
    >no internal users can connect to that IP address on the specified
    >port.


    access-list in2out deny tcp any host XX.XX.XX.XX eq 80
    access-list in2out permit ip any any
    access-group in2out in interface inside


    Notes:

    - you should only have one "permit ip any any" (at most)
    and it should always be the very last thing in your access-list.

    - you can only apply one access-list to any interface in PIX 6,
    so if you want to do several of these things together, put them
    all in the same access-list, then have the permit ip any any
    and then access-group that into control of the interface

    - nothing in any of the above will prevent your users from using one
    of the thousands of proxy servers to access those hosts if they
    really want to.

    - No, there is no simple way to block access to proxy servers.
    Security Best Practice is to only permit access to things that are
    definitely needed, instead of trying to selectively ban access to
    things that are forbidden.
     
    Walter Roberson, Jul 7, 2007
    #3
  4. Marskarthik

    Marskarthik Guest

    Thanks Walter. You have explained very clearly.

    Thanks,
    Marskarthik
    Home: www.marskarthik.com


     
    Marskarthik, Jul 9, 2007
    #4
  5. Scott Perry

    Scott Perry Guest

    >> >2. Code for blocking a series of IP addresses so that no internal users can
    >> >connect to that IP address group. For example I want to block
    >> >202.54.23.12 to 202.54.23.75


    Several access-list entries which cover the ranges in between will work.
    Here is an example where an outbound traffic access list blocks data traffic
    going to what you mentioned, 202.54.23.12 to 202.54.23.75.

    access-list 101 deny ip any 202.54.23.12 0.0.0.3
    access-list 101 deny ip any 202.54.23.16 0.0.0.15
    access-list 101 deny ip any 202.54.23.32 0.0.0.31
    access-list 101 deny ip any 202.54.23.64 0.0.0.7
    access-list 101 deny ip any 202.54.23.72 0.0.0.3
    access-list 101 permit ip any any

    That access list will do the following (in matching order):
    block any network traffic going to 202.54.23.12 through 202.54.23.15
    block any network traffic going to 202.54.23.16 through 202.54.23.31
    block any network traffic going to 202.54.23.32 through 202.54.23.63
    block any network traffic going to 202.54.23.64 through 202.54.23.71
    block any network traffic going to 202.54.23.72 through 202.54.23.75
    permit any other network traffic
    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
     
    Scott Perry, Jul 9, 2007
    #5
  6. In article <469268e6$0$21259$>,
    Scott Perry <scottperry@aciscocompany> wrote:
    >>> >2. Code for blocking a series of IP addresses so that no internal users can
    >>> >connect to that IP address group. For example I want to block
    >>> >202.54.23.12 to 202.54.23.75

    >
    >Several access-list entries which cover the ranges in between will work.
    >Here is an example where an outbound traffic access list blocks data traffic
    >going to what you mentioned, 202.54.23.12 to 202.54.23.75.


    >access-list 101 deny ip any 202.54.23.12 0.0.0.3
    >access-list 101 deny ip any 202.54.23.16 0.0.0.15
    >access-list 101 deny ip any 202.54.23.32 0.0.0.31
    >access-list 101 deny ip any 202.54.23.64 0.0.0.7
    >access-list 101 deny ip any 202.54.23.72 0.0.0.3
    >access-list 101 permit ip any any


    Unfortunately, that won't work. The PIX uses bit masks rather than
    wildcard bits. I gave the correct entries up-thread, in the
    message that was the parent of the one you were replying to.

    access-list in2out deny ip any 202.54.23.12 255.255.255.252
    access-list in2out deny ip any 202.54.23.16 255.255.255.240
    access-list in2out deny ip any 202.54.23.32 255.255.255.224
    access-list in2out deny ip any 202.54.23.64 255.255.255.248
    access-list in2out deny ip any 202.54.23.72 255.255.255.252
    access-list in2out permit ip any any


    Further note: in IOS, the sort of access-list you showed would
    have to be numbered, from 101 to 199 (or 2000 to 2699 but I never
    remember that range!). In PIX, the access-lists are named, and the
    names have no inherent significance. Numbers are considered valid names
    for this purpose, so access-list 101 is still fine, and access-list 1
    would have been just as good too.

    PIX access-list syntax changed again with PIX 7.
     
    Walter Roberson, Jul 10, 2007
    #6
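Walter's hand-built base/mask decomposition of 202.54.23.12 to .75 (post #3) and his netmask-versus-wildcard correction in this post can both be checked mechanically. The Python below is an added example, not code from any poster; it uses only the standard-library ipaddress module and models a PIX mask entry as a plain bitwise AND (an assumption about how the box evaluates the mask, not something the thread states).

```python
import ipaddress

def range_to_blocks(first, last):
    """Split an inclusive IPv4 range into the fewest aligned base/mask
    blocks: PIX 6 has no range operator, only 'host' and base + mask."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def pix_deny_lines(first, last, name="in2out"):
    """PIX form: the second operand is a network mask (255.255.255.x)."""
    return [f"access-list {name} deny ip any {n.network_address} {n.netmask}"
            for n in range_to_blocks(first, last)]

def ios_deny_lines(first, last, number=101):
    """IOS form of the same blocks: the second operand is a wildcard (0.0.0.x)."""
    return [f"access-list {number} deny ip any {n.network_address} {n.hostmask}"
            for n in range_to_blocks(first, last)]

def netmask_match(addr, base, mask):
    """Model of mask matching (assumed here to be a plain bitwise AND):
    addr matches the entry when addr & mask == base & mask."""
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    return a & m == b & m

def mask_pairs(lines):
    """Pull the (base, mask) operands back out of emitted deny lines."""
    return [tuple(line.split()[-2:]) for line in lines]

def denied_last_octets(pairs, prefix="202.54.23."):
    """Which hosts of the /24 the entries deny under netmask semantics."""
    return [o for o in range(256)
            if any(netmask_match(prefix + str(o), b, m) for b, m in pairs)]

if __name__ == "__main__":
    first, last = "202.54.23.12", "202.54.23.75"
    pix = pix_deny_lines(first, last)
    # Same five entries Walter gave, plus the single trailing permit.
    print("\n".join(pix + ["access-list in2out permit ip any any"]))
    assert denied_last_octets(mask_pairs(pix)) == list(range(12, 76))
    # The IOS wildcard lines, if 0.0.0.3 were applied as a mask, would match
    # on the low bits only: host .13 slips through and .100 is wrongly denied.
    ios = denied_last_octets(mask_pairs(ios_deny_lines(first, last)))
    print("wildcard read as mask denies", len(ios), "hosts of the /24")
    assert 13 not in ios and 100 in ios
```

Running it prints the PIX access-list lines for the range and shows that the wildcard notation, read as a mask, does not describe 202.54.23.12 to .75 at all.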
