trying to block a range of IP's from using the web

Discussion in 'Cisco' started by Barrett Bonden, Jan 26, 2006.

  1. need syntax to block a range of IP address using the web in any way ( they
    just need to reach an internal server) , so I want to stop them from
    getting out or anything from the web reaching them. These machines are in
    the range of 192.168.0.10 to 0.254



    I have(but it's been months since I did PIX/cicso , and boy am I rusty) an
    access list now with commands like



    access-list outside_access_in permit icmp any any echo

    access-list outside_access_in permit tcp any host 192.168.0.42 range 10000
    10

    access-list outside_access_in permit icmp any any echo-reply

    access-group outside_access_in in interface outside



    Can I just add to it to block anything coming in to a subnet ? I suppose I
    can do this:

    access-list outside_access_in deny ip deny any 1982.168.0.0 0.0.0.255 (can
    I ?)

    But of course that would block the owner , on 0.4 - so is there syntax for
    a range of IP's ? ?



    Or should I create a new access group for anything leaving the inside
    interface ?

    Something like

    access-group inside_access_out in interface inside

    access-list inside_access_out deny any 192.168.0.2 255.255.255.0

    (the inside interface : ip address inside 192.168.0.2 255.255.255.0)



    But again, this would stop any machine on the inside from getting to the
    inside interface on the PIX ( at least I think that's what I'm saying.)

    Any help offered on syntax or concepts much appreciated .
     
    Barrett Bonden, Jan 26, 2006
    #1
    1. Advertisements

  2. Must have dropped a few characters there, since the upper end of a port
    range must be greater than the lower end.
    Remember the PIX uses netmask format, so that would have to be
    192.168.0.0 255.255.255.0

    There is no syntax for a range of IPs. You can create an object-group
    that nominates them all, as in

    object-group network InternalOnly
    network-object 192.168.0.10 255.255.255.254
    network-object 192.168.0.12 255.255.255.252
    network-object 192.168.0.16 255.255.255.240
    network-object 192.168.0.32 255.255.255.224
    network-object 192.168.0.64 255.255.255.192
    network-object 192.168.0.128 255.255.255.192
    network-object 192.168.0.192 255.255.255.224
    network-object 192.168.0.224 255.255.255.240
    network-object 192.168.0.240 255.255.255.248
    network-object 192.168.0.248 255.255.255.252
    network-object 192.168.0.252 255.255.255.254
    network-object host 192.168.0.254

    access-list outside_access_in deny ip any object-group InternalOnly

    It mystifies me, though, as to why you want to permit your broadcast
    IP, 192.168.0.255 to send packets to the outside. The object-group would
    be only half as long if you were to block all of
    192.168.0.128 255.255.255.128
    If you want to prevent outgoing traffic then you need to work with
    the inside interface ACL: the PIX will automatically permit back
    in responses to traffic initiated from inside that was permitted out.

    Another item to note is that when you are working with the outside
    interface ACL, that all destination IPs must be the *public*
    IPs for the hosts -- the destinations as they would appear in the
    packets that the external hosts are sending to. Unless you are
    working with a completely private network, those public IPs are
    not going to be 192.168.0.x .


    There is a completely different way to solve this problem that you
    might find easier to configure:

    Packets are only allowed out for internal hosts for which there is
    a defined IP address translation -- a static or nat. Therefor, if you
    want to deny hosts from going outside, you can do it by not defining
    any address translation for them. Instead of having,

    nat (inside) 1 0.0.0.0 0.0.0.0

    instead have

    nat (inside) 1 192.168.0.0 255.255.255.248
    nat (inside) 1 192.168.0.8 255.255.255.254

    Then you don't need any ACL: the PIX just won't allow the traffic
    because it won't know what public IP address to use for it.

    The main difference between this and the inside interface ACL case
    is in the log messages that will be produced for the two cases.
     
    Walter Roberson, Jan 27, 2006
    #2
    1. Advertisements

  3. Walter:

    Many thanks, as always. The idea of specific NAT's , as in
    appeals to me. I've started to re-read my old Pix books, but still don't see
    why you have those "subnet like" masks (as in .254) for use with a specific
    inside IP. Walter, if I wanted to specify just a few inside IP's(the
    owner's, say, and one other) to get out, would I not do it like
    nat (inside) 1 192.168.0.8 255.255.255.255 ? for just one machine ?
    My books tell me this will be seen as one host .
     
    Barrett Bonden, Jan 28, 2006
    #3
  4. You wanted .10 to .254 to be blocked, which means you want to permit
    ..8 and .9 . You could do that via
    192.168.0.8 255.255.255.255
    192.168.0.9 255.255.255.255
    or you can do it via
    192.168.0.8 255.255.255.254
    because .8 falls on /31 boundary.
    Yes.
     
    Walter Roberson, Jan 29, 2006
    #4
  5. If you ever come to Long Island, New York , let me buy you a beer.
    This was (is ) the only Cisco client I have; I never picked up more work
    from the PIX install, and so all the reading I did just drifted out of my
    head ...I read quite a bit on subnet math , but without use .......

    Many thanks -
     
    Barrett Bonden, Jan 29, 2006
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.