Solved

Pix 515: How do I block a range of IP address using the conduit command?

Posted on 2004-08-18
6
1,645 Views
Last Modified: 2008-02-01
Pix 515: How do I block a range of IP address using the conduit command?
Am getting much UBE from three IP ranges 222.156.whatever. whatever, 219.91.whatever.whatever and 61.31.whatever.whatever. I can' use the shun command because the specific IP address keeps changing. I am trying to use the conduit command to block the ranges but am having no luck. I am an idiot when it comes to this Pix and am now thoroughly frustrated. I shut my mail server down because I refuse to be forward this stuff. The server is a small web/email server which (normally) does not get much traffic.
This is what I currently have for conduit commands, 12.2.170.36 is my ip.:

conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any  
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any  

Thanks a lot...

Mike                        
0
Comment
Question by:MikeB_30
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11834688
Hi MikeB_30,
What version of software do you have on the PIX?

If the software is new enough I would remocmend switching to the new syntax which uses 'static' commands and access lists instead of the conduit command. Using access lists it is easy to block an address range.
0
 

Author Comment

by:MikeB_30
ID: 11834705
It's version 6.0(1)
0
 
LVL 36

Expert Comment

by:grblades
ID: 11834853
Version 6.0 does support access-lists (it was supported from version 5.0).

If you could post the internal IP address of the server(s) and what IP addresses they map to on the outside and also what ports should be permitted though and what IP's you want to block I will create the commands for you to enter.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 

Author Comment

by:MikeB_30
ID: 11835048
That would be great.
Here's the whole deal:
The server's internal address is 172.16.1.2 netmask 255.255.0.0
Outside is 12.2.170.36 255.255.255.224

The addresses I'm trying to block is 222.anything, 219.anything and 61.anything
I have attached the alias and static commands as well as the conduit commands.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 172.16.1.2 12.2.170.36 255.255.255.255
alias (inside) 172.16.1.151 12.2.170.41 255.255.255.255
alias (inside) 172.16.1.45 12.2.170.50 255.255.255.255
alias (inside) 172.16.1.185 12.2.170.60 255.255.255.255
static (inside,outside) 12.2.170.36 172.16.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.41 172.16.1.151 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.50 172.16.1.45 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.60 172.16.1.185 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any
conduit permit tcp host 12.2.170.41 eq ftp any
conduit permit tcp host 12.2.170.50 eq smtp any
conduit permit tcp host 12.2.170.50 eq pop3 any
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any
conduit permit tcp host 12.2.170.60 any

Thanks a ton.                              
0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11835160
The 'static' command is the new version of the 'alias' command and you seem to have these duplicated.

You should be able to remove all the alias and conduit commands and add the following configuration :-

access-list outside_in deny ip 222.0.0.0 255.0.0.0 any
access-list outside_in deny ip 219.0.0.0 255.0.0.0 any
access-list outside_in deny ip 61.0.0.0 255.0.0.0 any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 12.2.170.36 eq www
access-list outside_in permit tcp any host 12.2.170.36 eq ftp
access-list outside_in permit tcp any host 12.2.170.36 eq pop3
access-list outside_in permit tcp any host 12.2.170.36 eq smtp
access-list outside_in permit tcp any host 12.2.170.41 eq ftp
access-list outside_in permit tcp any host 12.2.170.50 eq smtp
access-list outside_in permit tcp any host 12.2.170.50 eq pop3
access-list outside_in permit tcp any host 12.2.170.60
access-list outside_in deny ip any any
access-group outside_in in interface outside

Just make sure you have a copy of your existing configuration that you can restore incase anything goes wrong.
0
 

Author Comment

by:MikeB_30
ID: 11835946
Worked great!!!
Thank you very much, if you ever find yourself in IA...I'm buying.

Best Regards,
Mike
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question