Solved

Pix 515: How do I block a range of IP address using the conduit command?

Posted on 2004-08-18
6
1,623 Views
Last Modified: 2008-02-01
Pix 515: How do I block a range of IP address using the conduit command?
Am getting much UBE from three IP ranges 222.156.whatever. whatever, 219.91.whatever.whatever and 61.31.whatever.whatever. I can' use the shun command because the specific IP address keeps changing. I am trying to use the conduit command to block the ranges but am having no luck. I am an idiot when it comes to this Pix and am now thoroughly frustrated. I shut my mail server down because I refuse to be forward this stuff. The server is a small web/email server which (normally) does not get much traffic.
This is what I currently have for conduit commands, 12.2.170.36 is my ip.:

conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any  
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any  

Thanks a lot...

Mike                        
0
Comment
Question by:MikeB_30
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11834688
Hi MikeB_30,
What version of software do you have on the PIX?

If the software is new enough I would remocmend switching to the new syntax which uses 'static' commands and access lists instead of the conduit command. Using access lists it is easy to block an address range.
0
 

Author Comment

by:MikeB_30
ID: 11834705
It's version 6.0(1)
0
 
LVL 36

Expert Comment

by:grblades
ID: 11834853
Version 6.0 does support access-lists (it was supported from version 5.0).

If you could post the internal IP address of the server(s) and what IP addresses they map to on the outside and also what ports should be permitted though and what IP's you want to block I will create the commands for you to enter.
0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 

Author Comment

by:MikeB_30
ID: 11835048
That would be great.
Here's the whole deal:
The server's internal address is 172.16.1.2 netmask 255.255.0.0
Outside is 12.2.170.36 255.255.255.224

The addresses I'm trying to block is 222.anything, 219.anything and 61.anything
I have attached the alias and static commands as well as the conduit commands.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 172.16.1.2 12.2.170.36 255.255.255.255
alias (inside) 172.16.1.151 12.2.170.41 255.255.255.255
alias (inside) 172.16.1.45 12.2.170.50 255.255.255.255
alias (inside) 172.16.1.185 12.2.170.60 255.255.255.255
static (inside,outside) 12.2.170.36 172.16.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.41 172.16.1.151 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.50 172.16.1.45 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.60 172.16.1.185 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any
conduit permit tcp host 12.2.170.41 eq ftp any
conduit permit tcp host 12.2.170.50 eq smtp any
conduit permit tcp host 12.2.170.50 eq pop3 any
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any
conduit permit tcp host 12.2.170.60 any

Thanks a ton.                              
0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11835160
The 'static' command is the new version of the 'alias' command and you seem to have these duplicated.

You should be able to remove all the alias and conduit commands and add the following configuration :-

access-list outside_in deny ip 222.0.0.0 255.0.0.0 any
access-list outside_in deny ip 219.0.0.0 255.0.0.0 any
access-list outside_in deny ip 61.0.0.0 255.0.0.0 any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 12.2.170.36 eq www
access-list outside_in permit tcp any host 12.2.170.36 eq ftp
access-list outside_in permit tcp any host 12.2.170.36 eq pop3
access-list outside_in permit tcp any host 12.2.170.36 eq smtp
access-list outside_in permit tcp any host 12.2.170.41 eq ftp
access-list outside_in permit tcp any host 12.2.170.50 eq smtp
access-list outside_in permit tcp any host 12.2.170.50 eq pop3
access-list outside_in permit tcp any host 12.2.170.60
access-list outside_in deny ip any any
access-group outside_in in interface outside

Just make sure you have a copy of your existing configuration that you can restore incase anything goes wrong.
0
 

Author Comment

by:MikeB_30
ID: 11835946
Worked great!!!
Thank you very much, if you ever find yourself in IA...I'm buying.

Best Regards,
Mike
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Assymetric routing asa 4 53
Best firewall recommendation 12 217
Not able to ping DMZ port on Firewall from the switch. 11 65
Forwarding web requests to different web servers 15 222
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question