Solved

Pix 515: How do I block a range of IP address using the conduit command?

Posted on 2004-08-18
6
1,554 Views
Last Modified: 2008-02-01
Pix 515: How do I block a range of IP address using the conduit command?
Am getting much UBE from three IP ranges 222.156.whatever. whatever, 219.91.whatever.whatever and 61.31.whatever.whatever. I can' use the shun command because the specific IP address keeps changing. I am trying to use the conduit command to block the ranges but am having no luck. I am an idiot when it comes to this Pix and am now thoroughly frustrated. I shut my mail server down because I refuse to be forward this stuff. The server is a small web/email server which (normally) does not get much traffic.
This is what I currently have for conduit commands, 12.2.170.36 is my ip.:

conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any  
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any  

Thanks a lot...

Mike                        
0
Comment
Question by:MikeB_30
  • 3
  • 3
6 Comments
 
LVL 36

Expert Comment

by:grblades
Comment Utility
Hi MikeB_30,
What version of software do you have on the PIX?

If the software is new enough I would remocmend switching to the new syntax which uses 'static' commands and access lists instead of the conduit command. Using access lists it is easy to block an address range.
0
 

Author Comment

by:MikeB_30
Comment Utility
It's version 6.0(1)
0
 
LVL 36

Expert Comment

by:grblades
Comment Utility
Version 6.0 does support access-lists (it was supported from version 5.0).

If you could post the internal IP address of the server(s) and what IP addresses they map to on the outside and also what ports should be permitted though and what IP's you want to block I will create the commands for you to enter.
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:MikeB_30
Comment Utility
That would be great.
Here's the whole deal:
The server's internal address is 172.16.1.2 netmask 255.255.0.0
Outside is 12.2.170.36 255.255.255.224

The addresses I'm trying to block is 222.anything, 219.anything and 61.anything
I have attached the alias and static commands as well as the conduit commands.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 172.16.1.2 12.2.170.36 255.255.255.255
alias (inside) 172.16.1.151 12.2.170.41 255.255.255.255
alias (inside) 172.16.1.45 12.2.170.50 255.255.255.255
alias (inside) 172.16.1.185 12.2.170.60 255.255.255.255
static (inside,outside) 12.2.170.36 172.16.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.41 172.16.1.151 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.50 172.16.1.45 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.60 172.16.1.185 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any
conduit permit tcp host 12.2.170.41 eq ftp any
conduit permit tcp host 12.2.170.50 eq smtp any
conduit permit tcp host 12.2.170.50 eq pop3 any
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any
conduit permit tcp host 12.2.170.60 any

Thanks a ton.                              
0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
Comment Utility
The 'static' command is the new version of the 'alias' command and you seem to have these duplicated.

You should be able to remove all the alias and conduit commands and add the following configuration :-

access-list outside_in deny ip 222.0.0.0 255.0.0.0 any
access-list outside_in deny ip 219.0.0.0 255.0.0.0 any
access-list outside_in deny ip 61.0.0.0 255.0.0.0 any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 12.2.170.36 eq www
access-list outside_in permit tcp any host 12.2.170.36 eq ftp
access-list outside_in permit tcp any host 12.2.170.36 eq pop3
access-list outside_in permit tcp any host 12.2.170.36 eq smtp
access-list outside_in permit tcp any host 12.2.170.41 eq ftp
access-list outside_in permit tcp any host 12.2.170.50 eq smtp
access-list outside_in permit tcp any host 12.2.170.50 eq pop3
access-list outside_in permit tcp any host 12.2.170.60
access-list outside_in deny ip any any
access-group outside_in in interface outside

Just make sure you have a copy of your existing configuration that you can restore incase anything goes wrong.
0
 

Author Comment

by:MikeB_30
Comment Utility
Worked great!!!
Thank you very much, if you ever find yourself in IA...I'm buying.

Best Regards,
Mike
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now