Pix 515: How do I block a range of IP address using the conduit command?

Pix 515: How do I block a range of IP address using the conduit command?
Am getting much UBE from three IP ranges 222.156.whatever. whatever, 219.91.whatever.whatever and 61.31.whatever.whatever. I can' use the shun command because the specific IP address keeps changing. I am trying to use the conduit command to block the ranges but am having no luck. I am an idiot when it comes to this Pix and am now thoroughly frustrated. I shut my mail server down because I refuse to be forward this stuff. The server is a small web/email server which (normally) does not get much traffic.
This is what I currently have for conduit commands, 12.2.170.36 is my ip.:

conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any  
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any  

Thanks a lot...

Mike                        
MikeB_30Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
grbladesConnect With a Mentor Commented:
The 'static' command is the new version of the 'alias' command and you seem to have these duplicated.

You should be able to remove all the alias and conduit commands and add the following configuration :-

access-list outside_in deny ip 222.0.0.0 255.0.0.0 any
access-list outside_in deny ip 219.0.0.0 255.0.0.0 any
access-list outside_in deny ip 61.0.0.0 255.0.0.0 any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 12.2.170.36 eq www
access-list outside_in permit tcp any host 12.2.170.36 eq ftp
access-list outside_in permit tcp any host 12.2.170.36 eq pop3
access-list outside_in permit tcp any host 12.2.170.36 eq smtp
access-list outside_in permit tcp any host 12.2.170.41 eq ftp
access-list outside_in permit tcp any host 12.2.170.50 eq smtp
access-list outside_in permit tcp any host 12.2.170.50 eq pop3
access-list outside_in permit tcp any host 12.2.170.60
access-list outside_in deny ip any any
access-group outside_in in interface outside

Just make sure you have a copy of your existing configuration that you can restore incase anything goes wrong.
0
 
grbladesCommented:
Hi MikeB_30,
What version of software do you have on the PIX?

If the software is new enough I would remocmend switching to the new syntax which uses 'static' commands and access lists instead of the conduit command. Using access lists it is easy to block an address range.
0
 
MikeB_30Author Commented:
It's version 6.0(1)
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
grbladesCommented:
Version 6.0 does support access-lists (it was supported from version 5.0).

If you could post the internal IP address of the server(s) and what IP addresses they map to on the outside and also what ports should be permitted though and what IP's you want to block I will create the commands for you to enter.
0
 
MikeB_30Author Commented:
That would be great.
Here's the whole deal:
The server's internal address is 172.16.1.2 netmask 255.255.0.0
Outside is 12.2.170.36 255.255.255.224

The addresses I'm trying to block is 222.anything, 219.anything and 61.anything
I have attached the alias and static commands as well as the conduit commands.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 172.16.1.2 12.2.170.36 255.255.255.255
alias (inside) 172.16.1.151 12.2.170.41 255.255.255.255
alias (inside) 172.16.1.45 12.2.170.50 255.255.255.255
alias (inside) 172.16.1.185 12.2.170.60 255.255.255.255
static (inside,outside) 12.2.170.36 172.16.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.41 172.16.1.151 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.50 172.16.1.45 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.60 172.16.1.185 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any
conduit permit tcp host 12.2.170.41 eq ftp any
conduit permit tcp host 12.2.170.50 eq smtp any
conduit permit tcp host 12.2.170.50 eq pop3 any
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any
conduit permit tcp host 12.2.170.60 any

Thanks a ton.                              
0
 
MikeB_30Author Commented:
Worked great!!!
Thank you very much, if you ever find yourself in IA...I'm buying.

Best Regards,
Mike
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.