Solved

Pix 515: How do I block a range of IP address using the conduit command?

Posted on 2004-08-18
6
1,603 Views
Last Modified: 2008-02-01
Pix 515: How do I block a range of IP address using the conduit command?
Am getting much UBE from three IP ranges 222.156.whatever. whatever, 219.91.whatever.whatever and 61.31.whatever.whatever. I can' use the shun command because the specific IP address keeps changing. I am trying to use the conduit command to block the ranges but am having no luck. I am an idiot when it comes to this Pix and am now thoroughly frustrated. I shut my mail server down because I refuse to be forward this stuff. The server is a small web/email server which (normally) does not get much traffic.
This is what I currently have for conduit commands, 12.2.170.36 is my ip.:

conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any  
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any  

Thanks a lot...

Mike                        
0
Comment
Question by:MikeB_30
  • 3
  • 3
6 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11834688
Hi MikeB_30,
What version of software do you have on the PIX?

If the software is new enough I would remocmend switching to the new syntax which uses 'static' commands and access lists instead of the conduit command. Using access lists it is easy to block an address range.
0
 

Author Comment

by:MikeB_30
ID: 11834705
It's version 6.0(1)
0
 
LVL 36

Expert Comment

by:grblades
ID: 11834853
Version 6.0 does support access-lists (it was supported from version 5.0).

If you could post the internal IP address of the server(s) and what IP addresses they map to on the outside and also what ports should be permitted though and what IP's you want to block I will create the commands for you to enter.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:MikeB_30
ID: 11835048
That would be great.
Here's the whole deal:
The server's internal address is 172.16.1.2 netmask 255.255.0.0
Outside is 12.2.170.36 255.255.255.224

The addresses I'm trying to block is 222.anything, 219.anything and 61.anything
I have attached the alias and static commands as well as the conduit commands.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 172.16.1.2 12.2.170.36 255.255.255.255
alias (inside) 172.16.1.151 12.2.170.41 255.255.255.255
alias (inside) 172.16.1.45 12.2.170.50 255.255.255.255
alias (inside) 172.16.1.185 12.2.170.60 255.255.255.255
static (inside,outside) 12.2.170.36 172.16.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.41 172.16.1.151 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.50 172.16.1.45 netmask 255.255.255.255 0 0
static (inside,outside) 12.2.170.60 172.16.1.185 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 12.2.170.36 eq www any
conduit permit tcp host 12.2.170.36 eq ftp any
conduit permit tcp host 12.2.170.36 eq pop3 any
conduit permit tcp host 12.2.170.41 eq ftp any
conduit permit tcp host 12.2.170.50 eq smtp any
conduit permit tcp host 12.2.170.50 eq pop3 any
conduit deny ip host 12.2.170.36 222.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 219.0.0.0 255.255.255.0
conduit deny ip host 12.2.170.36 61.0.0.0 255.255.255.0
conduit permit tcp host 12.2.170.36 eq smtp any
conduit permit tcp host 12.2.170.60 any

Thanks a ton.                              
0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11835160
The 'static' command is the new version of the 'alias' command and you seem to have these duplicated.

You should be able to remove all the alias and conduit commands and add the following configuration :-

access-list outside_in deny ip 222.0.0.0 255.0.0.0 any
access-list outside_in deny ip 219.0.0.0 255.0.0.0 any
access-list outside_in deny ip 61.0.0.0 255.0.0.0 any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 12.2.170.36 eq www
access-list outside_in permit tcp any host 12.2.170.36 eq ftp
access-list outside_in permit tcp any host 12.2.170.36 eq pop3
access-list outside_in permit tcp any host 12.2.170.36 eq smtp
access-list outside_in permit tcp any host 12.2.170.41 eq ftp
access-list outside_in permit tcp any host 12.2.170.50 eq smtp
access-list outside_in permit tcp any host 12.2.170.50 eq pop3
access-list outside_in permit tcp any host 12.2.170.60
access-list outside_in deny ip any any
access-group outside_in in interface outside

Just make sure you have a copy of your existing configuration that you can restore incase anything goes wrong.
0
 

Author Comment

by:MikeB_30
ID: 11835946
Worked great!!!
Thank you very much, if you ever find yourself in IA...I'm buying.

Best Regards,
Mike
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Firewall question 5 95
Network Activities  please help 16 79
centos7 firewalld udp ports 33 78
Sonicwall Security Service questions 2 54
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question