
Block MSN for all users, but allow 3 users, how to implement on CISCO PIX 506E

In my office, we are using a CISCO PIX 506E; all office users are in the LAN of the 192.168.8.0/24 network.

I want to block all users from using MSN from the internet, but allow my 3 managers to use MSN.
Their IP addresses are:
  192.168.8.26 /24
  192.168.8.42 /24
  192.168.8.57 /24

How am I going to implement this on my PIX 506E?
Can anyone write me the syntax?

Thanks for the help.
1 Solution
lrmoore commented:
You can try something like this to block the source port (typically 1863), but your mileage may vary...

access-list block_MSN permit ip host 192.168.8.26 any
access-list block_MSN permit ip host 192.168.8.42 any
access-list block_MSN permit ip host 192.168.8.57 any
access-list block_MSN deny tcp any eq 1863 any
access-list block_MSN permit ip any any

access-group block_MSN in interface inside

reason100 commented:
Probably the most secure way to do this is to only allow traffic for specific services into the firewall from the internal network. So, depending on your company policy, you would only allow users to access services you have deemed acceptable: port 80 for www, port 443 for SSL-encrypted sites, port 25 for SMTP, port 110 for POP3, etc.

So you would create an access list like the one below, which has the specific allowances for the network hosts.

access-list inside_access_in permit tcp any any eq pop3
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp host 192.168.8.26 any eq 1863
access-list inside_access_in permit tcp host 192.168.8.42 any eq 1863
access-list inside_access_in permit tcp host 192.168.8.57 any eq 1863
access-list inside_access_in deny tcp any any

Don't just copy the above access list into your firewall config. You'll have to make sure that it has the correct access-list name and that all of the services you need are listed. So, you'll need to do a little research and come up with a plan to implement an access list.

Hope this helps,
Rod
lrmoore commented:
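Both answers rely on the PIX evaluating an access-list top-down and stopping at the first match, with an implicit deny at the end. The following constructed first-match model (added here; it is not Cisco's code and not part of either answer) parses the subset of access-list syntax used above and runs three constructed flows through it, so the ordering of the per-manager permits relative to the deny can be checked before touching the firewall. The outside addresses, the 40000-range client ports and the "staff" host 192.168.8.99 are assumptions for the sample flows.

```python
import re

# Constructed first-match model of a PIX access-list (not Cisco's code).
# Supported subset, as used in the answers above:
#   access-list NAME permit|deny ip|tcp SRC [eq PORT] DST [eq PORT]
# with SRC/DST either "any" or "host A.B.C.D". Only TCP flows are evaluated.
NAMED_PORTS = {"www": 80, "smtp": 25, "pop3": 110}

def _endpoint(tokens):
    """Consume 'any' | 'host X' plus an optional 'eq PORT'; return (addr, port, rest)."""
    addr, tokens = (tokens[1], tokens[2:]) if tokens[0] == "host" else ("any", tokens[1:])
    port = None
    if tokens and tokens[0] == "eq":
        port = NAMED_PORTS.get(tokens[1]) or int(tokens[1])
        tokens = tokens[2:]
    return addr, port, tokens

def parse_acl(text):
    """Return (action, src, sport, dst, dport) tuples in the order they were written."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list\s+\S+\s+(permit|deny)\s+(?:ip|tcp)\s+(.*)", line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        src, sport, rest = _endpoint(m.group(2).split())
        dst, dport, _ = _endpoint(rest)
        rules.append((m.group(1), src, sport, dst, dport))
    return rules

def evaluate(rules, src, sport, dst, dport):
    """First matching rule wins; no match falls through to the PIX implicit deny."""
    for action, rsrc, rsport, rdst, rdport in rules:
        if (rsrc in ("any", src) and rdst in ("any", dst)
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"

def check_policy(acl_text):
    """Decisions for three constructed flows: inside client, ephemeral source port."""
    rules = parse_acl(acl_text)
    return {
        "manager_msn": evaluate(rules, "192.168.8.26", 40000, "203.0.113.10", 1863),
        "staff_msn": evaluate(rules, "192.168.8.99", 40001, "203.0.113.10", 1863),
        "staff_web": evaluate(rules, "192.168.8.99", 40002, "203.0.113.20", 80),
    }

# Trimmed version of the second answer's list (one manager shown, typo fixed).
SERVICE_ACL = """access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp host 192.168.8.26 any eq 1863
access-list inside_access_in deny tcp any any"""
```

Reversing the rule order puts the deny first and blocks the manager too, and a deny keyed on source port 1863 (as in the first answer) never matches a client whose destination port is 1863 in this model, which is why that answer says results may vary.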
bytta's comment should not be accepted. It did not address the question at all on how to create a custom solution specifically to this situation. I'm sure the EE search function works just fine for the asker, too.
>Can anyone write me the syntax.

bytta did not provide the syntax.