Solved

PIX 515E configuration to block MSN and Yahoo Messenger?

Posted on 2004-11-07
Last Modified: 2012-06-27
Hi all,

I have a PIX 515E running PIX Version 6.3(3), a very simple 2-interface firewall (inside and outside). I was trying to block MSN (IM) access, YIM (Yahoo Instant Messenger) and Yahoo chat from the network; I tried a couple of things but they didn't work.

The problem that I'm facing with MSN is that it works on the SSL port; if I block the SSL port it blocks all the other important sites which use the SSL port.

With Yahoo, I tried both ways, by blocking port 5050 access and also by blocking the YIM host servers, but every time I block a server it finds another server to connect to; I don't know how many more servers they have there.

Please advise me the solution.

I'm attaching my firewall config below, though in some places I have x'd out the IP addresses for privacy. :-)

==================

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ########### encrypted
passwd ########### encrypted
hostname fw
domain-name hyess.com
clock timezone GST 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.10 pc_adnan
name 192.168.1.30 mail_srv
name 192.168.1.15 web_srv
name 216.155.193.177 yahoo
name 216.136.227.21 yahoo3
name 216.155.193.178 yahoo2
name 216.155.193.139 yahoo1
name 216.155.193.153 yahoo4
name 216.155.193.0 yahoo_all
object-group network yahoo
  network-object yahoo3 255.255.255.255
  network-object yahoo1 255.255.255.255
  network-object yahoo 255.255.255.255
  network-object yahoo2 255.255.255.255
  network-object yahoo4 255.255.255.255
  network-object yahoo_all 255.255.255.0
  network-object 216.155.193.186 255.255.255.255
access-list serv_pub permit icmp any any echo-reply
access-list serv_pub permit icmp any any time-exceeded
access-list serv_pub permit icmp any any unreachable
access-list serv_pub permit tcp any host x.x.x.39 eq www
access-list serv_pub permit tcp any host x.x.x.38 eq smtp
access-list serv_pub permit tcp any host x.x.x.39 eq ftp
access-list serv_pub permit tcp any host x.x.x.38 eq pop3
access-list serv_pub permit tcp any host x.x.x.38 eq www
access-list serv_pub deny tcp any eq 5050 any
access-list serv_pub deny tcp object-group yahoo any
access-list serv_pub deny tcp any any eq 5050
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo
pager lines 24
logging timestamp
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.37 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location pc_adnan 255.255.255.255 inside
pdm location web_srv 255.255.255.255 inside
pdm location mail_srv 255.255.255.255 inside
pdm location 195.229.172.15 255.255.255.255 outside
pdm location yahoo 255.255.255.255 outside
pdm location yahoo3 255.255.255.255 outside
pdm location yahoo1 255.255.255.255 outside
pdm location yahoo2 255.255.255.255 outside
pdm location yahoo4 255.255.255.255 outside
pdm location yahoo_all 255.255.255.0 outside
pdm location 216.155.193.186 255.255.255.255 outside
pdm location 192.168.1.4 255.255.255.255 inside
pdm group yahoo outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.40-x.x.x.45
global (outside) 1 x.x.x.46
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.39 web_srv netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.38 mail_srv netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.36 192.168.1.4 netmask 255.255.255.255 0 0
access-group serv_pub in interface outside
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http pc_adnan 255.255.255.255 inside
snmp-server host inside pc_adnan
snmp-server location XXXXXX
snmp-server contact XXXXX
snmp-server community XXXXX
snmp-server enable traps
tftp-server inside pc_adnan/firewall_config
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
: end
[OK]
Question by:adnanj76

    Accepted Solution

    Real quick, I can tell you that your order of access-list entries is important.
    ACLs are processed top-down. In your case the permit "any" is met before the deny, so nothing will ever be denied.

    >access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
    >access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo

    Try reversing them, and deny source port of 5050 from getting out:
    no access-list inside_in
    access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo
    access-list inside_in deny tcp any eq 5050 any  
    access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
    /-- re-apply the acl after changes:
       access-group inside_in in interface inside


    As a side note, if you don't have written, enforceable acceptable use policies that you can roll up and whack your users on the head with when they violate the policy of no YIM/MSN use on the company network, then you will always be fighting this battle... until the first person gets fired for violating the policy. You can't solve a management/user issue with technology; you can only partially enforce and partially monitor compliance with policies. Period.

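An added illustration (not from the original thread) of the top-down, first-match rule the accepted answer describes: a small Python simulator, written for this page rather than taken from the PIX, that parses the inside_in ACEs quoted above and evaluates a packet against them in order. It models only the syntax those lines use (any, object-group, address/mask, eq port), collapses the yahoo object group from the poster's config to CIDR form, and defines ORIGINAL and FIXED as the two orderings from the thread.

```python
import ipaddress  # added example, not from the original post
# Object group "yahoo" from the poster's config, collapsed to CIDR form.
OBJECT_GROUPS = {"yahoo": ["216.155.193.0/24", "216.136.227.21/32", "216.155.193.186/32"]}

def _parse_addr(tok, i):
    """One address spec at tok[i]: any | object-group G | A MASK."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "object-group":
        return ("group", tok[i + 1]), i + 2
    net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)
    return ("net", net), i + 2

def _parse_port(tok, i):  # optional 'eq PORT'; None means any port
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, _ = _parse_port(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def _addr_match(spec, ip):
    kind, value = spec
    addr = ipaddress.ip_address(ip)
    if kind == "group":
        return any(addr in ipaddress.ip_network(n) for n in OBJECT_GROUPS[value])
    return kind == "any" or addr in value

def evaluate(aces, proto, src, sport, dst, dport):
    """Top-down, first match wins; the PIX appends an implicit deny."""
    for a in aces:
        if (a["proto"] in ("ip", proto) and a["sport"] in (None, sport)
                and a["dport"] in (None, dport)
                and _addr_match(a["src"], src) and _addr_match(a["dst"], dst)):
            return a["action"]
    return "deny"
ORIGINAL = [parse_ace(l) for l in (  # the poster's order: permit is hit first
    "access-list inside_in permit ip 192.168.1.0 255.255.255.0 any",
    "access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo")]
FIXED = [parse_ace(l) for l in (  # order suggested in the accepted answer
    "access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo",
    "access-list inside_in deny tcp any eq 5050 any",
    "access-list inside_in permit ip 192.168.1.0 255.255.255.0 any")]
```

With ORIGINAL, a client on 192.168.1.10 reaching a yahoo address on 5050 gets "permit"; with FIXED the same packet gets "deny", while ordinary HTTPS to an unrelated host still gets "permit".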
    Expert Comment

    by:lrmoore
    How's it going? Have you found a solution? Do you need more information?
    Can you close this question?

    http://www.experts-exchange.com/help.jsp#hs5

    Thanks for attending to this long-forgotten question.

    <-8}