Hi all,

I have a PIX 515E with PIX Version 6.3(3), a very simple 2-interface firewall, inside and outside. I was trying to block MSN (IM), YIM (Yahoo Instant Messenger) and Yahoo chat access from the network; I tried a couple of things but they didn't work.

The problem I'm facing with MSN is that it works over the SSL port; if I block the SSL port, it blocks all the other important sites that use the SSL port.

With Yahoo, I tried both ways, by blocking port 5050 access and also by blocking the YIM host servers, but every time I block a server it finds another server to connect to. I don't know how many more servers they have out there.

Please advise me on a solution.

I'm attaching my firewall config below, though in some places I have (x)'d out the IP addresses for privacy. :-)


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ########### encrypted
passwd ########### encrypted
hostname fw
domain-name hyess.com
clock timezone GST 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name pc_adnan
name mail_srv
name web_srv
name yahoo
name yahoo3
name yahoo2
name yahoo1
name yahoo4
name yahoo_all
object-group network yahoo
  network-object yahoo3
  network-object yahoo1
  network-object yahoo
  network-object yahoo2
  network-object yahoo4
  network-object yahoo_all
access-list serv_pub permit icmp any any echo-reply
access-list serv_pub permit icmp any any time-exceeded
access-list serv_pub permit icmp any any unreachable
access-list serv_pub permit tcp any host x.x.x.39 eq www
access-list serv_pub permit tcp any host x.x.x.38 eq smtp
access-list serv_pub permit tcp any host x.x.x.39 eq ftp
access-list serv_pub permit tcp any host x.x.x.38 eq pop3
access-list serv_pub permit tcp any host x.x.x.38 eq www
access-list serv_pub deny tcp any eq 5050 any
access-list serv_pub deny tcp object-group yahoo any
access-list serv_pub deny tcp any any eq 5050
access-list inside_in permit ip any
access-list inside_in deny tcp object-group yahoo
pager lines 24
logging timestamp
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.37
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location pc_adnan inside
pdm location web_srv inside
pdm location mail_srv inside
pdm location outside
pdm location yahoo outside
pdm location yahoo3 outside
pdm location yahoo1 outside
pdm location yahoo2 outside
pdm location yahoo4 outside
pdm location yahoo_all outside
pdm location outside
pdm location inside
pdm group yahoo outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.40-x.x.x.45
global (outside) 1 x.x.x.46
nat (inside) 1 0 0
static (inside,outside) x.x.x.39 web_srv netmask 0 0
static (inside,outside) x.x.x.38 mail_srv netmask 0 0
static (inside,outside) x.x.x.36 netmask 0 0
access-group serv_pub in interface outside
access-group inside_in in interface inside
route outside x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http pc_adnan inside
snmp-server host inside pc_adnan
snmp-server location XXXXXX
snmp-server contact XXXXX
snmp-server community XXXXX
snmp-server enable traps
tftp-server inside pc_adnan/firewall_config
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
: end
Real quick, I can tell you that the order of your access-list entries is important.
ACLs are processed top-down. In your case the permit "any" is met before the deny, so nothing will ever be denied.

>access-list inside_in permit ip any
>access-list inside_in deny tcp object-group yahoo

Try reversing them, and deny source port of 5050 from getting out:
no access-list inside_in
access-list inside_in deny tcp object-group yahoo
access-list inside_in deny tcp any eq 5050 any  
access-list inside_in permit ip any
/-- re-apply the acl after changes:
   access-group inside_in in interface inside

As a side note, if you don't have written, enforceable acceptable use policies that you can roll up and whack your users on the head with when they violate the policy of no YIM/MSN use on the company network, then you will always be fighting this battle... until the first person gets fired for violating the policy. You can't solve a management/user issue with technology; you can only partially enforce and partially monitor compliance with policies. Period.
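The top-down, first-match behaviour described in the reply above can be checked offline before touching the box. The following is an added example (not code from this thread or from Cisco): a small first-match ACL evaluator that models the posted `inside_in` ACL and the reordered one, plus a static check that flags entries shadowed by a `permit ip any any`. The "yahoo" object-group addresses are constructed placeholders in TEST-NET-1, since the post x's out the real ones; the deny entry is modelled with the yahoo group as the *destination*, which is what an ACL applied inbound on the inside interface must match for outbound sessions (the posted line is truncated, so that direction is an assumption). The PIX distinction between `any eq 5050 any` (source port) and `any any eq 5050` (destination port), both of which appear in the posted config, is kept so each form can be tested.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder for the thread's masked "yahoo" object-group; the
# real addresses are x'd out in the post, so TEST-NET-1 stands in for them.
YAHOO_GROUP = [ip_network("192.0.2.0/24")]


def rule(action, proto, src="any", sport=None, dst="any", dport=None):
    """One ACL entry. src/dst are 'any' or a list of ip_network objects; a port
    is None (any) or an int. In PIX syntax 'eq N' right after the source field
    is a source-port match and 'eq N' after the destination field is a
    destination-port match, so the two are kept as separate fields here."""
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _addr_match(spec, addr):
    return spec == "any" or any(addr in net for net in spec)


def _matches(r, pkt):
    proto, src, sport, dst, dport = pkt
    if r["proto"] != "ip" and r["proto"] != proto:
        return False
    if not _addr_match(r["src"], src) or not _addr_match(r["dst"], dst):
        return False
    if r["sport"] is not None and r["sport"] != sport:
        return False
    if r["dport"] is not None and r["dport"] != dport:
        return False
    return True


def evaluate(acl, pkt):
    """Top-down, first match wins; an unmatched packet hits the implicit deny.
    Returns (action, index of the matching entry or None)."""
    for index, r in enumerate(acl):
        if _matches(r, pkt):
            return r["action"], index
    return "deny", None


def unreachable_entries(acl):
    """Static check: every entry below a 'permit/deny ip any any' is dead."""
    for i, r in enumerate(acl):
        if (r["proto"] == "ip" and r["src"] == "any" and r["dst"] == "any"
                and r["sport"] is None and r["dport"] is None):
            return list(range(i + 1, len(acl)))
    return []


def packet(proto, src, sport, dst, dport):
    return (proto, ip_address(src), sport, ip_address(dst), dport)


# inside_in as posted: permit-any sits above the deny, so the deny never fires.
POSTED_INSIDE_IN = [
    rule("permit", "ip"),
    rule("deny", "tcp", dst=YAHOO_GROUP),   # destination = yahoo group (assumed)
]

# The reordered ACL from the reply (denies first, permit-any last), plus the
# destination-port form of the 5050 deny that the posted serv_pub ACL uses.
REORDERED_INSIDE_IN = [
    rule("deny", "tcp", dst=YAHOO_GROUP),
    rule("deny", "tcp", sport=5050),        # "deny tcp any eq 5050 any"
    rule("deny", "tcp", dport=5050),        # "deny tcp any any eq 5050"
    rule("permit", "ip"),
]

# Constructed sample flows from an inside client (RFC 1918 / TEST-NET addresses).
CHAT = packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 5050)     # to yahoo group
WEB = packet("tcp", "10.0.0.5", 40001, "203.0.113.7", 443)      # ordinary HTTPS
OTHER_5050 = packet("tcp", "10.0.0.5", 40002, "203.0.113.7", 5050)
SRC_5050 = packet("tcp", "10.0.0.5", 5050, "203.0.113.7", 80)

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_INSIDE_IN),
                      ("reordered", REORDERED_INSIDE_IN)):
        print(name, "dead entries:", unreachable_entries(acl))
        for label, pkt in (("chat", CHAT), ("web", WEB),
                           ("other 5050", OTHER_5050), ("src 5050", SRC_5050)):
            print(" ", name, label, "->", evaluate(acl, pkt))
```

Running it shows the posted ACL permitting the chat flow at entry 0 and reporting entry 1 as dead, while the reordered ACL denies it at entry 0 and still permits ordinary web traffic via the final permit. The two 5050 samples make the source-port versus destination-port distinction concrete: a client's outbound session to a service on 5050 carries 5050 as the destination port, so check which `eq` form a given line actually matches before relying on it.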

How's it going? Have you found a solution? Do you need more information?
Can you close this question?


Thanks for attending to this long-forgotten question.


