PIX 515E configuration to block MSN and Yahoo Messenger?

Posted on 2004-11-07
Last Modified: 2012-06-27
Hi all,

I have a PIX 515E running PIX Version 6.3(3), a very simple 2-interface firewall (inside and outside). I was trying to block MSN (IM) access and YIM (Yahoo Instant Messenger) and Yahoo chat from the network; I tried a couple of things but they didn't work.

The problem that I'm facing with MSN is that it works on the SSL port; if I block the SSL port it blocks all the other important sites which use the SSL port.

With Yahoo, I tried both ways, by blocking port 5050 access and also by blocking the YIM host servers, but every time I block a server it finds another server to connect to; I don't know how many more servers they have there.

Please advise me of a solution.

I'm attaching my firewall config below, though in some places I have x'ed out the IP addresses for privacy. :-)


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ########### encrypted
passwd ########### encrypted
hostname fw
clock timezone GST 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name pc_adnan
name mail_srv
name web_srv
name yahoo
name yahoo3
name yahoo2
name yahoo1
name yahoo4
name yahoo_all
object-group network yahoo
  network-object yahoo3
  network-object yahoo1
  network-object yahoo
  network-object yahoo2
  network-object yahoo4
  network-object yahoo_all
access-list serv_pub permit icmp any any echo-reply
access-list serv_pub permit icmp any any time-exceeded
access-list serv_pub permit icmp any any unreachable
access-list serv_pub permit tcp any host x.x.x.39 eq www
access-list serv_pub permit tcp any host x.x.x.38 eq smtp
access-list serv_pub permit tcp any host x.x.x.39 eq ftp
access-list serv_pub permit tcp any host x.x.x.38 eq pop3
access-list serv_pub permit tcp any host x.x.x.38 eq www
access-list serv_pub deny tcp any eq 5050 any
access-list serv_pub deny tcp object-group yahoo any
access-list serv_pub deny tcp any any eq 5050
access-list inside_in permit ip any
access-list inside_in deny tcp object-group yahoo
pager lines 24
logging timestamp
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.37
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location pc_adnan inside
pdm location web_srv inside
pdm location mail_srv inside
pdm location outside
pdm location yahoo outside
pdm location yahoo3 outside
pdm location yahoo1 outside
pdm location yahoo2 outside
pdm location yahoo4 outside
pdm location yahoo_all outside
pdm location outside
pdm location inside
pdm group yahoo outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.40-x.x.x.45
global (outside) 1 x.x.x.46
nat (inside) 1 0 0
static (inside,outside) x.x.x.39 web_srv netmask 0 0
static (inside,outside) x.x.x.38 mail_srv netmask 0 0
static (inside,outside) x.x.x.36 netmask 0 0
access-group serv_pub in interface outside
access-group inside_in in interface inside
route outside x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http pc_adnan inside
snmp-server host inside pc_adnan
snmp-server location XXXXXX
snmp-server contact XXXXX
snmp-server community XXXXX
snmp-server enable traps
tftp-server inside pc_adnan/firewall_config
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
: end
Question by: adnanj76
    LVL 79

    Accepted Solution

    Real quick, I can tell you that your order of access-list entries is important.
    ACLs are processed top-down. In your case the permit "any" is met before the deny, so nothing will ever be denied.

    >access-list inside_in permit ip any
    >access-list inside_in deny tcp object-group yahoo

    Try reversing them, and deny source port of 5050 from getting out:
    no access-list inside_in
    access-list inside_in deny tcp object-group yahoo
    access-list inside_in deny tcp any eq 5050 any  
    access-list inside_in permit ip any
    /-- re-apply the acl after changes:
       access-group inside_in in interface inside

    As a side note, if you don't have written, enforceable acceptable use policies that you can roll up and whack your users on the head with when they violate the policy of no YIM/MSN use on the company network, then you will always be fighting this battle... until the first person gets fired for violating the policy. You can't solve a management/user issue with technology, you can only partially enforce and partially monitor compliance to policies. Period.
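As an added illustration of the top-down, first-match rule the answer describes (example code written for this page, not from the PIX, Cisco or either poster), here is a small Python evaluator for the PIX 6.3 access-list syntax used above. The object-group addresses and the client flow are constructed placeholders, since the real ones are x'ed out in the post; the evaluator also shows the check a practitioner would make on the 5050 line, because `any eq 5050 any` tests the source port while `any any eq 5050` tests the destination port (both forms appear in the posted serv_pub ACL).

```python
import ipaddress

# Constructed stand-in for the post's object-group "yahoo" (its addresses are
# x'ed out): RFC 5737 documentation ranges serve as placeholders.
OBJECT_GROUPS = {"yahoo": ["192.0.2.0/24", "198.51.100.0/24"]}

def _addr(tok):  # consume one address spec: any | host A | object-group G | A MASK
    t = tok.pop(0)
    if t == "any":
        return ["0.0.0.0/0"]
    if t == "host":
        return [tok.pop(0) + "/32"]
    if t == "object-group":
        return OBJECT_GROUPS[tok.pop(0)]
    return [str(ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False))]

def _port(tok):  # consume an optional 'eq PORT'; None matches any port
    if tok[:1] != ["eq"]:
        return None
    tok.pop(0)
    return int(tok.pop(0))

def parse_acl(lines):
    """'access-list NAME permit|deny PROTO SRC [eq P] [DST [eq P]]'; a missing
    destination is read as 'any' so the abbreviated lines in the post parse."""
    aces = []
    for tok in (l.split() for l in lines if l.startswith("access-list")):
        action, proto, tok = tok[2], tok[3], tok[4:]
        src, sport = _addr(tok), _port(tok)
        dst = _addr(tok) if tok else ["0.0.0.0/0"]
        aces.append((action, proto, src, sport, dst, _port(tok)))
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    """First matching ACE wins, top-down, as on the PIX; the implicit deny at
    the end drops anything that matched no ACE."""
    inside = lambda ip, nets: any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    for action, p, s, sp, d, dp in aces:
        if (p in ("ip", proto) and inside(src, s) and inside(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

# The posted order (permit first, so the deny is dead) next to the reversed order
# in two forms: 'any eq 5050 any' tests the SOURCE port, 'any any eq 5050' the
# DESTINATION port, which is where an outbound YIM client connection carries 5050.
POSTED = ["access-list inside_in permit ip any", "access-list inside_in deny tcp object-group yahoo"]
SRC_PORT = ["access-list inside_in deny tcp object-group yahoo", "access-list inside_in deny tcp any eq 5050 any", "access-list inside_in permit ip any"]
DST_PORT = ["access-list inside_in deny tcp any object-group yahoo", "access-list inside_in deny tcp any any eq 5050", "access-list inside_in permit ip any"]
FLOW = ("tcp", "10.0.0.5", 40000, "203.0.113.9", 5050)  # constructed outbound YIM flow

def verdicts():
    return {n: evaluate(parse_acl(a), *FLOW) for n, a in
            (("posted", POSTED), ("src_port", SRC_PORT), ("dst_port", DST_PORT))}
```

Running `verdicts()` returns `permit` for the posted order and for the source-port variant, and `deny` only for the destination-port variant.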

    LVL 79

    Expert Comment

    How's it going? Have you found a solution? Do you need more information?
    Can you close this question?

    Thanks for attending to this long-forgotten question.

