Solved

PIX 515E configuration? to block MSN and Yahoo messenger

Posted on 2004-11-07
Last Modified: 2012-06-27
Hi all,

I have a PIX 515E with PIX Version 6.3(3), a very simple 2-interface firewall, inside and outside. I was trying to block MSN (IM) access and YIM (Yahoo Instant Messenger) and Yahoo chat from the network; I tried a couple of things but they didn't work.

The problem that I'm facing with MSN is that it works on the SSL port; if I block the SSL port it blocks all the other important sites which use the SSL port.

With Yahoo, I tried both ways, by blocking port 5050 access and also by blocking the YIM host servers, but every time I block a server it finds another server to connect to; I don't know how many more servers they have out there.

Please advise me of the solution.

I'm attaching my firewall config below, though in some places I have x'd out the IP addresses for privacy. :-)

==================

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ########### encrypted
passwd ########### encrypted
hostname fw
domain-name hyess.com
clock timezone GST 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.10 pc_adnan
name 192.168.1.30 mail_srv
name 192.168.1.15 web_srv
name 216.155.193.177 yahoo
name 216.136.227.21 yahoo3
name 216.155.193.178 yahoo2
name 216.155.193.139 yahoo1
name 216.155.193.153 yahoo4
name 216.155.193.0 yahoo_all
object-group network yahoo
  network-object yahoo3 255.255.255.255
  network-object yahoo1 255.255.255.255
  network-object yahoo 255.255.255.255
  network-object yahoo2 255.255.255.255
  network-object yahoo4 255.255.255.255
  network-object yahoo_all 255.255.255.0
  network-object 216.155.193.186 255.255.255.255
access-list serv_pub permit icmp any any echo-reply
access-list serv_pub permit icmp any any time-exceeded
access-list serv_pub permit icmp any any unreachable
access-list serv_pub permit tcp any host x.x.x.39 eq www
access-list serv_pub permit tcp any host x.x.x.38 eq smtp
access-list serv_pub permit tcp any host x.x.x.39 eq ftp
access-list serv_pub permit tcp any host x.x.x.38 eq pop3
access-list serv_pub permit tcp any host x.x.x.38 eq www
access-list serv_pub deny tcp any eq 5050 any
access-list serv_pub deny tcp object-group yahoo any
access-list serv_pub deny tcp any any eq 5050
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo
pager lines 24
logging timestamp
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.37 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location pc_adnan 255.255.255.255 inside
pdm location web_srv 255.255.255.255 inside
pdm location mail_srv 255.255.255.255 inside
pdm location 195.229.172.15 255.255.255.255 outside
pdm location yahoo 255.255.255.255 outside
pdm location yahoo3 255.255.255.255 outside
pdm location yahoo1 255.255.255.255 outside
pdm location yahoo2 255.255.255.255 outside
pdm location yahoo4 255.255.255.255 outside
pdm location yahoo_all 255.255.255.0 outside
pdm location 216.155.193.186 255.255.255.255 outside
pdm location 192.168.1.4 255.255.255.255 inside
pdm group yahoo outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.40-x.x.x.45
global (outside) 1 x.x.x.46
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.39 web_srv netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.38 mail_srv netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.36 192.168.1.4 netmask 255.255.255.255 0 0
access-group serv_pub in interface outside
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http pc_adnan 255.255.255.255 inside
snmp-server host inside pc_adnan
snmp-server location XXXXXX
snmp-server contact XXXXX
snmp-server community XXXXX
snmp-server enable traps
tftp-server inside pc_adnan/firewall_config
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
: end
[OK]
Question by:adnanj76
4 Comments
 
Accepted Solution by: lrmoore (LVL 79, earned 1000 total points)
ID: 12517935
Real quick, I can tell you that your order of access-list entries is important.
ACLs are processed top-down. In your case the permit "any" is met before the deny, so nothing will ever be denied.

>access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
>access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo

Try reversing them, and deny source port of 5050 from getting out:
no access-list inside_in
access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo
access-list inside_in deny tcp any eq 5050 any  
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
/-- re-apply the acl after changes:
   access-group inside_in in interface inside


As a side note, if you don't have written, enforceable acceptable use policies that you can roll up and whack your users on the head with when they violate the policy of no YIM/MSN use on the company network, then you will always be fighting this battle... until the first person gets fired for violating the policy. You can't solve a management/user issue with technology; you can only partially enforce and partially monitor compliance with policies. Period.

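To make the ordering point concrete, here is an added example (not part of the thread, and not Cisco's or lrmoore's code): a small first-match evaluator for the subset of PIX 6.3 access-list syntax used on this page. It parses the two inside_in orderings from the posted config and the accepted answer, expands the `yahoo` object-group into networks, and walks each list top-down for a few constructed flows. The client source ports, the 198.51.100.x "other web site" addresses and the flow labels are assumptions made up for the demonstration; the Yahoo addresses are the ones from the question. Because the evaluator keys on whether `eq 5050` appears before or after the destination address, it also shows exactly which packets that entry catches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the "yahoo" object-group from the posted
# config, expanded to (network, mask) pairs instead of PIX "name" aliases.
OBJECT_GROUPS = {
    "yahoo": [
        ("216.136.227.21", "255.255.255.255"),
        ("216.155.193.139", "255.255.255.255"),
        ("216.155.193.177", "255.255.255.255"),
        ("216.155.193.178", "255.255.255.255"),
        ("216.155.193.153", "255.255.255.255"),
        ("216.155.193.0", "255.255.255.0"),
        ("216.155.193.186", "255.255.255.255"),
    ],
}

@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp", "icmp"
    src: list                 # list of ip_network
    src_port: Optional[int]   # None = any port
    dst: list
    dst_port: Optional[int]
    text: str                 # original line, kept for reporting

def _addr(tokens, i):
    """Parse one address spec at tokens[i]: any | host A | A MASK | object-group G."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tok == "object-group":
        nets = [ipaddress.ip_network(f"{a}/{m}") for a, m in OBJECT_GROUPS[tokens[i + 1]]]
        return nets, i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2

def _port(tokens, i):
    """Optional 'eq N' following an address spec (numeric ports only here)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_acl(config_text, name):
    """Return the ACEs of access-list `name` in the order the PIX stores them."""
    aces = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append(Ace(action, proto, src, sport, dst, dport, line.strip()))
    return aces

def _in(nets, ip):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def first_match(config_text, name, proto, src, sport, dst, dport):
    """Top-down, first-match evaluation; implicit deny when nothing matches."""
    for n, ace in enumerate(parse_acl(config_text, name), start=1):
        if ace.proto not in ("ip", proto):
            continue
        if not _in(ace.src, src) or not _in(ace.dst, dst):
            continue
        if ace.src_port not in (None, sport) or ace.dst_port not in (None, dport):
            continue
        return ace.action, n          # (action, 1-based ACE number)
    return "deny", None

# The inside_in list as posted in the question (permit first)...
ORIGINAL_ORDER = """\
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo
"""
# ...and as rewritten in the accepted answer (denies first).
REORDERED = """\
access-list inside_in deny tcp 192.168.1.0 255.255.255.0 object-group yahoo
access-list inside_in deny tcp any eq 5050 any
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
"""

# Constructed flows (proto, src, sport, dst, dport): a YIM login to a listed
# Yahoo host, the same host over 443, an unrelated HTTPS site, and port 5050
# to a server that is not in the object-group.
FLOWS = {
    "yim_listed":   ("tcp", "192.168.1.10", 3456, "216.155.193.177", 5050),
    "yahoo_ssl":    ("tcp", "192.168.1.10", 3457, "216.155.193.177", 443),
    "other_ssl":    ("tcp", "192.168.1.10", 3458, "198.51.100.7", 443),
    "yim_unlisted": ("tcp", "192.168.1.10", 3459, "198.51.100.8", 5050),
}

def evaluate_all(config_text):
    """Map each constructed flow to the action the given inside_in list takes."""
    return {k: first_match(config_text, "inside_in", *f)[0] for k, f in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("original order", ORIGINAL_ORDER), ("reordered", REORDERED)):
        print(label)
        for k, f in FLOWS.items():
            action, n = first_match(acl, "inside_in", *f)
            print(f"  {k:13} {f[3]}:{f[4]:<5} -> {action} (ACE {n})")
```

With the original order every flow hits ACE 1 and is permitted, which is the behaviour the asker saw. With the reordered list, anything to a host in the object-group is denied regardless of port (including 443, so the group deny is what stops a Yahoo client that falls back to SSL), while HTTPS to an unrelated site still passes. The `deny tcp any eq 5050 any` entry matches on the source port, so a client using an ephemeral source port towards an unlisted server on destination port 5050 falls through to the permit; only the object-group entry covers the servers it lists, which is why the asker kept having to add addresses.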
Expert Comment by: lrmoore (LVL 79)
ID: 13703181
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}