

PIX 515E configuration? to block MSN and Yahoo messenger

Posted on 2004-11-07
Medium Priority
Last Modified: 2012-06-27
Hi all,

I have a PIX 515E running PIX Version 6.3(3), a very simple two-interface firewall (inside and outside). I was trying to block MSN (IM) access, YIM (Yahoo Instant Messenger) and Yahoo chat from the network; I tried a couple of things but they didn't work.

The problem I'm facing with MSN is that it works on the SSL port; if I block the SSL port it blocks all the other important sites which use SSL.

With Yahoo, I tried both ways, by blocking port 5050 access and also by blocking the YIM host servers, but every time I block a server it finds another server to connect to; I don't know how many more servers they have.

Please advise me on the solution.

I'm attaching my firewall config below, though in some places I have x'ed out the IP addresses for privacy. :-)


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ########### encrypted
passwd ########### encrypted
hostname fw
domain-name hyess.com
clock timezone GST 4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name pc_adnan
name mail_srv
name web_srv
name yahoo
name yahoo3
name yahoo2
name yahoo1
name yahoo4
name yahoo_all
object-group network yahoo
  network-object yahoo3
  network-object yahoo1
  network-object yahoo
  network-object yahoo2
  network-object yahoo4
  network-object yahoo_all
access-list serv_pub permit icmp any any echo-reply
access-list serv_pub permit icmp any any time-exceeded
access-list serv_pub permit icmp any any unreachable
access-list serv_pub permit tcp any host x.x.x.39 eq www
access-list serv_pub permit tcp any host x.x.x.38 eq smtp
access-list serv_pub permit tcp any host x.x.x.39 eq ftp
access-list serv_pub permit tcp any host x.x.x.38 eq pop3
access-list serv_pub permit tcp any host x.x.x.38 eq www
access-list serv_pub deny tcp any eq 5050 any
access-list serv_pub deny tcp object-group yahoo any
access-list serv_pub deny tcp any any eq 5050
access-list inside_in permit ip any
access-list inside_in deny tcp object-group yahoo
pager lines 24
logging timestamp
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.37
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location pc_adnan inside
pdm location web_srv inside
pdm location mail_srv inside
pdm location outside
pdm location yahoo outside
pdm location yahoo3 outside
pdm location yahoo1 outside
pdm location yahoo2 outside
pdm location yahoo4 outside
pdm location yahoo_all outside
pdm location outside
pdm location inside
pdm group yahoo outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.40-x.x.x.45
global (outside) 1 x.x.x.46
nat (inside) 1 0 0
static (inside,outside) x.x.x.39 web_srv netmask 0 0
static (inside,outside) x.x.x.38 mail_srv netmask 0 0
static (inside,outside) x.x.x.36 netmask 0 0
access-group serv_pub in interface outside
access-group inside_in in interface inside
route outside x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http pc_adnan inside
snmp-server host inside pc_adnan
snmp-server location XXXXXX
snmp-server contact XXXXX
snmp-server community XXXXX
snmp-server enable traps
tftp-server inside pc_adnan/firewall_config
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
: end
Question by:adnanj76
LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 12517935
Real quick, I can tell you that the order of your access-list entries is important.
ACLs are processed top-down. In your case the permit "any" is matched before the deny, so nothing will ever be denied.

>access-list inside_in permit ip any
>access-list inside_in deny tcp object-group yahoo

Try reversing them, and deny source port of 5050 from getting out:
no access-list inside_in
access-list inside_in deny tcp object-group yahoo
access-list inside_in deny tcp any eq 5050 any  
access-list inside_in permit ip any
/-- re-apply the acl after changes:
   access-group inside_in in interface inside

As a side note, if you don't have written, enforceable acceptable use policies that you can roll up and whack your users on the head with when they violate the policy of no YIM/MSN use on the company network, then you will always be fighting this battle... until the first person gets fired for violating the policy. You can't solve a management/user issue with technology; you can only partially enforce and partially monitor compliance with policies. Period.
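Added example, not from the original post or from Cisco: a small Python model of PIX first-match ACL evaluation that replays the poster's ordering and the accepted answer's ordering against a constructed YIM packet and reports which entry caught it. It assumes the entries in full PIX 6.3 form (permit ip any any, deny tcp any object-group yahoo), and the object-group addresses are placeholders.

```python
# Constructed placeholder addresses standing in for the poster's object-group "yahoo".
OBJECT_GROUPS = {"yahoo": ["198.51.100.10", "198.51.100.11"]}

def _endpoint(tokens):
    """Consume one address spec plus optional 'eq PORT' from a PIX 6.3 ACE."""
    kind = tokens.pop(0)
    if kind == "any":
        addrs = None                      # None means every address matches
    elif kind == "object-group":
        addrs = OBJECT_GROUPS[tokens.pop(0)]
    else:
        raise ValueError("unsupported address spec: " + kind)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return addrs, port

def parse_ace(line):
    """'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' -> dict."""
    _, _, action, proto, *rest = line.split()
    src, sport = _endpoint(rest)
    dst, dport = _endpoint(rest)
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport)

def _matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):           # address checks
        if ace[side] is not None and pkt[side] not in ace[side]:
            return False
    for port in ("sport", "dport"):       # 'eq' port checks
        if ace[port] is not None and pkt[port] != ace[port]:
            return False
    return True

def evaluate(acl_lines, pkt):
    """PIX semantics: top-down, first match wins, implicit deny at the end.
    Returns (action, 1-based position of the entry that matched, or None)."""
    for pos, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if _matches(ace, pkt):
            return ace["action"], pos
    return "deny", None

# The poster's ordering (permit first) versus the accepted answer's ordering.
ORIGINAL_ACL = ["access-list inside_in permit ip any any",
                "access-list inside_in deny tcp any object-group yahoo"]
FIXED_ACL = ["access-list inside_in deny tcp any object-group yahoo",
             "access-list inside_in deny tcp any eq 5050 any",
             "access-list inside_in permit ip any any"]
YIM_PKT = dict(proto="tcp", src="10.0.0.5", sport=3456, dst="198.51.100.10", dport=5050)
```

With the original ordering the YIM packet is permitted by entry 1 and the deny is never reached; with the reversed ordering the object-group deny catches it first while ordinary HTTPS browsing still falls through to the final permit.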

LVL 79

Expert Comment

ID: 13703181
How's it going? Have you found a solution? Do you need more information?
Can you close this question?


Thanks for attending to this long-forgotten question.

