Solved

Blocking LogMeIn under PIX Firewall

Posted on 2006-11-01
3
11,653 Views
Last Modified: 2013-11-16
Hi All,

How can you block LogMeIn service using Pix 506E firewall ? I am using ver 6.3.5.

Please let me know

Thanks.
0
Comment
Question by:tssiva
  • 2
3 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 17855931
The LogMeIn service works by installing a client piece of software on the machine you want to remotely control which then establishes an HTTPS tunnel to a "gateway" server located on the LogMeIn network.  Without the use of content filtering software such as Websense (which has a defined protocol for LogMeIn blocking), you can manually block your internal machines from establishing the HTTPS tunnel in outbound by denying TCP 443 in an outbound direction to the pool of LogMeIn gateway server IP addresses.

I did some testing and found that they have at least 17 different servers setup to be gateway servers.  Their DNS names are app01-app17.logmein.com.  The IP addresses for these servers are not on the same network segment which makes this a little more tricky.  This might not be a complete list, but you get the idea about how to perform the blocking.  Here is the IP list:

63.208.197.11  app01.logmein.com
63.208.197.12  app02.logmein.com
63.208.197.13  app03.logmein.com
63.208.197.14  app04.logmein.com
63.208.197.15  app05.logmein.com
63.208.197.16  app06.logmein.com
63.209.251.17  app07.logmein.com
63.209.251.18  app08.logmein.com
63.209.251.19  app09.logmein.com
63.209.251.20  app10.logmein.com
63.209.251.21  app11.logmein.com
63.209.251.22  app12.logmein.com
63.209.251.23  app13.logmein.com
63.208.197.24  app14.logmein.com
63.208.197.25  app15.logmein.com
63.208.197.26  app16.logmein.com
63.208.197.27  app17.logmein.com

As you can see, they did not use contiguous addressing in the setup, probably to increase their uptime in case their ISP has network problems.  So to block, these destination IP addresses in an outbound direction, here are the commands for a PIX firewall.  These should be entered from "config" mode on the PIX.

access-list acl_out deny tcp any host 63.208.197.11 eq https
access-list acl_out deny tcp any host 63.208.197.12 eq https
access-list acl_out deny tcp any host 63.208.197.13 eq https
access-list acl_out deny tcp any host 63.208.197.14 eq https
access-list acl_out deny tcp any host 63.208.197.15 eq https
access-list acl_out deny tcp any host 63.208.197.16 eq https
access-list acl_out deny tcp any host 63.209.251.17 eq https
access-list acl_out deny tcp any host 63.209.251.18 eq https
access-list acl_out deny tcp any host 63.209.251.19 eq https
access-list acl_out deny tcp any host 63.209.251.20 eq https
access-list acl_out deny tcp any host 63.209.251.21 eq https
access-list acl_out deny tcp any host 63.209.251.22 eq https
access-list acl_out deny tcp any host 63.209.251.23 eq https
access-list acl_out deny tcp any host 63.208.197.24 eq https
access-list acl_out deny tcp any host 63.208.197.25 eq https
access-list acl_out deny tcp any host 63.208.197.26 eq https
access-list acl_out deny tcp any host 63.208.197.27 eq https
access-list permit ip any any

Then, apply this to the inside interface with the following command:

access-group acl_out in interface inside

The last statement in the above ACL is to allow all of your other Internet traffic originating from inside the network to still flow as it does now.  Assuming you do not currently have an ACL applied to the inside interface, this last statement is necessary because of the implicit "deny" behavior at the end of a PIX ACL.

Be very careful when applying this ACL to the inside interface since you will now have to explicitly allow any traffic that you want to allow to the outside from your inside network because of the application of this ACL.  This includes normal HTTP traffic, DNS lookups, NTP for time syncs, various ports for streaming media, etc.  The last statement in the ACL should take care of all of this for you so be sure to include some sort of global "catch all" permit statement like that...otherwise you will probably have your users waiting at your door with pitch forks and torches!  :-)

Hope this helps...

0
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 17855941
Oops!  The last statement in the ACL should read:

access-list acl_out permit ip any any

I forgot to specify the name of the ACL in the previous post...
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17868530
The easiest way would be to create a bogus dns domain for logmein.com and send all the requests coming to this domain to a non-existent ip address. Easy to manage, easily achievable.

Cheers,
Rajesh
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco IP Phone upgrade 3 35
Cisco 3750G swithces stack question 3 26
Cisco ASA blocks some https sites. 27 43
VTP servers with 3650 switches 5 27
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

838 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question