tssiva
asked on
Blocking LogMeIn under PIX Firewall
Hi All,
How can you block the LogMeIn service using a PIX 506E firewall? I am using ver 6.3.5.
Please let me know
Thanks.
The easiest way would be to create a bogus dns domain for logmein.com and send all the requests coming to this domain to a non-existent ip address. Easy to manage, easily achievable.
Cheers,
Rajesh
I did some testing and found that they have at least 17 different servers setup to be gateway servers. Their DNS names are app01-app17.logmein.com. The IP addresses for these servers are not on the same network segment which makes this a little more tricky. This might not be a complete list, but you get the idea about how to perform the blocking. Here is the IP list:
63.208.197.11 app01.logmein.com
63.208.197.12 app02.logmein.com
63.208.197.13 app03.logmein.com
63.208.197.14 app04.logmein.com
63.208.197.15 app05.logmein.com
63.208.197.16 app06.logmein.com
63.209.251.17 app07.logmein.com
63.209.251.18 app08.logmein.com
63.209.251.19 app09.logmein.com
63.209.251.20 app10.logmein.com
63.209.251.21 app11.logmein.com
63.209.251.22 app12.logmein.com
63.209.251.23 app13.logmein.com
63.208.197.24 app14.logmein.com
63.208.197.25 app15.logmein.com
63.208.197.26 app16.logmein.com
63.208.197.27 app17.logmein.com
As you can see, they did not use contiguous addressing in the setup, probably to increase their uptime in case their ISP has network problems. So to block these destination IP addresses in the outbound direction, here are the commands for a PIX firewall. These should be entered from "config" mode on the PIX.
access-list acl_out deny tcp any host 63.208.197.11 eq https
access-list acl_out deny tcp any host 63.208.197.12 eq https
access-list acl_out deny tcp any host 63.208.197.13 eq https
access-list acl_out deny tcp any host 63.208.197.14 eq https
access-list acl_out deny tcp any host 63.208.197.15 eq https
access-list acl_out deny tcp any host 63.208.197.16 eq https
access-list acl_out deny tcp any host 63.209.251.17 eq https
access-list acl_out deny tcp any host 63.209.251.18 eq https
access-list acl_out deny tcp any host 63.209.251.19 eq https
access-list acl_out deny tcp any host 63.209.251.20 eq https
access-list acl_out deny tcp any host 63.209.251.21 eq https
access-list acl_out deny tcp any host 63.209.251.22 eq https
access-list acl_out deny tcp any host 63.209.251.23 eq https
access-list acl_out deny tcp any host 63.208.197.24 eq https
access-list acl_out deny tcp any host 63.208.197.25 eq https
access-list acl_out deny tcp any host 63.208.197.26 eq https
access-list acl_out deny tcp any host 63.208.197.27 eq https
access-list acl_out permit ip any any
Then, apply this to the inside interface with the following command:
access-group acl_out in interface inside
The last statement in the above ACL is to allow all of your other Internet traffic originating from inside the network to still flow as it does now. Assuming you do not currently have an ACL applied to the inside interface, this last statement is necessary because of the implicit "deny" behavior at the end of a PIX ACL.
Be very careful when applying this ACL to the inside interface since you will now have to explicitly allow any traffic that you want to allow to the outside from your inside network because of the application of this ACL. This includes normal HTTP traffic, DNS lookups, NTP for time syncs, various ports for streaming media, etc. The last statement in the ACL should take care of all of this for you so be sure to include some sort of global "catch all" permit statement like that...otherwise you will probably have your users waiting at your door with pitchforks and torches! :-)
Hope this helps...
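As an added illustration (not part of the answer above, and not a Cisco tool), the following Python generates the PIX 6.x ACL from a host-to-IP list and then checks a finished ACL for the pitfalls the answer warns about: an entry with the ACL name missing, a gateway left undenied, and a missing or misplaced catch-all permit. The gateway list is a constructed sample taken from the posted addresses; LogMeIn's real addresses change over time, so it is input, not an authoritative block list.

```python
import re

# Constructed sample input, copied from the list posted in the answer above.
GATEWAYS = {
    "app01.logmein.com": "63.208.197.11",
    "app07.logmein.com": "63.209.251.17",
    "app14.logmein.com": "63.208.197.24",
}

# Matches the PIX 6.x access-list syntax used in the answer (name, action,
# protocol, "any" or "host X" for source and destination, optional "eq port").
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)(?:\s+eq\s+(?P<port>\S+))?$"
)

def build_acl(name, gateways, interface="inside"):
    """Deny outbound HTTPS to each gateway, add the catch-all permit last,
    and bind the ACL inbound on the inside interface."""
    lines = [f"access-list {name} deny tcp any host {ip} eq https"
             for _, ip in sorted(gateways.items(), key=lambda kv: kv[1])]
    lines.append(f"access-list {name} permit ip any any")
    lines.append(f"access-group {name} in interface {interface}")
    return lines

def check_acl(lines, gateways):
    """Return a list of problems found in the access-list entries; an empty
    list means every gateway is denied and the catch-all permit is last."""
    problems, names, denied, catch_all_idx = [], set(), set(), None
    entries = [ACL_RE.match(l.strip()) for l in lines if l.startswith("access-list")]
    for i, m in enumerate(entries):
        if m is None:  # e.g. "access-list permit ip any any" with no ACL name
            problems.append(f"unparsable entry {i}: check the ACL name")
            continue
        names.add(m["name"])
        if m["action"] == "deny" and m["dst"].startswith("host "):
            denied.add(m["dst"].split()[1])
        if (m["action"], m["proto"], m["src"], m["dst"]) == ("permit", "ip", "any", "any"):
            catch_all_idx = i
    if len(names) > 1:
        problems.append(f"entries use different ACL names: {sorted(names)}")
    for host, ip in sorted(gateways.items()):
        if ip not in denied:
            problems.append(f"{host} ({ip}) is not denied")
    if catch_all_idx is None:
        problems.append("no catch-all 'permit ip any any' (implicit deny drops everything else)")
    elif catch_all_idx != len(entries) - 1:
        problems.append("catch-all permit is not the last entry")
    return problems
```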