Configure PIX to deny an internal IP access to the Internet

Hi, there,
I'm configuring a PIX firewall. I need to block all outgoing traffic from a machine whose IP is 192.168.5.115. Here is the brief configuration:

access-list 155 permit tcp host 192.168.4.249 any eq smtp
access-list 155 deny tcp any any eq smtp
access-list 155 deny ip host 192.168.5.115 any
access-list 155 permit ip any any


access-group 155 in interface inside


But that computer still seems to be able to access the Internet. What's wrong with the configuration?
Thank you very much!
Jack
 
palinitr commented:
This may seem like a daft question, but is the machine going through a proxy for its internet access? That would then explain why it can still access the internet.
 
urbuddy (Author) commented:
Palinitr: thanks for the response.
I have a PIX firewall that handles the Internet access for the whole network. There is no proxy server. The PIX is the only device that is connected to the T1 router.
I omitted the rest of the PIX configuration and only posted the related part of it.
Actually I think only these 3 commands should do the work:

access-list 155 deny ip host 192.168.5.115 any
access-list 155 permit ip any any
.......
access-group 155 in interface inside
But 192.168.5.115 can still access the Internet.

The PIX internal IP is 192.168.4.1; it connects to a router whose other side is 192.168.5.X.
Here is the configuration:
 :
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ssssssssss encrypted
passwd ssssssssss encrypted
hostname zzz
domain-name xyz.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 100 permit ip 192.168.4.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 130 permit ip 192.168.4.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 140 permit ip 192.168.4.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 110 permit tcp any host x.x.x.194 eq pop3
access-list 110 permit tcp any host x.x.x.194 eq https
access-list 110 permit tcp any host x.x.x.194 eq 3389
access-list 110 permit tcp any host x.x.x.194 eq 4000
access-list 110 permit tcp any host x.x.x.194 eq 5222
access-list 110 permit tcp any host x.x.x.194 eq ftp
access-list 110 permit tcp any host x.x.x.194 eq 4002
access-list 110 permit tcp any host x.x.x.194 eq 4136
access-list 110 permit tcp any host x.x.x.194 eq 3391
access-list 110 deny ip x.104.0.0 255.252.0.0 host x.x.x.194
access-list 110 deny ip x.180.0.0 255.255.0.0 host x.x.x.194
access-list 110 deny ip x.181.0.0 255.255.0.0 host x.x.x.194
access-list 110 permit tcp any host x.x.x.194 eq 5000
access-list 110 deny tcp any any eq pop3
access-list 110 permit tcp any host x.x.x.194 eq 4200
access-list 110 permit tcp any host x.x.x.194 eq 5002
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit tcp any host x.x.x.196 eq www
access-list 110 permit tcp any host x.x.x.196 eq imap4
access-list 110 permit tcp Y.Y.Y.0 255.255.255.0 host x.x.x.196 eq smtp

access-list 110 deny tcp any any eq smtp
access-list 110 permit tcp any host x.x.x.194 eq 6000
access-list 199 permit ip any 192.168.99.0 255.255.255.0
access-list split permit ip 192.168.4.0 255.255.255.0 any
access-list split permit ip 192.168.5.0 255.255.255.0 any
access-list 150 permit ip 192.168.4.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 160 permit ip 192.168.4.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 111 permit tcp host 192.168.4.251 any eq smtp
access-list 111 permit tcp host 192.168.5.104 any eq smtp
access-list 111 permit tcp host 192.168.5.104 any eq pop3
access-list 111 permit ip any any
access-list 155 permit tcp host 192.168.4.249 any eq smtp
access-list 155 deny tcp any any eq smtp
access-list 155 deny ip host 192.168.5.115 any
access-list 155 permit ip any any
pager lines 24
logging on
logging console debugging
logging trap debugging
logging history debugging
logging host inside 192.168.4.240
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.194 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.99.1-192.168.99.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 192.168.4.251 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.4.251 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 192.168.4.200 4000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5222 192.168.4.248 5222 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.4.248 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4136 192.168.4.136 4136 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5000 192.168.4.240 5000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.4.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4200 192.168.4.248 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4002 192.168.4.100 4002 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5002 192.168.5.122 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6000 192.168.4.252 3389 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.196 192.168.4.249 netmask 255.255.255.255 0 0
access-group 110 in interface outside
access-group 155 in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route inside 192.168.5.0 255.255.255.0 192.168.4.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
.......
.......
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd ping_timeout 750
terminal width 80

: end

Thank you very much!
 
palinitr commented:
Won't the following give the IP address 192.168.5.115 full access to anywhere?

access-list split permit ip 192.168.5.0 255.255.255.0 any
 
urbuddy (Author) commented:
You are right, I cannot tell where that statement came from. Seems like some old VPN configuration left over.
I could not find the "split" anywhere else in the configuration; there is no "Access Group" associated with it. I think it's just a "dead statement". Am I right?
Thanks!
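As an added example (not code from the thread or from the PIX itself), the script below models PIX first-match ACL evaluation and access-group binding over a constructed subset of the configuration posted above. It shows that ACL 155 as written does deny 192.168.5.115 outbound (so the ACL text itself is not the problem), and that the "split" list is defined but applied to no interface, i.e. a dead statement. The destination address 198.51.100.10 and the small service-name table are assumptions for the demonstration.

```python
import ipaddress

# Constructed subset of the PIX 6.3 config from the thread: ACL 155, the
# orphaned "split" list and the access-group bindings. Not a full parser.
CONFIG = """
access-list split permit ip 192.168.5.0 255.255.255.0 any
access-list 155 permit tcp host 192.168.4.249 any eq smtp
access-list 155 deny tcp any any eq smtp
access-list 155 deny ip host 192.168.5.115 any
access-list 155 permit ip any any
access-group 110 in interface outside
access-group 155 in interface inside
"""

PORTS = {"smtp": 25, "pop3": 110, "www": 80, "https": 443}  # assumed subset

def parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    """Return ({acl_name: [(action, proto, src, dst, port)]}, {interface: acl_name})."""
    acls, bindings = {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, rest = parse_addr(t[4:])
            dst, rest = parse_addr(rest)
            port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif t[0] == "access-group":
            bindings[t[4]] = t[1]          # interface -> ACL applied to it
    return acls, bindings

def evaluate(acl, proto, src, dst, port):
    """PIX first-match: action of the first matching ACE, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in acl:
        if aproto not in ("ip", proto) or s not in asrc or d not in adst:
            continue
        if aport is not None and aport != port:
            continue
        return action
    return "deny"

def unbound_acls(acls, bindings):
    """ACLs that exist but are applied to no interface (the thread's dead 'split' list)."""
    return sorted(set(acls) - set(bindings.values()))
```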
 
palinitr commented:
Yeah, I think you're right. I can't see any reason why it's in there.
 
Texas_Billy commented:
Sounds like you still have a translation in the PIX xlation table.  Log into your pix, and do a "clear xlate local", then a "clear arp".  You won't have to reboot the pix, and your users won't have any interruption.

You're waiting on an arp timeout, which has a default value of 8 hours.  This host could be doing any number of things to keep resetting that until you manually wipe out the translation table.  --TX
 
urbuddy (Author) commented:
TX,
I think you are right. I changed the PIX yesterday, and it looks like the PIX is doing its work now; there is no traffic from that node to the Internet. Obviously, it's been 24 hours now :-)
I will double check to see if the Internet access from that computer was shut down by the user or by the PIX. I will let you know.
Thank you very much!
 
Feroz Ahmed (Senior Network Engineer) commented:
Hi,

To deny all traffic to that particular system with the IP 192.168.5.115, one should configure the access-list as below:

ASA(config)#access-list 155 deny icmp host 192.168.5.115 any echo-reply
 
Ernie Beek (Expert) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.