Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Block MSN Messenger 5 thru PIX 501
- Thread starter FCCC
- Start date
HI.
It is difficult to block this at the pix without additional servers.
The best solution is to implement some kind of content filter server.
For example, you can implement a web proxy server with content filter software, and at the pix allow only the proxy, dns, and mail servers to directly go out to the Internet.
Yizhar Hurwitz
It is difficult to block this at the pix without additional servers.
The best solution is to implement some kind of content filter server.
For example, you can implement a web proxy server with content filter software, and at the pix allow only the proxy, dns, and mail servers to directly go out to the Internet.
Yizhar Hurwitz
- Thread starter
- #3
- Thread starter
- #5
From what I gather it is free, I saw no software limitations or trial bull.
Say you install it on one machine that is always on. Suppose it's 192.168.0.1, after the proxy installation you start it up, than right click the green proxy icon on the taskbar and select configure, for Proxy Binding you enter 192.168.0.1, click everything off except for HTTP or possibly POP3 and you click OK.
Now you go to all client machines, open IE properties, connections, LAN, proxy server, you enter 192.168.0.1 and port 6588.
Now go to your firewall, close port 80 for all except for 192.168.0.1. On pix you must have an access-list limiting the outgoing connections, simply remove port 80 statement and replace it with:
access-list inside permit tcp host 192.168.0.1 any eq 80
and you're done. You'll need one for pop3 as well.
Say you install it on one machine that is always on. Suppose it's 192.168.0.1, after the proxy installation you start it up, than right click the green proxy icon on the taskbar and select configure, for Proxy Binding you enter 192.168.0.1, click everything off except for HTTP or possibly POP3 and you click OK.
Now you go to all client machines, open IE properties, connections, LAN, proxy server, you enter 192.168.0.1 and port 6588.
Now go to your firewall, close port 80 for all except for 192.168.0.1. On pix you must have an access-list limiting the outgoing connections, simply remove port 80 statement and replace it with:
access-list inside permit tcp host 192.168.0.1 any eq 80
and you're done. You'll need one for pop3 as well.
HI.
Another free or low cost solution can be made up the following:
Yizhar Hurwitz
Another free or low cost solution can be made up the following:
Yizhar Hurwitz
- Thread starter
- #8
Hi NOktar,
I have installed AnalogX proxy but I am stuck on my PIX configuration. When you said "Close Port 80", do you mean I have to disable it form "fixup" on System Properties tab?
Another question is do I need to add another inside interface with an IP address of my proxy?
Thanks again for the help.
I have installed AnalogX proxy but I am stuck on my PIX configuration. When you said "Close Port 80", do you mean I have to disable it form "fixup" on System Properties tab?
Another question is do I need to add another inside interface with an IP address of my proxy?
Thanks again for the help.
From the post above:
Now go to your firewall, close port 80 for all except for 192.168.0.1.
On pix you MUST have an ACCESS-LIST (not fixup) limiting the outgoing connections.
If you are not familiar with access-list statements this method will not work for you.
Now go to your firewall, close port 80 for all except for 192.168.0.1.
On pix you MUST have an ACCESS-LIST (not fixup) limiting the outgoing connections.
If you are not familiar with access-list statements this method will not work for you.
- Thread starter
- #10
Here is my configuration but it doesn't work. Can you please tell me what is wrong? Thanks alot.
Building configuration...
: Saved
PIX Version 6.2(2)
nameif ethernetO outside security0
nameif ethernet1 inside security100
enable password nsKAF9.P13rK11sn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name fccc.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol http 80
names
access-list inside_access_in deny tcp any any eq aol
access-list inside access in deny tcp any any eq 569
access-list inside=access_in permit ip any any
access-list inside_access_in deny tcp any any eq 1863
access-list inside access_in permit tcp host 192.168.1.12 any eq www
access-list inside=access_in permit tcp host 192.168.1.12 any eq pop3
pager lines 24
interface ethernetO 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 65.107.100.99 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.224 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside access in in interface inside
route outside 0.0.0.0 0.0.0.0 65.107.100.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns 207.155.184.72 206.173.119.72
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
Building configuration...
: Saved
PIX Version 6.2(2)
nameif ethernetO outside security0
nameif ethernet1 inside security100
enable password nsKAF9.P13rK11sn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name fccc.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol http 80
names
access-list inside_access_in deny tcp any any eq aol
access-list inside access in deny tcp any any eq 569
access-list inside=access_in permit ip any any
access-list inside_access_in deny tcp any any eq 1863
access-list inside access_in permit tcp host 192.168.1.12 any eq www
access-list inside=access_in permit tcp host 192.168.1.12 any eq pop3
pager lines 24
interface ethernetO 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 65.107.100.99 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.224 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside access in in interface inside
route outside 0.0.0.0 0.0.0.0 65.107.100.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns 207.155.184.72 206.173.119.72
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
- Thread starter
- #11
bwilliam13
IS-IT--Management
access-list inside=access_in permit ip any any
that line is your problem. you're permitting everything ip-related going out. you either need to remove it, or you need to explicitly DENY tcp port 80.
that line is your problem. you're permitting everything ip-related going out. you either need to remove it, or you need to explicitly DENY tcp port 80.
- Status
Similar threads
- Locked
- Question
- Locked
- Question