
Building Access-List

Status
Not open for further replies.

trent1980

IS-IT--Management
Dec 18, 2002
36
Are access-lists the best way to go for denying and permitting packets? My boss has requested we block our users from authenticating to AOL or MSN Messenger. The problem is that we have a large amount of "conduits" to allow access through our DMZ, inside and outside. I tried to replace them all with access-lists but I run into problems. If our inside was 192.168.1.*, our DMZ was 192.168.2.0, and our outside was 4.4.4.0/24 -- what would be a set of ACLs to set up to allow web traffic in to a statically mapped DMZ address, but allow all servers in the DMZ to access the internet? I seem to have trouble distinguishing what you are letting in versus what you are letting out. I need clarification on whether ACLs are blocking/permitting outgoing or incoming traffic.

thanks,
trent --

If you want current configs or configs that I've tried, please let me know.
 
trent1980 - you mentioned "...block our users from authenticating to Aol or Msn messenger"

First off, I don't think you'll block messaging and instant messaging with PIX alone. The providers have dozens of servers that change addresses regularly. Not to mention they all failover to port 80, so unless you want to stop all web traffic you're out of luck blocking ports.

You need a content blocking product that will do URL blocking.

And second - yes, access-lists are the way to go - because conduits are really not supported by Cisco anymore. However, combining conduits and access-lists is tough. I'd recommend sticking with conduits until you can phase them out. I reconfigured my PIX over a period of time to eliminate them.

Interested to see if you have success. I tried it a year or so ago - built massive lists of all blocked IP addresses and server names/addresses. Unfortunately you'll end up blocking the President's access to his stock reports or business news feeds at the same time. "If you lived here, you'd be home by now!"

George Carlin
 
trent1980 - sorry I neglected to mention the product - I think Cisco supports Websense as their content filter.

"If you lived here, you'd be home by now!"

George Carlin
 
Thanks for the replies -- my access lists work fine for the inside and outside ... but I run into problems with my DMZ. We have the security set on the interfaces and I like letting that control access through the networks. I don't want to run any conduits because it doesn't allow anything but logging when I use the PDM until I get rid of the conduits. I thought I had it all worked out with the open ports from DMZ to inside, but then it turned out that they didn't have internet access and all hell broke loose. If I add "access-list acl_dmz permit ip any any" to the DMZ, does that give every box in the DMZ permission to both the internet/outside and the inside? If I put "access-list acl_outside permit ip any any" (applied to outside) it allows all access back in to my network from the NAT'd outside address. Seems like the access-lists take precedence over the interface security, which seems lame to me. If you know any how-to's or reading on "access-lists" with Cisco PIX 520 running IOS 6.0(1), please let me know - if you want my configs, let me know and I'll email them to you or post them.
thanks again,
Trent
 
trent1980 - I posted this over on an earlier post and it looks like just what you need - What does Cisco mean by "in" and "out" an interface? Maybe I'll just make it an FAQ. Even though PIX does not support the "out" option, it really helped me when I was figuring it out:

Oh - just replace the word "router" with the word PIX.

Good read on building ACLs - remember this is for routers but the logic holds true where it defines "in" and "out". (You need a CCO login to see it.)

"Applying ACLs
You can define ACLs without applying them. However, the ACLs will have no effect until they are applied to the router's interface. It is a good practice to apply the ACL on the interface closest to the source of the traffic. As shown in the example below, when you are trying to block traffic from source to destination, you can apply an inbound ACL to E0 on router A instead of an outbound list to E1 on router C.

Defining In, Out, Source, and Destination
The terms "in", "out", "source", and "destination" are used as referenced by the router. Traffic on the router could be compared to traffic on the highway. If you were a law enforcement officer in Pennsylvania and wanted to stop a truck going from Maryland to New York, the truck's source would be Maryland and the truck's destination would be New York. The roadblock could be applied at the Pennsylvania–New York border ("out") or the Maryland–Pennsylvania border ("in").

When referring to a router, these terms have the following meanings.

Out - Traffic that has already been through the router and is leaving the interface; the source would be where it's been (on the other side of the router) and the destination is where it's going.

In - Traffic that is arriving on the interface and which will go through the router; the source would be where it's been and the destination is where it's going (on the other side of the router).
The "in" ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The "out" ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied."

"If you lived here, you'd be home by now!"

George Carlin
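To tie the quoted "in" definition back to the topology in the opening question (inside 192.168.1.0/24, DMZ 192.168.2.0/24, outside 4.4.4.0/24), here is an added example PIX 6.x configuration. It was not posted by anyone in this thread and is not taken from Cisco's documentation; the interface names, the DMZ web server 192.168.2.10, its mapped address 4.4.4.10, and the inside DNS server 192.168.1.20 are all assumed values. Lines beginning with ":" are PIX comment lines.

```cisco
: Added example, not from the thread. Assumed addresses: inside 192.168.1.0/24
: (security100), dmz 192.168.2.0/24 (security50), outside 4.4.4.0/24 (security0).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 4.4.4.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

: Outbound translation: inside and dmz hosts going to the outside are PATed
: behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0

: Identity static: inside hosts keep their real addresses when seen from the
: dmz, so dmz ACL entries can name inside hosts directly. The static also
: supplies the translation inside hosts need to initiate connections into the dmz.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

: Public web server (assumed): 4.4.4.10 on the outside maps to 192.168.2.10 in the dmz.
static (dmz,outside) 4.4.4.10 192.168.2.10 netmask 255.255.255.255 0 0

: Outside ACL = traffic arriving "in" on the outside interface, i.e. sourced
: from the Internet. Use the mapped (global) address here, not 192.168.2.10.
: Only HTTP to the web server is allowed; the implicit deny drops the rest.
access-list acl_outside permit tcp any host 4.4.4.10 eq www
access-group acl_outside in interface outside

: DMZ ACL = traffic arriving "in" on the dmz interface, i.e. sourced from dmz hosts.
: Binding an access-group here replaces the security-level rule for this interface,
: so "permit ip any any" would let every dmz box reach the inside as well.
: Order: the specific dmz->inside exception (assumed DNS server) first,
: then deny everything else to the inside, then permit the rest (the Internet).
access-list acl_dmz permit udp host 192.168.2.10 host 192.168.1.20 eq domain
access-list acl_dmz deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_dmz permit ip 192.168.2.0 255.255.255.0 any
access-group acl_dmz in interface dmz

: No ACL is bound to the inside interface, so it keeps the default behaviour:
: higher security (inside) may initiate to lower security (dmz, outside).
```

The rule of thumb the example illustrates: on a PIX the only direction is `in`, so `access-group X in interface Y` always filters what the hosts on Y's network send, with destinations on every other interface. The outside list therefore controls what comes in from the Internet, the dmz list controls what the DMZ servers may reach (both Internet and inside), and leaving the inside interface without a list keeps the security-level behaviour the thread wanted to preserve. A useful check after applying it is `show access-list`, which prints hit counts per entry, so a DMZ host that "has no internet access" can be traced to the entry that is matching (or not matching) its traffic.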
 