permit some connections and deny others

[tomim]

Hi, i defined some rules for the PIX 501 to permit only this
connections :
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq ftp-data
access-list inbound permit tcp any any eq ftp
access-list inbound permit tcp any any eq 5800
access-list inbound permit udp any any eq 5800
access-list inbound permit udp any any eq 5900
access-list inbound permit tcp any any eq 5900
access-list inbound permit tcp any any eq https


I will now deny all other outgoing and incoming connections, for instance voip, smtp a.s.o.
i defined this two rules for incomings, but it does not effect and i dont know how it should be for outgoing connections!
access-list inbound deny tcp any any
access-list inbound deny udp any any
???
What i do wrong?
thanks

 

[DanInRaleigh]

tomim,
did you get this squared away?

put this at the bottom of the "inbound" access-list
..will deny everything else..


access-list inbound deny ip any any

http://www.daniel-white.com

 

[tomim]

Hi Dan, i execute your command, access-list inbound deny ip any any and create a new deny rule at the end of my rules, but the seult is the same, i see that it has no effect!For instance my internet Call, skype and so on still has access to outside and become data frome there!!

Maybe i make some mistake in the configuration!! But i' have no more rule apart from those rules which you see in my config file! any other idea???

 

[DanInRaleigh]

reverse the access-list

access-list outbound permit xxx
access-list outbound deny xxx

#fastethernet 0/0
access-group outbound out

..then your unwanted outbound connections should stop...

http://www.daniel-white.com

 

[horus42]

Did you associate these rules with the interfaces?

 

[br0ck]

There are some things to consider when locking down traffic line this.
1. you will need some hosts to have access to the internet for the following reasons
a. Name resolution (DNS)
b. Some users need access to websites
c. You boss is going to ask to have unrestricted internet
d. You need to get vendor updates for your servers and PCs

Here is what has worked for me

First create some object groups:
Below I create 4 basic object groups the first 2 are going to be websites that everyone needs to get to (you might have a web based app that users use)
The 3rd one is a designation of IPs that you want to have unrestricted access to the internet.
The 4th just defines your internal subnet

object-group network website_A
  description websitea.com IP Addresses
  network-object 66.66.66.0 255.255.255.0

object-group network website_B
  description websiteb.com IP Addresses
  network-object 77.77.77.0 255.255.255.0

object-group network WWW
  description Unrestricted [URL unfurl="true"]WWW Access[/URL]
  network-object host [INSIDE_IP1]
  network-object host [INSIDE_IP2]
  network-object host [INSIDE_IP3]
  network-object host [INSIDE_IP4]
  network-object host [INSIDE_IP5]
  network-object host [INSIDE_IP6]
  network-object host [INSIDE_IP7]

object-group network LAN
  description All hosts on the 192.168.0.0/24 subnet
  network-object 192.168.0.0 255.255.0.0

Ok with the that created now you want to apply the object groups you created to ACL that will govern the traffic

The first one allows that group of IPs in the

http://www object

group access to the internet
(this will most likely be servers, IT Staff and the boss)

The second is permitting the subnet access to website_A (NOTE: to get the ip’s of WEBSITE_A do a dns lookup on then like

http://www.dnsstuff.com

and use their DNS lookup tool enter

http://www.SITE_A.com

and this will return the ip range that they are hasting the

http://www server

on.

The third is the same as the second just a different website
(NOTE: you can make one object for al sites allowed or one for each your choice)

And lastly deny everything else!

access-list outbound remark |Unrestricted internet access hosts|
access-list outbound permit ip object-group [URL unfurl="true"]WWW any[/URL]

access-list outbound remark |Allows all hosts access to website_A hosts|
access-list outbound permit ip object-group LAN object-group website_A

access-list outbound remark |Allows all hosts access to website_B hosts|
access-list outbound permit ip object-group LAN object-group website_B

access-list outbound deny ip any any

I use object group based ACLs because adding and removing permitted traffic and hosts is faster and cleaner that individual ACL lines


Now we apply to an interface (the inside)

Access-group outbound in interface inside

hope this helps!

 

[tomim]

hi guys, thanke you for your posting. I 'm todya back to my workplace and could test your recomanstdation. unfourtunately
the rule access-list outbound deny ip any any has no effecton on my network. My application like yahooo messanger, voip and so on has just connection to the outside and become data from outside.
I post once again the rules which i have in my acces-list hope that somebody see what i do wrong here!
Here is my access list:

access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq ftp-data
access-list inbound permit tcp any any eq ftp
access-list inbound permit tcp any any eq 5800
access-list inbound permit udp any any eq 5800
access-list inbound permit udp any any eq 5900
access-list inbound permit tcp any any eq 5900
access-list inbound permit tcp any any eq https
access-list inbound deny tcp any any
access-list inbound deny udp any any
access-list outbound deny tcp any any
access-list outbound deny udp any any
access-list outbound deny ip any any
logging device-id ipaddress inside
icmp permit host 192.168.1.12 inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface

http://www 192.168.1.12

http://www netmask

255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.1.12 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.12 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5800 192.168.1.12 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.1.12 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5900 192.168.1.12 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5800 192.168.1.12 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.12 https netmask 255.255.255.255 0 0
access-group inbound in interface outside

 

[br0ck]

tomim,

3 things

1. keep in mind that applications like messengers and (VoIP) like Skype are dynamic they will look for an open port if the standard port is not available. You will need a device that can enforce policy higher in the OSI layers (application layer)
i hear ver 7 has that ability you can also look at a device like Cymphonix to work in tandem with he firewall

http://www.miamiitsupport.com/cymphonix.shtml

2. are you applying the access-list outbound to an interface?

Access-group outbound in interface inside

3. the access-list outbound you have will block any and all traffic out to the internet for all hosts. You might as well turn off the internet router


Please reread my original post above.

 

[DanInRaleigh]

also,
...check into nbar

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfnbar.htm

http://www.daniel-white.com

 

[tomim]

Brock,
The problem is that your configuration is based on IP or certain URL. What i will is open only some certain ports and
close all others for all hosts.
My router between the server and the LAN will be used to let access only to the lotus notes and vnc service which are
tcp ports 5800,5900 and tcp/udp port 1352.

thanks