pix block ports for subdomain 2


dgoradia

Technical User
Jun 4, 2009
34
US
How can I block outside internet access for everyone using gateway/subdomain 192.168.0.1 and only allow access for subdomain e.g. 192.168.6.1....

Thanks
 
Well, assuming that your requirements are truly to block HTTP/S traffic outbound from the 192.168.0.x/24 and permit HTTP/S traffic from the 192.168.6.x/24, then the ACL would look like this:
Code:
access-list inside_access_in extended deny tcp 192.168.0.0 255.255.255.0 any eq www
access-list inside_access_in extended deny tcp 192.168.0.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.6.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.6.0 255.255.255.0 any eq https
Notice that there is an implied deny ip any any at the bottom of the ACL, so any other traffic besides HTTP/S from 192.168.6.0/24 will be denied.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Uncle....... so first deny....... then allow?

[root@netwatch ~]# yum remove windows
Loaded plugins: fastestmirror
Setting up Remove Process
No Match for argument: windows
No Packages marked for removal

OH YEAH!
 
In this particular case the order doesn't matter. You could just as easily put the permit statements first and the deny statements last. The OP never came back to clarify the requirements.

 
thanks Uncle.

 
I just read on the Cisco site that it's a first-match rule for ACLs.

 
Right, and that's why in this case it doesn't matter which one you put first, deny or permit.

 
If you have a more general mask on the ACL, it will block the traffic before it gets to the more specific ACL statement. On a hunch: do you have more than two subnets?
(i.e. 192.168.0.0, 192.168.1.0, 192.168.2.0, etc.)

If that is the case and you want all of them blocked except 192.168.6.0, then the order (and masking) matters:

access-list inside_access_in extended permit tcp 192.168.6.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.6.0 255.255.255.0 any eq https
access-list inside_access_in extended deny tcp 192.168.0.0 255.255.0.0 any eq www
access-list inside_access_in extended deny tcp 192.168.0.0 255.255.0.0 any eq https

This will allow the 192.168.6.0 network and block the supernetted 192.168.0.0-192.168.255.0 (255.255.0.0) network.

Brent
Systems Engineer / Consultant
CCNP, CCSP
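Added example, not code from the thread or from Cisco: a small Python model of the PIX's first-match ACL evaluation, fed the exact access-list lines posted by unclerico and Supergrrover above. It parses only the subset of syntax those lines use (extended, tcp, dotted subnet mask, "any" destination, "eq www/https"), applies the implied deny ip any any at the end, and runs constructed test packets (192.168.6.34, the host Burt uses later in the thread, plus 192.168.0.10 and a host on a third subnet, 192.168.3.5). It also flags entries that are shadowed by an earlier, wider entry, which is the catch-all ordering problem Supergrrover describes. The function and variable names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names the PIX accepts in "eq <name>"; only those used in the thread.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


@dataclass
class Ace:
    """One access control entry parsed from an access-list line."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network   # source network (any = 0.0.0.0/0)
    dport: Optional[int]         # destination port, None = any port
    text: str                    # original line, kept for reporting


def _network(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' at t[i]; return (net, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # PIX/ASA ACLs use a dotted subnet mask, not an IOS-style wildcard mask.
    return ipaddress.IPv4Network((t[i], t[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse: access-list NAME extended ACTION PROTO SRC DST [eq PORT]."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError("unsupported ACL syntax: " + line)
    action, proto = t[3], t[4]
    if action not in ("permit", "deny"):
        raise ValueError("bad action in: " + line)
    src, i = _network(t, 5)
    _dst, i = _network(t, i)     # destination is 'any' in every line in the thread
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dport, line)


def evaluate(acl: List[Ace], src_ip: str, proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return (action, index of the matching ACE).
    ("deny", None) means nothing matched and the implied deny ip any any applied."""
    ip = ipaddress.IPv4Address(src_ip)
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if ip not in ace.src:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


def shadowed(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs that can never match: an earlier ACE for the same
    protocol/port already covers every source address they could match."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            same_proto = earlier.proto in ("ip", later.proto)
            same_port = earlier.dport is None or earlier.dport == later.dport
            if same_proto and same_port and earlier.src.supernet_of(later.src):
                out.append(j)
                break
    return out


# unclerico's two-/24 ACL: deny-first and permit-first give the same answers
# because the two /24 networks do not overlap.
DENY_FIRST = [parse_ace(l) for l in (
    "access-list inside_access_in extended deny tcp 192.168.0.0 255.255.255.0 any eq www",
    "access-list inside_access_in extended deny tcp 192.168.0.0 255.255.255.0 any eq https",
    "access-list inside_access_in extended permit tcp 192.168.6.0 255.255.255.0 any eq www",
    "access-list inside_access_in extended permit tcp 192.168.6.0 255.255.255.0 any eq https",
)]
PERMIT_FIRST = DENY_FIRST[2:] + DENY_FIRST[:2]

# Supergrrover's /16 catch-all: now the order decides.
CATCHALL_OK = [parse_ace(l) for l in (
    "access-list inside_access_in extended permit tcp 192.168.6.0 255.255.255.0 any eq www",
    "access-list inside_access_in extended permit tcp 192.168.6.0 255.255.255.0 any eq https",
    "access-list inside_access_in extended deny tcp 192.168.0.0 255.255.0.0 any eq www",
    "access-list inside_access_in extended deny tcp 192.168.0.0 255.255.0.0 any eq https",
)]
CATCHALL_WRONG = CATCHALL_OK[2:] + CATCHALL_OK[:2]   # same lines, /16 deny placed first


def decisions(acl: List[Ace]) -> dict:
    """Decision per constructed source host, all TCP/443 (HTTPS) to the Internet."""
    return {ip: evaluate(acl, ip, "tcp", 443)[0]
            for ip in ("192.168.6.34", "192.168.0.10", "192.168.3.5")}


if __name__ == "__main__":
    for name, acl in [("/24 deny first", DENY_FIRST), ("/24 permit first", PERMIT_FIRST),
                      ("/16 catch-all, permit first", CATCHALL_OK),
                      ("/16 catch-all, deny first", CATCHALL_WRONG)]:
        print(f"{name:28s} {decisions(acl)}  shadowed={shadowed(acl)}")
```

Running it shows the three points made in the thread: with two non-overlapping /24 entries the order is irrelevant; a host on a third subnet such as 192.168.3.5 is never matched by a /24 for 192.168.0.0 and falls through to the implied deny; and with the 192.168.0.0/16 deny placed before the 192.168.6.0/24 permit, the permit lines are shadowed and 192.168.6.34 is denied. The shadowed() check is the thing to run on any ACL before pushing it to the PIX.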
 
Supergrrover, that makes sense then, so you can make catch-alls for the subs.

 
Yes. Exactly. If you only have the .0.0 and the .6.0 networks then as long as the mask is /24 it won't matter.

 
Thank you @unclerico and @Supergrrover for the ACL, I really appreciate it.

Could you direct me to a tutorial or some kind of resource that would teach me how to configure these?

Once again, thanks for the great solution...
 
By the way, this is exactly what I was looking for. unclerico's ACL worked perfectly. Also, Supergrrover gave me a little more insight into it, as we do have multiple subdomains here, so I changed to Supergrrover's ACL and all the subdomains were blocked. Thanks. I needed to block it for a while for some important clients.
 
Mjoyner wrote:

Uncle....... so first deny....... then allow?

No---they are all separate subnets---look at the mask after 192.168.0.0---it will block 192.168.0.1 through 192.168.0.254.
If 192.168.6.34 (for example) comes in, the PIX will not find a match for it until the third line. Perhaps you were thinking that 192.168.0.0/16 was the requirement, in which case it WOULD block 192.168.6.34.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Hey Burt, hope your weekend was nice.

I read up on that; I learned that ACLs are a first-match rule.

I see what you mean; the mask got wider.



 