PIX newbie

Status
Not open for further replies.

mot98

MIS
Jan 25, 2002
647
CA
Hi All,

Very new to configuring PIX. We are running a Cisco PIX 515.

I have been asked to deny internet access to a range of IP addresses on the PIX.

I can telnet into the PIX, but I am at a loss as to how to correctly deny these addresses.

I read some info on Access lists, but don't know the command line syntax to correctly do this.

Any help would be greatly appreciated.

Thanks,
mot98

"Every day I learn something new, and forget 10 things I learned long ago!"
 
The easiest way to allow/deny Internet access is with nat/global statements. For instance, if you have a full class C private subnet, 192.168.1.x, the following example would allow .1-.127 access to the Internet, and not .128-.254.

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.128

If you use access-lists you need to be very careful because of the implicit 'deny any any' at the end. Typically this is countered by a 'permit any any', but that would leave your network wide open. Thus you need to permit everything you want to allow, and then leave the implicit 'deny any any' to block everything else. I'd recommend the nat/global method instead.

-gbiello
 
HI.

What version of pix OS?
Do you have PDM?
How many internal hosts?
How many internal hosts should have internet access?
How many internal hosts should not have internet access?
Do they belong to a common subnet, or random ip addresses?
How many internal subnets?

Bye
Yizhar Hurwitz
 
Thanks for your posts.

gbiello,

I am attempting to block a range of IP addresses on our subnet from accessing the internet. The range is 192.168.50.200 - 192.168.50.220; all other IP ranges, 192.168.50.0-192.168.50.199 and 192.168.50.221-192.168.50.224, need access.

What would be the command to do this?

Thanks,

mot98

"Every day I learn something new, and forget 10 things I learned long ago!"
 
HI.

I would use access-list in your case.
If you can change ip addressing so that you can group the addresses using a single subnet mask of 16 or 32 addresses it can be simpler, but the following should do for your current addressing scheme:

access-list frominside deny ip 192.168.50.200 255.255.255.248 any
access-list frominside deny ip 192.168.50.208 255.255.255.248 any
access-list frominside deny ip 192.168.50.216 255.255.255.252 any
access-list frominside deny ip 192.168.50.220 255.255.255.255 any
access-list frominside permit ip any any
access-group frominside in interface inside

You didn't mention what pix version you have - if it is ver 6.2 with PDM 2.x you can use the new grouping features of it for easier management.

Bye


Yizhar Hurwitz
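To check a hand-built list like the one above against the whole range, here is an added Python example (not from the post, and not Cisco code) that splits an inclusive range into aligned subnet blocks, renders PIX 6.x-style access-list lines in netmask notation, and evaluates them first-match for a given source address. It assumes the list is applied inbound on the inside interface, as in the post; the ACL name "frominside" is taken from the post.

```python
import ipaddress


def range_to_blocks(first: str, last: str):
    """Split an inclusive IPv4 range into the fewest aligned subnet blocks."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(start, end))


def pix_deny_lines(acl_name: str, first: str, last: str):
    """Render PIX 6.x access-list lines (netmask syntax, not wildcard masks) that
    deny IP from each block to any destination, then permit everyone else and
    apply the list inbound on the inside interface."""
    lines = []
    for net in range_to_blocks(first, last):
        lines.append(
            f"access-list {acl_name} deny ip {net.network_address} {net.netmask} any"
        )
    lines.append(f"access-list {acl_name} permit ip any any")
    lines.append(f"access-group {acl_name} in interface inside")
    return lines


def first_match(lines, src: str) -> str:
    """Simulate first-match evaluation of the generated list for a source
    address. Handles only the two line shapes produced above:
    'deny ip <net> <mask> any' and 'permit ip any any'."""
    addr = ipaddress.IPv4Address(src)
    for line in lines:
        parts = line.split()
        if parts[0] != "access-list":
            continue  # access-group is not an entry
        action = parts[2]
        if parts[4] == "any":
            return action  # source 'any' matches everything
        net = ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}")
        if addr in net:
            return action
    return "deny"  # the implicit deny at the end of every access-list


if __name__ == "__main__":
    acl = pix_deny_lines("frominside", "192.168.50.200", "192.168.50.220")
    print("\n".join(acl))
    for host in ("192.168.50.199", "192.168.50.200", "192.168.50.220", "192.168.50.221"):
        print(host, first_match(acl, host))
```

Because the deny is evaluated on the first outbound packet, no connection state is ever created for the blocked hosts, which is the behaviour the poster was trying to reach.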
 
Hi All,

Still testing this out.

I set up a test system with the IP address of 192.168.50.200.

I then went into the PIX and added the following line.

access-list acl_out deny tcp any host 192.168.50.200

However, I am still able to connect to the internet???

What did I do wrong here?

mot98

"Every day I learn something new, and forget 10 things I learned long ago!"
 
HI.

What is your pix os version?

The pix is a stateful firewall.
Traffic for sessions initiated from the inside will be allowed to come back from the outside.

You need to read more about the pix, then it would be much easier.

Try the following links:

Bye
Yizhar Hurwitz
 