
Preventing Internet access for a group of users 1

Status
Not open for further replies.

Gufs99 (MIS), Jun 19, 2003
Hi All,

I've been tasked with setting up a customer so that a group of 5 POS machines cannot access the internet but access local LAN resources. There are 5 other machines that need access to the internet and local LAN resources. I have a Pix 501, W2K3 Proliant ML350 Server, and a Cisco Catalyst 2960 switch to work with. I can change any of the configs, but I can't add any new hardware. I'd rather not do routing on the server unless I have to.

Since the 2960 isn't a layer 3 switch I can't do any layer 3 routing on the switch. The Pix 501 doesn't support VLANS.

The Pix's 1st inside interface is 192.168.1.1.

My idea was to assign the 5 POS PC's with a 192.168.2.x address via DHCP reservations from the W2K3 server. I would point those boxes to a default gateway of 192.168.2.1.

On the 2960 I was thinking of setting up a VLAN to segregate that traffic and have a trunk port going to a second interface on the Pix which would be addressed as 192.168.2.1.

Then on the Pix I could create the inside route routing the 192.168.2.x traffic to 192.168.1.1. An access list would prevent the 192.168.2.x traffic from going out the external interface and out to the internet.

Will this work? Any other suggestions?

Sounds like a test question huh? :)

Thanks in advance!

Jake

 
Why not just set static addresses on all machines, deny all access on the PIX and then allow the ones that need access?
 
I'd rather manage the IP's from DHCP. Plus if I can, I'd like to prevent the kids that are using those machines from being sneaky and just changing the IP to access the internet. They've had problems before with these machines.
 
What you are proposing will not work. The PIX 6.x code will not send traffic out the same interface that it came in on.

1. If the POS machines only need to access the server, then you could give those machines a different subnet and put a secondary IP on the server NIC.

2. You can/should lock down those POS boxes so that they can't change anything on the system.

3. Put an IT policy in place that states the rules and penalties for breaking them and have everyone sign it.

4. W2K3 DHCP server can assign/reserve IPs by MAC address. You can do as Larry points out, but without 2 & 3, this can be circumvented (there are ways to change the MAC as well, but it isn't as easy.)

Short of RRAS on the server, that's it I'm afraid. I would go for new equipment. The 506e has the ability for DMZ and the ASA5505 has much more capability than that. You need the right tools. You can't turn a screw with a hammer.




Brent
Systems Engineer / Consultant
CCNP, CCSP
 
[this is a copy of another post of mine but it fits your situation]

There are some things to consider when locking down traffic like this.
1. You will need some hosts to have access to the internet for the following reasons:
a. Name resolution (DNS)
b. Some users need access to websites
c. Your boss is going to ask to have unrestricted internet
d. You need to get vendor updates for your servers and PCs

Here is what has worked for me

First create some object groups:
Below I create 4 basic object groups. The first 2 are websites that everyone needs to get to (you might have a web-based app that users use).
The 3rd one is a designation of IPs that you want to have unrestricted access to the internet.
The 4th just defines your internal subnet.
Code:
object-group network website_A
  description websitea.com IP Addresses
  network-object 66.66.66.0 255.255.255.0

object-group network website_B
  description websiteb.com IP Addresses
  network-object 77.77.77.0 255.255.255.0

object-group network WWW
  description Unrestricted WWW Access
  network-object host [INSIDE_IP1]
  network-object host [INSIDE_IP2]
  network-object host [INSIDE_IP3]
  network-object host [INSIDE_IP4]
  network-object host [INSIDE_IP5]
  network-object host [INSIDE_IP6]
  network-object host [INSIDE_IP7]

object-group network LAN
  description All hosts on the 192.168.0.0/24 subnet
  network-object 192.168.0.0 255.255.255.0

OK, with that created, now you want to apply the object groups you created to an ACL that will govern the traffic.

The first one allows that group of IPs in the group access to the internet
(this will most likely be servers, IT Staff and the boss)

The second is permitting the subnet access to website_A (NOTE: to get the IPs of website_A, do a DNS lookup on them, or use their DNS lookup tool; this will return the IP range that they are hosting them on.)

The third is the same as the second just a different website
(NOTE: you can make one object for all sites allowed or one for each, your choice)

And lastly deny everything else!


Code:
access-list outbound remark |Unrestricted internet access hosts|
access-list outbound permit ip object-group WWW any

access-list outbound remark |Allows all hosts access to website_A hosts|
access-list outbound permit ip object-group LAN object-group website_A

access-list outbound remark |Allows all hosts access to website_B hosts|
access-list outbound permit ip object-group LAN object-group website_B

access-list outbound deny ip any any

I use object-group based ACLs because adding and removing permitted traffic and hosts is faster and cleaner than individual ACL lines.


Now we apply to an interface (the inside)
Code:
access-group outbound in interface inside
 
Omit if not needed
Code:
object-group network website_A
  description websitea.com IP Addresses
  network-object 66.66.66.0 255.255.255.0

object-group network website_B
  description websiteb.com IP Addresses
  network-object 77.77.77.0 255.255.255.0

access-list outbound remark |Allows all hosts access to website_A hosts|
access-list outbound permit ip object-group LAN object-group website_A

access-list outbound remark |Allows all hosts access to website_B hosts|
access-list outbound permit ip object-group LAN object-group website_B

Limit the object-group network WWW to one host (the server, 192.168.1.2 for example)
Code:
object-group network WWW
  description Unrestricted WWW Access
  network-object host 192.168.1.2
Set the dhcp range to be 192.168.1.3 to 192.168.1.20 or so

Now if they change the IP, the only open host IP is the server's, and it is already taken.



sorry for the double post!

hope that helps!
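An added example, not code from the post above or from Cisco: a small Python model of the object-group ACL quoted in that post, evaluated first-match the way a PIX walks an access-list, plus two audit checks for the DHCP layout described at the end of the post (the unrestricted group should contain no spare address, and the DHCP scope should not hand out an unrestricted address). The LAN object is assumed to be 192.168.1.0/24 (the thread's inside subnet); the website ranges and the destination address are the post's placeholders and constructed sample values.

```python
import ipaddress

# Constructed model of the object groups from the post. LAN is assumed to be
# 192.168.1.0/24 (the thread's inside subnet); website ranges are the post's
# placeholder values. The WWW group is the trimmed one-host version.
OBJECT_GROUPS = {
    "website_A": ["66.66.66.0/24"],
    "website_B": ["77.77.77.0/24"],
    "WWW": ["192.168.1.2/32"],   # unrestricted internet access: the server only
    "LAN": ["192.168.1.0/24"],   # assumed inside subnet
}

# "access-list outbound" in the order the post lists it:
# (action, source selector, destination selector). Selectors are
# object-group names or "any".
ACL_OUTBOUND = [
    ("permit", "WWW", "any"),
    ("permit", "LAN", "website_A"),
    ("permit", "LAN", "website_B"),
    ("deny", "any", "any"),
]


def _selector_matches(addr, selector):
    """True when addr falls in the named object group, or selector is 'any'."""
    if selector == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in OBJECT_GROUPS[selector])


def evaluate(src, dst, acl=ACL_OUTBOUND):
    """First-match evaluation, as a PIX access-list works.

    Returns (action, line_index). line_index is None when no line matched
    and the implicit deny at the end of every PIX ACL applied.
    """
    for index, (action, src_sel, dst_sel) in enumerate(acl):
        if _selector_matches(src, src_sel) and _selector_matches(dst, dst_sel):
            return action, index
    return "deny", None


def spare_unrestricted_addresses(in_use, group="WWW"):
    """Audit check: addresses in the unrestricted group that no live host holds.

    The post's layout (one server in WWW, DHCP scope starting above it) is
    meant to make this set empty. It is only empty while the server is up,
    which is the caveat raised in the thread.
    """
    live = {ipaddress.ip_address(a) for a in in_use}
    spare = set()
    for net in OBJECT_GROUPS[group]:
        for addr in ipaddress.ip_network(net):   # a /32 yields its single address
            if addr not in live:
                spare.add(str(addr))
    return spare


def dhcp_scope_overlap(first, last, group="WWW"):
    """Audit check: unrestricted-group addresses that the DHCP scope could lease out.

    Should be empty; the post sets the scope to 192.168.1.3-192.168.1.20 so the
    server's address stays outside it.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return sorted(
        str(addr)
        for net in OBJECT_GROUPS[group]
        for addr in ipaddress.ip_network(net)
        if lo <= addr <= hi
    )


if __name__ == "__main__":
    # Constructed sample flows: the server, a POS box, and a POS box reaching website_A.
    # 203.0.113.5 is a documentation address standing in for "somewhere on the internet".
    for src, dst in [("192.168.1.2", "203.0.113.5"),
                     ("192.168.1.10", "203.0.113.5"),
                     ("192.168.1.10", "66.66.66.10")]:
        print(src, "->", dst, evaluate(src, dst))
    print("spare unrestricted:", spare_unrestricted_addresses(["192.168.1.2", "192.168.1.10"]))
    print("scope overlap:", dhcp_scope_overlap("192.168.1.3", "192.168.1.20"))
```

Running it shows the server permitted on line 0, a POS host denied on the final explicit deny, and the POS host permitted to website_A on line 1; the two audit functions return empty results for the post's layout, and `spare_unrestricted_addresses` reports 192.168.1.2 as soon as the server is left out of the in-use list, which is the gap Brent points out later in the thread.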
 
With a few modifications, that just might do the trick! Thanks! [2thumbsup] I forgot that Object-Groups are supported in the 6.3(5) code. I was thinking that was a 7.0 and above.

Unfortunately this client had a small budget and this was the only hardware we could do. The 3550 switch was out of his price range as was the ASA 5510. The 5505's aren't shipping yet unfortunately. I didn't think of RRAS on the W2K3 server until now and it's only got one NIC. I don't want to go back and ask him to buy another one (although I guess we could eat that small cost)

The POS boxes will be locked down with group policy, but the customer was concerned with these clowns figuring out the IP scheme and changing the IP to one that was allowed. The office PC's will have full access to the internet. The POS boxes will get updates via WSUS and Trend on the server. No internet access is needed for those boxes.

I'll check back later today to let you know if it worked.

Jake
 
The problem is that they could still change the IP of the box and gain internet access.

You can set up AAA to validate all web traffic outbound and have your 2003 server act as the RADIUS server (you can also have it validate against Active Directory.)



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Good idea, but IAS isn't an option in this case due to budget.

Yes, they could change their IP, but to what? With the access list in place to allow those specific IP's and denying the rest, how could they get out? The only IP's that have access would be in use!
 
Internet Authentication Service (IAS) is built into W2003/2000 standard server. It uses RADIUS and is under Networking Services in the Windows components.

You had asked for a solution that would account for the sneaky kids changing the IP. If you lock down the PC properly that won't be an issue, but access-lists don't mitigate that. If they could change the IP, nothing stops them from changing the IP so that there is a duplicate IP on the network. Results are intermittent for both machines, but it can work, and what if the legitimate machine using that IP is off?

Just trying to fulfill the request as stated.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thank you for the follow up. You are right, IAS is an option. When I wrote the reply, I was thinking ISA not IAS in my head. Sorry about the dyslexia!

After reading the suggestions here, I've thought it over and I'm thinking of sticking with the Pix access lists solution. Only because it'd be easier for these kids to get a username/password from another co-worker to access the internet, than it would to change the IP on a locked down PC.

I could do a combination of the two as well, but I think that would be overkill. At that point it's the client's responsibility to have a policy in place.

You guys have been a HUGE help! Thanks! [thumbsup2]


 