CISCO PIX 501

ahmadnaveed
Level 1

I have a CISCO PIX 501 configured and working fine.

All I need is to block these things for my clients:

YAHOO Messenger

MSN Messenger

And also I don't need to give www access (Internet browsing) to a few of my users.

But all must have access to use their Outlook to send/receive their e-mails.

Possible? I am sure, yeah, it is possible. Can you tell me what commands I need to enter in my ACCESS-LIST?

6 Replies

jmia
Level 7

Naveed,

To stop MSN, add the following ACL to your inside interface:

access-list inside deny tcp any any eq 1863
access-list inside deny ip any 64.4.13.0 255.255.255.0
access-list inside deny ip any 207.46.110.0 255.255.255.0
access-list inside deny ip any 207.46.203.0 255.255.255.0
access-list inside permit ip any any
access-group inside in interface inside

Not too sure for Yahoo, but try a quick search on Google and I'm sure you'll find the appropriate IP addresses/ports to block.

On your other question on limiting www access for your internal users, what you can do is the following:

access-list inside permit tcp host inside_host_ip_address any eq www
...
...
access-list inside permit tcp host inside_host_ip_address any eq www
access-list inside deny tcp any any eq www
access-list inside permit ip any any
access-group inside in interface inside

The above will control which internal user has access to the internet; this is controlled by the inside_host_ip_address. Of course you'll need to make sure those internal IP addresses are static and not dynamic (DHCP).

Save with write mem and also, issue clear xlate.

Hope this helps and if it does please rate post.

Regards,

Jay

Patrick Iseli
Level 7

To block Internet access to a few internal hosts is easy.

Example:

# Block access to 192.168.1.10 and 11 (single hosts, so use "host", not a /24 mask)
access-list outbound deny tcp host 192.168.1.10 any eq http
access-list outbound deny tcp host 192.168.1.11 any eq http
# Block MSN
access-list outbound deny tcp any any eq 1863
access-list outbound deny ip any 64.4.13.0 255.255.255.0
# Block Yahoo
access-list outbound deny tcp any any eq 5050
access-list outbound deny tcp any any eq 5100
access-list outbound deny tcp any any eq 5001
# Permit all the rest
access-list outbound permit ip any any
access-group outbound in interface inside

Yahoo! Messenger Ports are:

- 5050 (outbound TCP)

- 5101 (inbound TCP)

- 5100 for webcam (TCP)

- 5001 for voice (TCP)

- For voice: cs1.yahoo.com, cs2.yahoo.com, and cs3.yahoo.com

- Yahoo will search ports 5050, 80, 20, 21, 25, 37 and 119 if 5050 is blocked

To block Yahoo and MSN Messenger is quite complicated with PIX OS 6.3.x. They use all kinds of ports such as http and https, and even if you block some of them they will dynamically find another port to connect to the server.

sincerely

Patrick
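The two ACL sets above (Jay's and Patrick's) are easy to get subtly wrong: a host entry written with a 255.255.255.0 mask matches the whole subnet, PIX evaluates entries first-match, and an unmatched flow hits the implicit deny. This added example (my code, not from the thread or from Cisco) is a small first-match evaluator for PIX 6.3-style extended ACL lines, run over constructed sample flows; 198.51.100.5 is a documentation address standing in for a web or mail server.

```python
import ipaddress

# Port literals used on this page; numeric ports are accepted as well.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}

def _addr(tok, i):
    """Return (network, next_index) for 'any', 'host A' or 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # Address plus subnet mask: 192.168.1.10 255.255.255.0 is the whole /24,
    # which is why "host" is needed to block a single machine.
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue  # blank lines and '#' annotations are ignored
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, src, dst, proto, dport):
    """PIX semantics: first matching entry wins; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst \
                and rport in (None, dport):
            return action
    return "deny"

# Constructed sample: the host entry with the /24 mask beside the "host" form.
ACL_AS_POSTED = """
access-list outbound deny tcp 192.168.1.10 255.255.255.0 any eq http
access-list outbound deny tcp any any eq 1863
access-list outbound permit ip any any
"""
ACL_FIXED = ACL_AS_POSTED.replace("192.168.1.10 255.255.255.0", "host 192.168.1.10")

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        print(name, "- 192.168.1.20 to www:",
              evaluate(parse_acl(acl), "192.168.1.20", "198.51.100.5", "tcp", 80))
```

With the masked entry, every host in 192.168.1.0/24 loses web access; with the "host" form only .10 does, while its SMTP traffic still reaches the permit line, and MSN tunnelled over port 80 from an unblocked host is simply permitted, which is the limitation Patrick describes.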

Hi Patrick,

I'd also like to block these ports on my SOHO97 router. Can I do that? Does this router support it?

Can you help me with any suggestion?

Thank You in Advance

Gjergji

This should be possible; I have seen that the SOHO97 router supports standard and extended ACLs.

The only thing that you have to change is to replace the access-list name by a number, let's say 101, and then add the access-list to the right interface.

sincerely

Patrick

Patrick,

I blocked all the ports that you suggested, but Yahoo and MSN still connect; maybe they try another port and connect through that port.

Gjergji

MSN uses HTTP and HTTPS to tunnel its traffic. These protocols cannot be inspected at the application layer with an access-list on a router or on PIX OS 6.3.x and lower.

With PIX OS 7.0 this has changed and it is now possible to inspect the HTTP protocol and block that kind of traffic.

Sorry, but I would need a packet sniffer to analyse the traffic and to find a new way to block that.

I do not have time right now for that but will do it later, in a couple of days....???

Does anybody still have a working way to block that traffic?

sincerely

Patrick
