11-07-2002 02:40 AM - edited 03-09-2019 12:58 AM
Hi All,
attached is our config file of PIX 515. I have a few questions regarding
its configuration and I would appreciate it if any of you can answer them.
1. I need to block internal users from using any chatting software.
Please advise what I need to change in the attached config file to
accomplish that task.
I have tried outbound as mentioned, but after that users were unable to even do web browsing.
no outbound 10 permit 0.0.0.0 0.0.0.0 80 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 43 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 23 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 25 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 119 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 42 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 101 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 53 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 21 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 7 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 109 ip
no outbound 10 permit 0.0.0.0 0.0.0.0 110 ip
no outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
no outbound 10 deny 0.0.0.0 0.0.0.0 0 udp
apply (inside) 10 outgoing_src
2. I need to give telnet access to 64.10.40.12 from one of our other
office IPs, 194.130.202.112, but none of the outside users are able to ping
any of our public IPs (how do I address this?).
3. Logging is on. With the help of it, how can I check who is using
chatting software?
Thanks for your kind support.
Khurram
++++++++++++++++++++++++++++++++++++++++++
PIX CONFIG FILE
++++++++++++++++++++++++++++++++++++++++++
: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bkB69Zn7sh6SWZqa encrypted
passwd EKUPXpZg1IQ31tB5 encrypted
hostname XXX-FW
domain-name XXX.XXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit tcp any host 64.10.40.14 eq smtp
access-list 101 permit tcp any host 64.10.40.14 eq www
access-list 101 permit tcp any host 64.10.40.14 eq pop3
access-list 101 permit tcp any host 64.10.40.14 eq 6000
access-list 101 permit tcp 194.130.202.112 255.255.255.240 host 64.10.40.12 eq telnet
access-list 101 permit tcp 174.130.202.112 255.255.255.240 host 64.10.40.12 eq ftp
pager lines 24
logging on
logging timestamp
logging monitor informational
logging buffered informational
logging trap informational
logging history informational
logging queue 4096
logging host inside 180.155.75.131
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 64.10.40.10 255.255.255.248
ip address inside 180.155.75.120 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 600
global (outside) 1 64.10.40.13
global (outside) 1 64.10.40.11
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.10.40.14 180.155.75.153 netmask 255.255.255.255 0 0
static (inside,outside) 64.10.40.12 180.155.75.200 netmask 255.255.255.255 0 0
access-group 101 in interface outside
conduit permit icmp any any echo-reply
conduit permit icmp any any unreachable
conduit permit icmp any any source-quench
conduit permit tcp any any eq www
route outside 0.0.0.0 0.0.0.0 64.10.40.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 180.155.75.120 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 180.155.75.21 C:\tftp-root
floodguard enable
no sysopt route dnat
telnet 180.155.75.131 255.255.255.255 inside
telnet 180.155.75.142 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
terminal width 80
11-14-2002 08:06 AM
I think these are the ports you may have to shut down to block MSN:
socks version 4 & 5: 1080
1863 for MSN authentication
Have you opened the ICMP port? If you don't, it will not ping.
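Question 3 above asks how the existing logging can show who is using chat software, and the reply names the ports to watch (1863 for MSN authentication, 1080 for SOCKS). The script below is an added example, not part of this thread or of Cisco's software: it parses the PIX "Built outbound TCP connection" syslog message and reports which inside host (laddr) opened connections to those ports. The message wording is modelled on the PIX 6.x 302001 message and is an assumption to check against your own syslog output; the log lines are constructed sample data that reuse the thread's inside (180.155.75.x) and global (64.10.40.13) addressing, with documentation addresses as the far ends.

```python
import re
from collections import defaultdict

# Ports named in the reply: MSN Messenger authentication and SOCKS v4/v5.
# Extend this table with whatever your own policy covers.
CHAT_PORTS = {1863: "msn", 1080: "socks"}

# Assumption: wording modelled on the PIX 6.x "%PIX-6-302001" message,
# which lists the far end (faddr), the translated/global address (gaddr)
# and the real inside address (laddr), each with its port.
CONN_RE = re.compile(
    r"%PIX-\d-302001: Built outbound TCP connection (?P<conn>\d+) for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)


def parse_connection(line):
    """Return the addresses/ports of a 'Built outbound TCP connection'
    line, or None for any other message (teardowns, garbage, ...)."""
    m = CONN_RE.search(line)
    if not m:
        return None
    return {
        "faddr": m.group("faddr"),
        "fport": int(m.group("fport")),
        "laddr": m.group("laddr"),
        "lport": int(m.group("lport")),
    }


def find_chat_users(lines, chat_ports=CHAT_PORTS):
    """Map each inside host (laddr) to the set of chat services it reached.

    Only the destination port on the far end (fport) is checked: the
    source port the client picked (lport/gport) is irrelevant here."""
    hits = defaultdict(set)
    for line in lines:
        conn = parse_connection(line)
        if conn is None:
            continue
        service = chat_ports.get(conn["fport"])
        if service:
            hits[conn["laddr"]].add(service)
    return dict(hits)


# Constructed sample log (not real data). "logging timestamp" in the posted
# config prefixes each message with a date, as shown here.
SAMPLE_LOG = [
    "Nov 07 2002 02:41:03: %PIX-6-302001: Built outbound TCP connection 4101 for "
    "faddr 203.0.113.5/1863 gaddr 64.10.40.13/1025 laddr 180.155.75.50/1025",
    "Nov 07 2002 02:41:05: %PIX-6-302001: Built outbound TCP connection 4102 for "
    "faddr 198.51.100.7/80 gaddr 64.10.40.13/1026 laddr 180.155.75.50/1026",
    "Nov 07 2002 02:42:17: %PIX-6-302001: Built outbound TCP connection 4103 for "
    "faddr 203.0.113.9/1080 gaddr 64.10.40.13/1027 laddr 180.155.75.61/1027",
    "Nov 07 2002 02:42:20: %PIX-6-302002: Teardown TCP connection 4102 "
    "faddr 198.51.100.7/80 gaddr 64.10.40.13/1026 laddr 180.155.75.50/1026 "
    "duration 0:00:15 bytes 5120",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    # Usage: feed the lines of your syslog file (e.g. the one collected on
    # the "logging host inside" box) instead of SAMPLE_LOG.
    for host, services in sorted(find_chat_users(SAMPLE_LOG).items()):
        print(f"{host}: {', '.join(sorted(services))}")
```

Because the report keys on laddr rather than gaddr, it names the real inside host even though every connection leaves through the same PAT address (64.10.40.13); an ordinary web connection on port 80 and the teardown message are left out of the report.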