03-20-2003 06:26 AM - edited 03-09-2019 02:35 AM
I have the following access lists on my pix 6.2
access-list acl_in deny tcp any any eq 1863 (hitcnt=0)
access-list acl_in deny udp any any eq 1863 (hitcnt=0)
access-list acl_in deny ip any 64.4.13.0 255.255.255.0 (hitcnt=0)
access-list acl_in deny ip any 64.4.0.0 255.255.0.0 (hitcnt=0)
access-list acl_in deny udp any any eq 5190 (hitcnt=0)
access-list acl_in deny udp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq aol (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.153 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.53 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.185 (hitcnt=0)
access-list acl_in deny ip any host 216.136.233.128 (hitcnt=0)
access-list acl_in deny ip any host 216.136.224.142 (hitcnt=0)
access-list acl_in deny ip any host 216.136.225.238 (hitcnt=0)
access-list acl_out deny udp host 64.12.13.0 any
access-list acl_out deny udp any any eq 5190
access-list acl_out deny udp any any eq 1863
access-list acl_out deny tcp any any eq 1863
access-list acl_out deny udp any any eq 4000
access-list acl_out deny tcp any any eq 4000
access-list acl_out deny ip 64.4.13.0 255.255.255.0 any
access-list acl_out deny ip 64.4.0.0 255.255.0.0 any
access-list acl_out deny ip host 64.12.161.153 any
access-list acl_out deny ip host 64.12.161.53 any
access-list acl_out deny ip host 64.12.161.185 any
access-list acl_out deny ip host 216.136.233.128 any
access-list acl_out deny ip host 216.136.224.142 any
access-list acl_out deny ip host 216.136.225.238 any
But I am not able to block either Yahoo Messenger, MSN Messenger, AOL Messenger or ICQ. Why so??
The IP addresses above are for the following hosts:
cs.yahoo.com 216.136.233.128
scsa.yahoo.com 216.136.224.142
msg.edit.yahoo.com 216.136.225.238
msn
IP range 64.4.13.0/24 or 64.4.0.0 - 64.4.63.255
03-20-2003 11:52 PM
Hi there,
The access-lists are not complete, are they? So where are your access-list permit statements placed? At the beginning or at the end of your ACLs? Did you bind the ACLs inbound to the interfaces? Perhaps it is possible to post a bit more of your config here.
Kind regards
Norbert
03-21-2003 05:42 AM
Pix-Admin1# show access-list
access-list acl_in;
access-list acl_in permit icmp any any 47 (hitcnt=0)
access-list acl_in deny ip host latoya any (hitcnt=0)
access-list acl_in deny ip any send4fun 255.255.255.0 (hitcnt=1251)
access-list acl_in deny ip any host 65.121.237.200 (hitcnt=91)
access-list acl_in permit tcp any any eq www (hitcnt=71610)
access-list acl_in permit tcp any any eq smtp (hitcnt=1821)
access-list acl_in permit tcp any any eq https (hitcnt=5763)
access-list acl_in permit tcp any any eq pop3 (hitcnt=2)
access-list acl_in permit tcp any any eq ftp (hitcnt=78)
access-list acl_in permit tcp any any eq 8888 (hitcnt=0)
access-list acl_in permit tcp any host venus eq 8000 (hitcnt=0)
access-list acl_in permit tcp any any eq telnet (hitcnt=16)
access-list acl_in permit tcp any any eq 8080 (hitcnt=92)
access-list acl_in permit tcp any host finaid eq 26581 (hitcnt=0)
access-list acl_in permit tcp any any eq 8001 (hitcnt=0)
access-list acl_in permit tcp host DNS-ECC any eq domain (hitcnt=1)
access-list acl_in permit tcp any any eq 18080 (hitcnt=0)
access-list acl_in permit ip host 204.142.253.227 any (hitcnt=0)
access-list acl_in permit tcp host 204.142.253.227 any (hitcnt=0)
access-list acl_in permit ip host chang any (hitcnt=0)
access-list acl_in permit tcp host chang any (hitcnt=0)
access-list acl_in permit tcp any host seddiki (hitcnt=0)
access-list acl_in permit ip any host seddiki (hitcnt=0)
access-list acl_in permit tcp host seddiki any (hitcnt=0)
access-list acl_in permit ip host 204.142.81.96 any (hitcnt=0)
access-list acl_in permit tcp host 204.142.81.96 any (hitcnt=0)
access-list acl_in deny tcp any x10 255.255.255.0 (hitcnt=0)
access-list acl_in permit tcp host LotusSrv any eq lotusnotes (hitcnt=78)
access-list acl_in permit udp host DNS-ECC any eq domain (hitcnt=102443)
access-list acl_in permit icmp any any (hitcnt=193)
access-list acl_in deny tcp any any eq 1863 (hitcnt=0)
access-list acl_in deny udp any any eq 1863 (hitcnt=0)
access-list acl_in deny ip any 64.4.13.0 255.255.255.0 (hitcnt=0)
access-list acl_in deny ip any 64.4.0.0 255.255.0.0 (hitcnt=0)
access-list acl_in deny udp any any eq 5190 (hitcnt=0)
access-list acl_in deny udp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq aol (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.153 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.53 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.185 (hitcnt=0)
access-list acl_in deny ip any host 216.136.233.128 (hitcnt=0)
access-list acl_in deny ip any host 216.136.224.142 (hitcnt=0)
access-list acl_in deny ip any host 216.136.225.238 (hitcnt=0)
access-list acl_out;
access-list acl_out permit tcp any host LotusSrv eq lotusnotes (hitcnt=0)
access-list acl_out permit tcp any host venus eq www (hitcnt=538)
access-list acl_out permit udp any host DNS-ECC eq domain (hitcnt=8756)
access-list acl_out permit tcp any host websrv eq www (hitcnt=13190)
access-list acl_out permit tcp any host mail-81 eq smtp (hitcnt=6)
access-list acl_out permit tcp any host mail-89 eq smtp (hitcnt=6882)
access-list acl_out permit tcp any host webcam1 eq www (hitcnt=2)
access-list acl_out permit tcp any host venus eq https (hitcnt=3565)
access-list acl_out permit tcp any any eq ftp (hitcnt=0)
access-list acl_out permit icmp any any echo-reply (hitcnt=77)
access-list acl_out permit tcp any host DNS-ECC eq domain (hitcnt=3)
access-list acl_out permit tcp any host elecktra2 eq telnet (hitcnt=3)
access-list acl_out permit tcp any host mail-253 eq smtp (hitcnt=2)
access-list acl_out permit ip any host mobileman (hitcnt=167)
access-list acl_out permit tcp any host bookstore eq telnet (hitcnt=0)
access-list acl_out permit tcp any host elecktra2 eq 5500 (hitcnt=0)
access-list acl_out permit tcp any host mail-81 eq www (hitcnt=1035)
access-list acl_out permit tcp any host mail-81 eq pop3 (hitcnt=2)
access-list acl_out permit ip host nebraska host posadmin (hitcnt=0)
access-list acl_out permit tcp object-group innovative host elecktra2 object-group webopac_services
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp any host elecktra2 eq www (hitcnt=239)
access-list acl_out permit ip any host ahmed (hitcnt=60)
access-list acl_out permit tcp any host ahmed (hitcnt=0)
access-list acl_dmz; 4 elements
access-list acl_dmz permit tcp any any eq www (hitcnt=0)
access-list acl_dmz permit tcp host venus any (hitcnt=17)
access-list acl_dmz permit ip host venus any (hitcnt=170)
access-list acl_dmz permit icmp any any (hitcnt=0)
access-list 100; 3 elements
access-list 100 permit ip 204.142.0.0 255.255.0.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list 100 permit ip 192.231.0.0 255.255.0.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list 100 permit ip 10.0.0.0 255.255.0.0 198.168.1.0 255.255.255.0 (hitcnt=0)
access-list 200; 4 elements
access-list 200 permit ip 204.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 (hitcnt=60)
access-list 200 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list 200 permit ip 192.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list 200 permit ip 204.142.253.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
Pix-Admin1# show access-group
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz:2
03-24-2003 09:31 AM
Hi,
thanks for the posting. I don't know how all the messengers are working. But I think the permit tcp any any eq www and the following statements in your access-list acl_in would allow the traffic. Many tools use the www protocol to keep working behind firewalls or proxies (I know it from ICQ). Some look for allowed ports and will use them. If you really want to block the messengers, allow web access only via proxy and configure allowed access there.
Regards Norbert
03-24-2003 09:38 AM
hi,
thanks for your time. I just wanted to tell you that I have been able to block all the messengers by moving all the deny rules for messengers above the access-list entry
acl_in permit tcp any any eq www
Thought you would be curious!!
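Added illustration of why moving the deny entries above the www permit works (this is not code from the thread or from Cisco): a small first-match evaluator for the PIX access-list syntax quoted above, run over a constructed three-entry excerpt of acl_in in the original order and in the reordered form. The names PORT_NAMES, parse_acl and evaluate are my own.

```python
import ipaddress
# A PIX access-list is evaluated top-down: the first matching entry wins and
# an implicit deny follows the last one. A deny placed below "permit tcp any
# any eq www" therefore never sees port-80 traffic (its hitcnt stays at 0).

PORT_NAMES = {"www": 80, "aol": 5190}  # service names used in the thread

def _addr(tok, i):
    """Parse one PIX address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acl(text):
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        entries.append({"action": tok[2], "proto": tok[3], "src": src,
                        "dst": dst, "port": port, "hitcnt": 0})
    return entries

def evaluate(entries, proto, src, dst, dport):
    """Return the action of the first matching entry and bump its hitcnt."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if (e["proto"] in ("ip", proto) and src in e["src"] and dst in e["dst"]
                and (e["port"] is None or e["port"] == dport)):
            e["hitcnt"] += 1
            return e["action"]
    return "deny"  # implicit deny at the end of every PIX ACL

# Constructed excerpt of the thread's acl_in in the original (broken) order,
# and the same entries with the messenger denies moved above the www permit.
ORIGINAL = parse_acl("""
access-list acl_in permit tcp any any eq www
access-list acl_in deny tcp any any eq 1863
access-list acl_in deny ip any 64.4.13.0 255.255.255.0
""")
FIXED = parse_acl("""
access-list acl_in deny tcp any any eq 1863
access-list acl_in deny ip any 64.4.13.0 255.255.255.0
access-list acl_in permit tcp any any eq www
""")
```

With the original order, a messenger client falling back to port 80 toward an address in 64.4.13.0/24 is permitted by the first entry and the deny below it never counts a hit; with the reordered list the same packet is denied while ordinary web traffic to other hosts is still permitted.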