ACL for Blocking AOL IM/Allowing VNC out/in

rkollar59
Level 1

Greetings,

I am a PIX newbie (Model 515E, 6.3), trying to write an ACL for blocking AOL IM (I think Port 5190). I am also looking to allow VNC in and out; eventually switching over to VPN Access only.

Can anyone please provide the proper ACL's? Thanks.


sachinraja
Level 9

Hi rkollar,

By default, all traffic from inside to outside is allowed. You need not explicitly define any rules. If you had previously defined any rule on the inside interface, just add these lines to the existing one..

access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 5190

similarly you need to open the ports defined on the vnc server on your pix.

hope this helps.. all the best..

Raj

jmia
Level 7

Robert -

Preventing IM traffic from leaving the network is difficult. All the major IM clients will work quite hard to find a port to exit your LAN, using HTTP if they have to. AIM needs to connect to the host login.oscar.aol.com in order to start up, so blocking traffic to this destination will effectively shut it down. However, the name login.oscar.aol.com points to the following IP addresses, according to a DNS lookup:

205.188.7.172

205.188.7.176

205.188.7.164

205.188.7.168

You'll need to block all of these on the inside interface of your PIX, and check for any new servers on a regular basis. Yahoo! Messenger can be blocked in a similar way, by killing off outbound access to the hosts answering to the following names:

msg.edit.yahoo.com

edit.messenger.yahoo.com

csa.yahoo.com

csb.yahoo.com

csc.yahoo.com

Each of the above names resolves out to multiple IP addresses, and, of course, Yahoo! can add new addresses at any time, making it an ongoing battle.

MSN Messenger can be blocked by blocking IP access to the Hotmail network range, 64.4.0.0 through 64.4.63.255. Interestingly, this does not seem to totally block access to Hotmail's Web-based mail service.

I have actually managed to stop MSN Messenger for some of my clients by applying deny filters on the inside interface, i.e.

(in config mode)

access-list inside deny tcp any any eq 1863

access-list inside deny ip any 64.4.13.0 255.255.255.0

access-list inside deny ip any 207.46.110.0 255.255.255.0

access-list inside deny ip any 207.46.203.0 255.255.255.0

access-list inside deny ip any 207.150.192.0 255.255.255.0

access-list inside permit ip any any

access-group inside in interface inside

Make sure to save with command: write mem and also issue clear xlate.

On your question on VNC, I presume you want access from the outside onto a specific client on the inside? If so, you'll require an ACL/static translation. I think port 5900 is used by VNC, so you'll need to translate this port number. Ideally you want a host-to-host connection rather than having anyone connecting to your internal client using VNC. BETTER yet, set up VPN!

If you need help on the above please let us know.

Hope this helps – Jay

PS. Please rate all posts if it helps you as others might be looking for similar solutions.
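As an added example (not code from the thread, Cisco, or either poster), the script below turns Jay's approach into something repeatable: it collects the addresses behind the IM login hostnames, emits the PIX 6.3 inside-interface ACL with the port and host denies ahead of the closing permit, and reports any server address not seen on the previous run, which is the "check for new servers on a regular basis" step. The DNS data is a constructed sample taken from the reply; the resolver function, ACL name and port list are assumptions, and a real run would swap in a live lookup.

```python
"""Generate PIX 6.3 outbound IM-blocking ACL lines and flag newly seen servers."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample DNS answers (the addresses quoted in the reply). In production
# replace sample_resolver with a live lookup such as socket.gethostbyname_ex(host)[2].
SAMPLE_DNS: Dict[str, List[str]] = {
    "login.oscar.aol.com": ["205.188.7.172", "205.188.7.176",
                            "205.188.7.164", "205.188.7.168"],
}
IM_PORTS = {"aim": 5190, "msn": 1863}  # client ports named in the thread (assumed set)


def sample_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS; raises OSError like socket.gaierror on unknown names."""
    if host not in SAMPLE_DNS:
        raise OSError(f"cannot resolve {host}")
    return SAMPLE_DNS[host]


def resolve_all(hosts: Iterable[str], resolver: Callable[[str], List[str]]) -> Set[str]:
    """Collect every address for each host; a name that fails to resolve is skipped."""
    found: Set[str] = set()
    for host in hosts:
        try:
            found.update(resolver(host))
        except OSError:
            continue  # one dead name should not abort the whole ACL refresh
    return found


def build_acl(name: str, ports: Iterable[int], addrs: Iterable[str]) -> List[str]:
    """Denies first, then the permit that restores PIX's default inside-to-outside flow."""
    lines = [f"access-list {name} deny tcp any any eq {p}" for p in sorted(ports)]
    lines += [f"access-list {name} deny ip any host {a}"
              for a in sorted(addrs, key=ipaddress.ip_address)]
    lines.append(f"access-list {name} permit ip any any")
    lines.append(f"access-group {name} in interface inside")
    return lines


def new_servers(known: Set[str], current: Set[str]) -> Set[str]:
    """Addresses resolved now that were absent last time: the ACL needs updating."""
    return current - known


if __name__ == "__main__":
    current = resolve_all(SAMPLE_DNS, sample_resolver)
    print("\n".join(build_acl("inside", IM_PORTS.values(), current)))
    print("new since last run:", new_servers({"205.188.7.172"}, current))
```

Apply the generated lines in config mode, then "write mem" and "clear xlate" as Jay notes; keep the previous run's address set on disk so new_servers has something to compare against.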