PIX515E: ACL Question 1


ermora (IS-IT--Management, US)
Apr 5, 2004
I just can't seem to get it to work no matter what I try. So I've wiped the configuration and am seeking some help.

What I need to do is:
1) Block all outbound access that is not HTTP, HTTPS or FTP.
2) Allow our internal DNS access to our ISP's DNS that has root entries. Our DNS is IP 192.168.40.10.
3) Allow specific inside addresses to access the outside on specific UDP/TCP ports. For example, internal IP 192.168.40.35 is allowed access to UDP/TCP port 1535.

Thanks
 
access-list acl_inside remark Outbound web and FTP control channel from any inside host
access-list acl_inside permit tcp any any eq http
access-list acl_inside permit tcp any any eq https
access-list acl_inside permit tcp any any eq ftp
access-list acl_inside remark Only the internal DNS server may talk to outside DNS (TCP and UDP 53)
access-list acl_inside permit tcp host 192.168.40.10 any eq 53
access-list acl_inside permit udp host 192.168.40.10 any eq 53
access-list acl_inside remark Per-host exception for port 1535; anything not listed above is dropped by the implicit deny
access-list acl_inside permit tcp host 192.168.40.35 any eq 1535
access-list acl_inside permit udp host 192.168.40.35 any eq 1535
access-list acl_inside remark Bind the list inbound on the inside interface
access-group acl_inside in interface inside
 
NetworkGhost,
Thanks for your response. Before I begin, this is what I've done;

Reloaded PIX
write erase
Reloaded PIX

Then I added the appropriate inside/outside connection configurations.

Then I added the acl specified in your post; with the exception of 1535 UDP/TCP openings.

I then logged onto my workstation and attempted to run Trillian. I was surprised to see it connect without any problems.

This is what I was getting when I tried to "lock down" the PIX. It seems that inside connections can create outbound connections unless the ACL configuration explicitly says otherwise.

I hope this is not true and it's as simple as me missing something. If it is true, how in the world does one set up a "global" ACL that explicitly does not allow outbound connections?

Thanks,
 
Some IM services use port 80, so that might be why.
 
lgarner is right. IMs, streaming media, P2P and other apps will tunnel over HTTP if the original ports aren't available. To block this you would need a proxy that will inspect this traffic (Websense), or I have heard that PIX 7.0 can do some HTTP tunneling inspection.
 
If they used port 80, that would be better than what I'm thinking - that a higher security (inside) is allowed to access a lower security (outside) unless explicitly given access.

Anyone know of a good network probe so that I can see if port 80 is being used?

Thanks,
 
Snort comes to mind. Of course, port 80 is used by http, also. There are some resources on the web for blocking addresses to AIM & MSN.
 
The higher-security-to-lower-security rule gets whacked when you apply an ACL to the interface. If you want to see if port 80 is getting used, you can use tcpdump or snoop. They have Windows versions if you don't have a Linux/Unix box available. If you have a Cisco switch you can set up a port for monitoring and do a dump on all traffic for port 80. Or you can just keep your ACL in place and watch the ACL increment.
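
The behaviour described in the reply above (once an access-list is bound to the inside interface, the higher-to-lower default is gone and anything not explicitly permitted hits the implicit deny at the end of the list) can be checked without a PIX. The script below is an added example, not code from this thread or from Cisco: it re-implements the top-down, first-match evaluation of the acl_inside entries posted earlier and runs a few constructed outbound flows through them. The workstation address 192.168.40.50, the outside addresses and the AIM login port 5190 are assumptions made for the example; only the "any" and "host" address forms used in that ACL are parsed.

```python
"""First-match evaluator for a PIX interface access-list.

Added example (not code from the thread or from Cisco): it models the PIX rule
that an access-list bound to an interface is searched top-down, the first
matching entry decides, and anything that matches nothing is dropped by the
implicit deny at the end.  It is run against the acl_inside entries posted
earlier in the thread and a few constructed outbound flows; only the "any" and
"host" address forms used in that ACL are supported.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Keywords the PIX accepts after "eq" (subset; the mapping is assumed for this example).
PORT_NAMES = {"http": 80, "https": 443, "ftp": 21, "domain": 53}

# The access-list from the thread, verbatim.
ACL_INSIDE = """\
access-list acl_inside permit tcp any any eq http
access-list acl_inside permit tcp any any eq https
access-list acl_inside permit tcp any any eq ftp
access-list acl_inside permit tcp host 192.168.40.10 any eq 53
access-list acl_inside permit udp host 192.168.40.10 any eq 53
access-list acl_inside permit tcp host 192.168.40.35 any eq 1535
access-list acl_inside permit udp host 192.168.40.35 any eq 1535
"""


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: Optional[str]     # None = any, otherwise a single host address
    dst: Optional[str]
    dport: Optional[int]   # None = any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume "any" or "host A.B.C.D" starting at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError("only 'any' and 'host' address forms are handled here")


def _parse_port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text: str) -> List[Ace]:
    """Turn "access-list <name> ..." lines into Ace objects, in order; remarks are skipped."""
    aces: List[Ace] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = _parse_port(tokens[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None means the implicit deny."""
    for idx, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if ace.src is not None and ace.src != src:
            continue
        if ace.dst is not None and ace.dst != dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None      # no entry matched: dropped by the implicit deny


# Constructed outbound flows (workstation 192.168.40.50 and the outside
# addresses are hypothetical; 5190 is AIM's default login port).
FLOWS = {
    "browser":          ("tcp", "192.168.40.50", "203.0.113.10", 80),
    "aim-default-port": ("tcp", "192.168.40.50", "203.0.113.20", 5190),
    "aim-via-port-80":  ("tcp", "192.168.40.50", "203.0.113.20", 80),
    "internal-dns":     ("udp", "192.168.40.10", "203.0.113.53", 53),
    "workstation-dns":  ("udp", "192.168.40.50", "203.0.113.53", 53),
}


def check_flows() -> Dict[str, Tuple[str, Optional[int]]]:
    aces = parse_acl(ACL_INSIDE)
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, (action, idx) in check_flows().items():
        where = "implicit deny" if idx is None else f"entry {idx + 1}"
        print(f"{name:18s} {action:6s} ({where})")
```

The result matches what the thread observed: the AIM login on 5190 is dropped by the implicit deny, but the same client retrying on port 80 is permitted by the very first entry, which is why a port-based list cannot keep an IM client out once it falls back to HTTP ports. The "workstation-dns" flow shows the side effect of entry 4 and 5 being host-specific: a workstation pointed directly at an outside resolver will fail, so inside hosts must use 192.168.40.10.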
 
So let me get this straight: when an ACL is bound to an interface (inside, outside, dmz, etc.), then all activity on that interface is controlled by the ACL config?

If this is true, then I don't understand how Trillian, which is an instant messaging client (for multiple IM services - is getting through even after I've bound the above ACL to the inside interface.

I'm almost positive that Trillian will not use port 80 if the preferred ports are not available.

Does Snort/Snoop or Tcpdump have the ability to monitor more than just port 80 (http protocol)?

I will post the complete configuration from the PIX tomorrow in hopes it may shed light on this problem of being unable to "lock down" the PIX.

Thanks,
 
snoop and tcpdump both have the ability. Remember that Trillian houses the applications of AOL, Yahoo, MSN etc. It still opens up 80, 8080, 8000 if it can to get through. You can even use the FW to view this traffic: you can set up a PIX capture. This can be viewed either from the PIX or you can download it to a file.
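
Whether the capture comes from tcpdump, snoop or the PIX capture command, the question is the same: of the connections to port 80, which ones are not actually HTTP? The script below is an added example, not code from this thread, from Trillian or from any IM vendor: it labels the first client bytes of each connection by protocol framing (AIM/ICQ OSCAR FLAP frames begin with 0x2A, Yahoo Messenger frames with the literal "YMSG", MSN Messenger sessions with a "VER <id> MSNP..." command, HTTP requests with "<METHOD> <URI> HTTP/1.x") and reports the port-80 connections that are something else. The capture records, addresses and hostnames are constructed for the example; a client that wraps its protocol inside real HTTP requests would not be caught by these signatures.

```python
"""Payload-signature triage for TCP port 80.

Added example (not from the thread, not a Snort or Websense rule): a port-based
ACL cannot tell a browser from an IM client that falls back to port 80, so this
looks at the first bytes of each connection instead.  The capture records below
are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

HTTP_REQUEST = re.compile(rb"\A[A-Z]+ \S+ HTTP/1\.[01]\r\n")
MSN_VER = re.compile(rb"\AVER \d+ MSNP\d+")


def classify(payload: bytes) -> str:
    """Label the first client-to-server bytes of a TCP connection."""
    # OSCAR FLAP header: 0x2A, channel 1-5, 2-byte sequence, 2-byte data length.
    if len(payload) >= 6 and payload[0] == 0x2A and 1 <= payload[1] <= 5:
        data_len = int.from_bytes(payload[4:6], "big")
        if data_len <= len(payload) - 6:      # several frames may be coalesced
            return "aim-oscar"
    if payload.startswith(b"YMSG"):
        return "yahoo-ymsg"
    if MSN_VER.match(payload):
        return "msn-msnp"
    if HTTP_REQUEST.match(payload):
        # CONNECT asks a proxy for a raw tunnel; whatever follows is opaque to HTTP.
        return "http-connect" if payload.startswith(b"CONNECT ") else "http"
    return "unknown"


# Constructed records: (source, destination, destination port, first payload bytes).
CAPTURE: List[Tuple[str, str, int, bytes]] = [
    ("192.168.40.50", "203.0.113.10", 80,
     b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("192.168.40.50", "203.0.113.20", 80,
     b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),      # FLAP channel 1, protocol version 1
    ("192.168.40.50", "203.0.113.30", 80,
     b"VER 1 MSNP9 MSNP8 CVR0\r\n"),
    ("192.168.40.50", "203.0.113.40", 80,
     b"YMSG\x00\x10\x00\x00\x00\x00\x00\x4c\x00\x00\x00\x00\x00\x00\x00\x00"),
    ("192.168.40.50", "203.0.113.50", 80,
     b"CONNECT login.example.net:5190 HTTP/1.0\r\n\r\n"),
    ("192.168.40.50", "203.0.113.60", 443,
     b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86"),           # TLS ClientHello, not port 80
]


def non_http_on_80(records: List[Tuple[str, str, int, bytes]]) -> Dict[str, str]:
    """Map destination -> label for every port-80 connection that is not plain HTTP."""
    findings: Dict[str, str] = {}
    for _src, dst, dport, payload in records:
        if dport != 80:
            continue
        label = classify(payload)
        if label != "http":
            findings[dst] = label
    return findings


if __name__ == "__main__":
    for dst, label in non_http_on_80(CAPTURE).items():
        print(f"{dst}: {label}")
```

Only the first segment of each connection is needed, so a capture filtered on destination port 80 with enough snap length to hold a few dozen payload bytes is sufficient; the same labels can be turned into proxy or IDS rules once the offending destinations are known.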
 