Hi Rob,

if you want to block an outside client from accessing your internal
web-server you need to use the "conduit"-command.
You might have something like:

conduit permit tcp host xxx.xxx.xxx.xxx eq www any  

Where xxx is your official webserver address.
Now simply add:

conduit deny tcp host xxx.xxx.xxx.xxx eq www host yyy.yyy.yyy.yyy

and yyy won't be able to access your webserver anymore. Unlike
the Checkpoint FW for instance, the order of the rules is of no
relevance. Not the first rule wins, but the most specific.

If you want to block an inside client from accessing the outside, it
depends on the version of the PIX you are using. Newer versions
support the "Access-Lists" which are rather simple to use.
When using an older version of PIX you'll have to use the
"outbound" / "apply" commands:

outbound   1 permit zzz.zzz.zzz.zzz 255.255.255.255 80 tcp
outbound   1 except 206.251.29.10 255.255.255.255 80 tcp  
apply (inside) 1 outgoing_src

This is going to block www.playboy.com from being accessed
by zzz from the inside. You can expand the list with other 
excepts of course.

In addition the PIX has the ability to redirect an IP-Address with the
"alias"-command. If you want to block www.playboy.com:

alias (inside) 206.251.29.10 216.22.214.122 255.255.255.255

Next time someone accesses Playboy (206...) he is going to have
the Catholic Information Center (216...) in his browser. 

Have fun

Sascha

--------------------------------------------------------------------------------
Sascha Weigelmann                Email: [EMAIL PROTECTED] 
                                                 Tel.: +49 6172-288-383
                                                 Mobil 0170-5778857
                                                 Fax: +49 6172-288-402
     
ADS System AG                       http://www.ads.de 
Siemensstr. 25a
D-61352 Bad Homburg
     
                   The Network Service Company
--------------------------------------------------------------------------------


>>> "Rob Serfozo" <[EMAIL PROTECTED]> 08/09/00 04:33pm >>>
Is there any way that I can block access to a site or block an IP address
from accessing my webserver using a Cisco PIX 515?  I believe that I may be
able to do this using a conduit statement, but I am not sure.

Thank you,
Rob Serfozo

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]


