IP rule? Can it go?


    Can I remove this rule from my PIX 506e? I have set TCP rules to allow outbound 80, pptp, and smtp on the server. The reason I ask is I am trying to track a rogue spammer on my network. I didn't config this PIX and am not too familiar with this rule. What is the IP Protocol: IP (0)?

    Be easy on me, I'm here to learn

  • #2
    Re: IP rule? Can it go?

    If I'm not mistaken that looks like
    access-list name permit ip any any

    which allows anything outbound from anywhere.
    Condensing slightly, but generally this is already there if there are no access rules set up outbound. As soon as one is set up then everything else apart from that is blocked, so it isn't just a case of deleting it; we need to know what else is set up.
    Is there any way you can log in to the command line on this and get us the config (minus identifiable info) first?
    cheers
    Andy

    Quis custodiet ipsos custodes?

    • #3
      Re: IP rule? Can it go?

      PIX Version 6.3(4)

      clock timezone PST -8
      clock summer-time PDT recurring
      fixup protocol dns maximum-length 512
      fixup protocol ftp 21
      fixup protocol h323 h225 1720
      fixup protocol h323 ras 1718-1719
      fixup protocol http 80
      fixup protocol pptp 1723
      fixup protocol rsh 514
      fixup protocol rtsp 554
      fixup protocol sip 5060
      fixup protocol sip udp 5060
      fixup protocol skinny 2000
      no fixup protocol smtp 25
      fixup protocol sqlnet 1521
      fixup protocol tftp 69
      names
      name 192.168.100.5 AHCM-DC
      name 192.168.100.6 AHCM-SERVER
      name 192.168.100.7 AHCM-REMOTE
      name 192.168.100.11 VZW
      name 208.81.x.x SpamSoap2
      name 208.65.x.x SpamSoap1
      object-group network MailServers
      description Barracuda + Exchange Server
      network-object AHCM-DC 255.255.255.255
      object-group network SpamSoap
      network-object SpamSoap1 255.255.248.0
      network-object SpamSoap2 255.255.252.0
      access-list inbound permit tcp any host 66.167.x.x eq www
      access-list inbound remark 192.168.100.5
      access-list inbound remark 255.255.255.255
      access-list inbound permit tcp any any eq pptp
      access-list inbound permit tcp any host 66.167.x.x eq https
      access-list inbound permit tcp any host 66.167.x.x eq 3389
      access-list inbound permit icmp any any echo-reply
      access-list inbound permit icmp any any time-exceeded
      access-list inbound permit icmp any any unreachable
      access-list inbound remark SpamSoap
      access-list inbound permit tcp object-group SpamSoap interface outside eq smtp
      access-list inside_access_in remark reporting port 80 use
      access-list inside_access_in permit tcp any any eq www
      access-list inside_access_in remark
      access-list inside_access_in permit tcp host AHCM-DC any eq smtp log 2
      access-list inside_access_in permit ip any any
      access-list inside_access_in remark PPTP from inside to outside
      access-list inside_access_in permit tcp any eq pptp any log 2
      pager lines 24
      logging on
      logging timestamp
      logging buffered warnings
      logging trap informational
      logging host inside AHCM-DC
      mtu outside 1500
      mtu inside 1500
      ip address outside 66.167.x.x 255.255.255.248
      ip address inside 192.168.100.2 255.255.255.0
      ip audit info action alarm
      ip audit attack action alarm
      pdm location AHCM-DC 255.255.255.255 inside
      pdm location AHCM-REMOTE 255.255.255.255 inside
      pdm location VZW 255.255.255.255 inside
      pdm location 0.0.0.0 255.255.255.248 outside
      pdm location SpamSoap1 255.255.248.0 outside
      pdm location SpamSoap2 255.255.252.0 outside
      pdm group MailServers inside
      pdm group SpamSoap outside
      pdm logging critical 512
      pdm history enable
      arp timeout 14400
      global (outside) 1 66.167.x.y
      nat (inside) 1 0.0.0.0 0.0.0.0 0 0
      static (inside,outside) tcp interface www AHCM-DC www netmask 255.255.255.255 0 0
      static (inside,outside) tcp interface pptp AHCM-DC pptp netmask 255.255.255.255 0 0
      static (inside,outside) tcp interface https AHCM-DC https netmask 255.255.255.255 0 0
      static (inside,outside) tcp interface 3389 AHCM-REMOTE 3389 netmask 255.255.255.255 0 0
      static (inside,outside) tcp interface 5901 VZW 5901 netmask 255.255.255.255 0 0
      static (inside,outside) tcp interface smtp AHCM-DC smtp netmask 255.255.255.255 0 0
      access-group inbound in interface outside
      access-group inside_access_in in interface inside
      route outside 0.0.0.0 0.0.0.0 66.167.x.z 1
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:30:00 udp 0:30:00 rpc 0:30:00 h225 1:00:00
      timeout h323 0:05:00 mgcp 0:30:00 sip 0:30:00 sip_media 0:30:00
      timeout uauth 0:30:00 absolute
      aaa-server TACACS+ protocol tacacs+
      aaa-server TACACS+ max-failed-attempts 3
      aaa-server TACACS+ deadtime 10
      aaa-server RADIUS protocol radius
      aaa-server RADIUS max-failed-attempts 3
      aaa-server RADIUS deadtime 10
      aaa-server LOCAL protocol local
      ntp server AHCM-DC source inside
      ntp server 164.67.62.194 source outside
      http server enable
      http 192.168.100.0 255.255.255.0 inside
      no snmp-server location
      no snmp-server contact
      snmp-server community public
      no snmp-server enable traps
      tftp-server inside AHCM-REMOTE /TFTP-Root
      floodguard enable
      telnet AHCM-DC 255.255.255.255 inside
      telnet AHCM-REMOTE 255.255.255.255 inside
      telnet timeout 5
      ssh 192.168.100.0 255.255.255.0 inside
      ssh timeout 5
      console timeout 0
      terminal width 80
      : end
      [OK]

      • #4
        Re: IP rule? Can it go?

        Code:
         
        access-list inside_access_in remark reporting port 80 use
        access-list inside_access_in permit tcp any any eq www 
        access-list inside_access_in remark 
        access-list inside_access_in permit tcp host AHCM-DC any eq smtp log 2 
        access-list inside_access_in permit ip any any 
        access-list inside_access_in remark PPTP from inside to outside
        access-list inside_access_in permit tcp any eq pptp any log 2
        Your outbound access list for internal clients currently allows:
        1. Any outbound to tcp WWW
        2. AHCM-DC outbound to tcp SMTP (logged)
        3. Any IP traffic
        4. Any PPTP tcp (logged)

        I suspect it would be better to have:

        Code:
         
        access-list inside_access_in remark reporting port 80 use
        access-list inside_access_in permit tcp any any eq www
        access-list inside_access_in remark reporting AHCM-DC SMTP Out
        access-list inside_access_in permit tcp host AHCM-DC any eq smtp log 2 
        access-list inside_access_in remark PPTP from inside to outside
        access-list inside_access_in permit tcp any eq pptp any log 2 
        access-list inside_access_in deny tcp any any eq smtp
        access-list inside_access_in permit ip any any
        This should then allow the additional blocking of SMTP from any internal host aside from the allowed AHCM-DC.
        The ip allow any any needs to be last to allow all other traffic, but you can lock this down more by putting in some more denies. PIX reads rules top down, so you need to get the allow smtp for AHCM-DC in before the deny smtp, and you need to have the allow IP any any after the denies.
        cheers
        Andy

        • #5
          Re: IP rule? Can it go?

          Originally posted by AndyJG247 (quoting #4 above):

          Can I just copy and paste this into the PDM console?

          • #6
            Re: IP rule? Can it go?

            I am logging to KiwiSyslog; how can I track my possible rogue spammer on my network? I would basically like to log all outbound port 25 traffic.
            Last edited by brcmadmin; 16th December 2008, 00:34.

            • #7
              Re: IP rule? Can it go?

              You can log by putting "log x" at the end of the access-list
              like this:
              Code:
              access-list inside_access_in permit tcp host AHCM-DC any eq smtp log 2
              You could also apply the second access list and check the denies as well, though.

              I've never used PDM so I don't know if you can paste in commands; either way you will need to remove the access-list that exists first.

              Open the command prompt,
              log in and enable
              so you see
              hostname#
              then
              Code:
              clear access-list inside_access_in
              then
              Code:
              access-list inside_access_in remark reporting port 80 use
              access-list inside_access_in permit tcp any any eq www log 2
              access-list inside_access_in remark reporting AHCM-DC SMTP Out
              access-list inside_access_in permit tcp host AHCM-DC any eq smtp log 2 
              access-list inside_access_in remark PPTP from inside to outside
              access-list inside_access_in permit tcp any eq pptp any log 2 
              access-list inside_access_in deny tcp any any eq smtp
              access-list inside_access_in permit ip any any
              then
              Code:
              access-group inside_access_in in interface inside
              this should get things working.
              You can turn up the amount of messages being logged with
              Code:
              logging trap x
              where x is a number up to 7.

              Have a look at the commands in the command reference too to get a better idea of how they work
              http://www.cisco.com/en/US/products/...80094885.shtml

              edit: of course you need "write mem" to save the config too.
              cheers
              Andy


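Post #6 asks how to find the spamming host once the PIX is sending to Kiwi Syslog. With the `log 2` keyword on the ACL entries as shown above, every hit is emitted as a 106100 message of the form `%PIX-2-106100: access-list NAME permitted|denied tcp inside/SRC(SPORT) -> outside/DST(DPORT) hit-cnt N (...)`. The Python below is an added example, not something from the thread, from Cisco or from Kiwi: it parses such lines and ranks internal hosts by outbound port-25 hits, leaving out the host that is allowed to send mail. The log lines, the hostname `pix-506e` and the destination addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Added example (not from the thread): rank internal hosts by outbound SMTP hits
seen in PIX 106100 ACL-log messages. Sample log lines are constructed."""
import re
from collections import defaultdict

# Layout of the 106100 ACL-hit message; the severity digit is 2 here because of "log 2".
ACL_HIT = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample: one legitimate mail server, one chatty host, one quieter one,
# plus an unrelated connection message that the parser must ignore.
SAMPLE_LOG = [
    "Dec 16 2008 00:34:01 pix-506e %PIX-2-106100: access-list inside_access_in permitted tcp "
    "inside/192.168.100.5(3412) -> outside/203.0.113.25(25) hit-cnt 1 (first hit)",
    "Dec 16 2008 00:34:05 pix-506e %PIX-2-106100: access-list inside_access_in denied tcp "
    "inside/192.168.100.77(1055) -> outside/198.51.100.8(25) hit-cnt 1 (first hit)",
    "Dec 16 2008 00:39:05 pix-506e %PIX-2-106100: access-list inside_access_in denied tcp "
    "inside/192.168.100.77(1056) -> outside/198.51.100.9(25) hit-cnt 40 (300-second interval)",
    "Dec 16 2008 00:34:09 pix-506e %PIX-2-106100: access-list inside_access_in permitted tcp "
    "inside/192.168.100.77(1057) -> outside/203.0.113.80(80) hit-cnt 1 (first hit)",
    "Dec 16 2008 00:35:12 pix-506e %PIX-2-106100: access-list inside_access_in denied tcp "
    "inside/192.168.100.23(2001) -> outside/198.51.100.8(25) hit-cnt 3 (300-second interval)",
    "Dec 16 2008 00:35:13 pix-506e %PIX-6-302013: Built outbound TCP connection 4711 for "
    "outside:203.0.113.80/80 (203.0.113.80/80) to inside:192.168.100.77/1057 (192.168.100.77/1057)",
]


def parse_hits(lines):
    """Yield one dict per 106100 line; any other syslog line is skipped."""
    for line in lines:
        m = ACL_HIT.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "hits"):
                rec[key] = int(rec[key])
            yield rec


def smtp_summary(lines):
    """Per source host: outbound TCP/25 hits split by verdict, plus distinct destinations.
    hit-cnt is used so that the 300-second interval summaries are counted, not just first hits."""
    summary = defaultdict(lambda: {"permitted": 0, "denied": 0, "destinations": set()})
    for rec in parse_hits(lines):
        if rec["proto"] == "tcp" and rec["dport"] == 25:
            entry = summary[rec["src"]]
            entry[rec["verdict"]] += rec["hits"]
            entry["destinations"].add(rec["dst"])
    return summary


def suspects(lines, allowed_senders):
    """Hosts that tried SMTP outbound and are not allowed mail senders, busiest first.
    Returns (source, total_hits, distinct_destinations) tuples."""
    ranked = [(src, e["permitted"] + e["denied"], len(e["destinations"]))
              for src, e in smtp_summary(lines).items() if src not in allowed_senders]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    # AHCM-DC (192.168.100.5) is the only host that should be sending mail.
    for src, hits, dests in suspects(SAMPLE_LOG, {"192.168.100.5"}):
        print(f"{src}: {hits} SMTP hits to {dests} destination(s)")
```

Note that with Andy's proposed list the rogue host shows up as `denied` hits on the `deny tcp any any eq smtp` line, which is exactly the signal wanted; with the original list its traffic would have fallen through `permit ip any any`, which carries no `log` keyword, so no 106100 line would ever have been produced for it.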
              • #8
                Re: IP rule? Can it go?

                Hmmmm, I'm not so happy with the following lines (read my remarks in brackets).

                access-list inside_access_in permit tcp any any eq www log 2 (is source any really necessary? Better to harden it more: internal to any external)
                access-list inside_access_in permit tcp any eq pptp any log 2 (is source any really necessary? Better to harden it more: the internal host to any external)
                access-list inside_access_in deny tcp any any eq smtp (why deny it specifically instead of denying it in the last rule?)
                access-list inside_access_in permit ip any any (one question.... WHY? Any traffic any way sounds a bit insecure)
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"

                • #9
                  Re: IP rule? Can it go?

                  This is inside accessing out. Without an ACL applied to the interface it is by default "allow ip any any"; as soon as an ACL is applied then it is followed by "deny ip any any" (remembering that allow any any is "allow any inside to any outside", not "allow any inside and outside to any").

                  Line 1: The source could be any port accessing destination port 80. I suppose this could really be any port above the well-known ones, but that would be a little more complicated.
                  Line 2: Ditto above; although this could be restricted to specific internal hosts, we still don't know what the source port will be, only the destination port.
                  Line 3: Because we have a specific allow for smtp above, plus we want to specifically deny smtp from any other host.
                  Line 4: PIX allows any outbound by default unless there is an ACL applied. We could very easily make sure we also added allow any to DNS, HTTP, HTTPS, FTP, etc. We would need to add them all (and yes we could, but we need to make sure we know exactly what it would affect, and we don't (yet)).

                  I was working on the original config mainly but this config is more secure than the original due to the smtp deny. This is purely for traffic originating from the inside and yes I completely agree it could be more secure (add a proxy server etc).

                  brcmadmin - in view of Dumber's comments, if you can state exactly what you do want to allow out we can modify the acls to deny more things.
                  cheers
                  Andy


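Both #4 and #9 rest on the same point: the PIX evaluates an applied ACL top-down, stops at the first matching entry, and ends with an implicit deny. The Python below is an added example (not from the thread and not Cisco code) that parses the two versions of inside_access_in exactly as posted, evaluates a few constructed packets against each, and flags entries that can never match because an earlier, broader entry already covers them. Only the `any` and `host NAME` address forms are handled; the `name` table, the port keywords and the sample addresses (192.168.100.50, 203.0.113.25) are assumptions made for the example.

```python
"""Added example (not from the thread, not Cisco code): a model of how the PIX walks
an access list top-down and stops at the first matching entry.
Assumptions: only 'any' and 'host NAME' address forms, the 'name' table and port
keywords below, and constructed test packets."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

NAMES = {"AHCM-DC": "192.168.100.5"}                         # from the posted 'name' lines
PORTS = {"www": 80, "smtp": 25, "pptp": 1723, "https": 443}  # PIX port keywords used here

# The two ACLs as posted: the running config in #3 and Andy's proposal in #4.
ORIGINAL_ACL = """
access-list inside_access_in remark reporting port 80 use
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in remark
access-list inside_access_in permit tcp host AHCM-DC any eq smtp log 2
access-list inside_access_in permit ip any any
access-list inside_access_in remark PPTP from inside to outside
access-list inside_access_in permit tcp any eq pptp any log 2
"""
PROPOSED_ACL = """
access-list inside_access_in remark reporting port 80 use
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in remark reporting AHCM-DC SMTP Out
access-list inside_access_in permit tcp host AHCM-DC any eq smtp log 2
access-list inside_access_in remark PPTP from inside to outside
access-list inside_access_in permit tcp any eq pptp any log 2
access-list inside_access_in deny tcp any any eq smtp
access-list inside_access_in permit ip any any
"""


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" or "tcp"
    src: IPv4Network
    sport: Optional[int]  # None means any port
    dst: IPv4Network
    dport: Optional[int]
    text: str


def _addr(tokens):
    """Consume 'any' or 'host NAME' and return it as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        name = tokens.pop(0)
        return ip_network(NAMES.get(name, name) + "/32")
    raise ValueError("unsupported address form: " + tok)


def _port(tokens):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORTS[name] if name in PORTS else int(name)
    return None


def parse_acl(text):
    """Turn 'access-list NAME ...' lines into Ace objects; remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        rest = t[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)   # a trailing 'log N' does not affect matching
        aces.append(Ace(t[2], t[3], src, sport, dst, dport, line.strip()))
    return aces


def first_match(aces, proto, src_ip, dst_ip, dport, sport=None):
    """Return (action, index) of the first matching entry, or the implicit deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for i, a in enumerate(aces):
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        if a.sport is not None and a.sport != sport:
            continue
        return a.action, i
    return "deny", None   # every applied ACL ends with an implicit deny ip any any


def shadowed(aces):
    """Indices of entries that can never match because an earlier entry covers them."""
    dead = []
    for i, a in enumerate(aces):
        for b in aces[:i]:
            if (b.proto in ("ip", a.proto)
                    and a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
                    and b.dport in (None, a.dport) and b.sport in (None, a.sport)):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("proposed", PROPOSED_ACL)):
        acl = parse_acl(text)
        print(label, "other host to smtp:", first_match(acl, "tcp", "192.168.100.50", "203.0.113.25", 25))
        print(label, "AHCM-DC to smtp:   ", first_match(acl, "tcp", "192.168.100.5", "203.0.113.25", 25))
        print(label, "dead entries:", [acl[i].text for i in shadowed(acl)])
```

Running it shows the ordering rule Andy describes: in the proposed list AHCM-DC reaches its own permit before the smtp deny, any other host hits the deny, and everything else falls through to the final `permit ip any any`. It also shows a detail the thread did not mention: in the original list the pptp entry sits after `permit ip any any`, so it was never reached and never logged anything.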
                  • #10
                    Re: IP rule? Can it go?

                    Hmmm, I have to work on my Cisco knowledge again.
                    It's been almost 2 years since I touched any router or switch...

                    Anyhow, I just noticed the acl is on the "inside in" thingie...
                    So all inbound traffic (seen from the interface) originates from the local network.

                    • #11
                      Re: IP rule? Can it go?

                      The PIX uses different software from the routers, so the commands are different (although the 7 software upwards is better).
                      It is always good to question security and you are correct it could be better here, I just worked on what was already there mate.
                      cheers
                      Andy
