block ports out to internet but not out over site-to-site tunnel
- From: "softking" <softking@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 6 Mar 2006 17:33:41 -0600
I am trying to block certain ports (Windows NetBIOS and other risky stuff)
from going from LAN to WAN, but the exception is I do want to allow these
ports over the VPN tunnel to the PIX at site A (for the sake of Exchange
and mapped network drives). How can I accomplish this on the PIX alone? I
don't have another router, as some are suggesting is necessary. From the
config below (PIX at site B) I have just blocked the WinCrap from going out
of the PIX at all (to the Internet and/or over the tunnel). Is this accurate,
or what should be happening? 'Cause it is. How do I make the distinction
that I don't want it going out over the Internet but I do want it going out
of access-list 100 or to the 192.168.[A].0 network?
On a similar note, how could I force all SIP or port 5060/1 traffic to go
over the tunnel (and out the Internet connection of PIX A) as opposed to
going out over the Internet connection of PIX B?
object-group service WinCrap tcp-udp
description : for blocking Windows slop from leaking outbound
port-object range 135 139
port-object eq 445
port-object eq 593
port-object eq 4444
access-list inside_access_in deny tcp any any object-group WinCrap
access-list inside_access_in deny udp any any object-group WinCrap
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 554
access-list outside_access_in permit udp any any eq 554
access-list outside_access_in permit tcp any any eq 80
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list 100 permit ip 192.168.[B].0 255.255.255.0 192.168.[A].0 255.255.255.0
access-list 100 permit ip 192.168.[B].0 255.255.255.0 172.16.40.0 255.255.255.0
access-list vpn_splitTunnelAcl permit ip 192.168.[B].0 255.255.255.0 172.16.40.0 255.255.255.0
access-list 110 permit ip 192.168.[B].0 255.255.255.0 192.168.[A].0 255.255.255.0
icmp permit any outside
icmp permit any inside
ip address outside dhcp setroute retry 4
ip address inside 192.168.[B].1 255.255.255.0
ip local pool vpnrange 172.16.40.10-172.16.40.50
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 554 192.168.[B].8 554 dns netmask 255.255.255.255 0 0
static (inside,outside) udp interface 554 192.168.[B].8 554 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 80 192.168.[B].8 80 dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
Thank you in advance for your time and expertise.
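An added example, not from the original post, of how the inside ACL would be ordered so that first-match evaluation does what the question asks: the Windows ports are permitted only when the destination is the site A network carried by the tunnel (access-list 110), and denied toward every other destination. It reuses the WinCrap object-group and the bracketed placeholder networks exactly as they appear in the config above; whether the 172.16.40.0/24 VPN client pool should get the same permit is a policy choice left out here.

```text
access-list inside_access_in permit tcp 192.168.[B].0 255.255.255.0 192.168.[A].0 255.255.255.0 object-group WinCrap
access-list inside_access_in permit udp 192.168.[B].0 255.255.255.0 192.168.[A].0 255.255.255.0 object-group WinCrap
access-list inside_access_in deny tcp any any object-group WinCrap
access-list inside_access_in deny udp any any object-group WinCrap
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
```

PIX ACL entries are appended in the order typed and matched top-down, so the two permit lines must be entered before the existing deny lines (remove and re-enter the list in this order if your PIX version has no line-number insert); afterwards, `show access-list inside_access_in` hit counters on the permit lines confirm that traffic to a mapped drive at site A is matching the permits rather than the denies.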