Hello, my PIX 501 is configured as follows:
Pix-Trieste(config)# show conf
: Saved
: Written by enable_15 at 20:04:57.760 UTC Wed Oct 17 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password r5XXXWZlmQQXXhY encrypted
passwd 2KFXXXXI.2KYOU encrypted
hostname Pix-Trieste
domain-name pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ext permit ip 88.39.XXX.152 255.255.255.248 any
access-list ext permit tcp 81.73.XX.24 255.255.255.248 host 88.45.XX.37 eq 3389
access-list ext permit tcp 81.73.XX.24 255.255.255.248 host 88.45.XX.37 eq lotusnotes
access-list ext permit tcp any host 88.45.XX.37 eq lotusnotes
access-list ext permit tcp any host 88.45.XX.37 eq www
pager lines 24
logging on
logging trap warnings
logging host inside 10.1.0.177
logging host inside 10.0.0.177
mtu outside 1500
mtu inside 1500
ip address outside 88.45.XX.34 255.255.255.248
ip address inside 10.0.0.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 88.45.106.38
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) 88.45.XXX.37 10.0.0.253 netmask 255.255.255.255 0 0
access-group ext in interface outside
route outside 0.0.0.0 0.0.0.0 88.45.XXX.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.0.100 255.255.255.255 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.1.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:3d4a4dXXXXXXXX36e5cedaf2f
I have replaced some sensitive data with XXXX.
I would like to know how to block port 1863 (MSN) outbound, so that the clients cannot connect to MSN.
I have already set up the following workaround found on various forums: adding the following records to the hosts file of each machine:
127.0.0.1 messenger.hotmail.com
127.0.0.1 webmessenger.msn.com
127.0.0.1 gateway.messenger.hotmail.com
I tried the commands:
access-list ACL-OUT deny tcp 10.0.0.1 255.255.255.255 any eq 1863
access-list ACL-OUT deny udp 10.0.0.1 255.255.255.255 any eq 1863
and also
access-list ext deny tcp 10.0.0.1 255.255.255.255 any eq 1863
access-list ext deny udp 10.0.0.1 255.255.255.255 any eq 1863
but they did not give the hoped-for results; I think the problem lies in that ACL-OUT or ext.
I also tried the complete command that was suggested to me some time ago:
access-list ACL-OUT remark *** OUTBOUND ACL ***
access-list ACL-OUT deny tcp 10.0.0.1 255.255.255.255 any eq 1863
access-list ACL-OUT deny udp 10.0.0.1 255.255.255.255 any eq 1863
access-group ACL-OUT in interface inside
but this way all browsing is blocked.
Thanks to whoever helps me.
Blocking outbound ports on a PIX 501
Moderator: Federico.Lagni
Reply from Wizard (Intergalactic subspace network admin):
The rules I had written to block Windows Live Messenger:
access-list 111 remark *** ACL TO BLOCK WINDOWS LIVE MESSENGER ***
access-list 111 deny tcp any any eq 1863
access-list 111 deny ip any host 65.54.239.80
access-list 111 deny ip any host 65.54.239.81
access-list 111 remark *** PIX 6.x takes a subnet mask here, not an IOS wildcard mask ***
access-list 111 deny ip any 207.46.110.0 255.255.255.0
access-list 111 remark *** ACL THAT PERMITS EVERYTHING ELSE (without it the implicit deny blocks all traffic) ***
access-list 111 permit ip any any
access-list 111 remark *** apply the list inbound on the inside interface ***
access-group 111 in interface inside
The future is made of people who have intuitions and visions ..... they are the people who make the difference ...... those endowed with a THIRD EYE ....
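To show why the original poster's ACL-OUT (deny entries for a single host and nothing else) cut off all browsing while the reply's ACL 111 only blocks Messenger, here is a toy first-match evaluator for the PIX 6.3 access-list lines used in this thread. This is an added example, not code from the forum or from Cisco; it parses only the syntax the two posts use (permit/deny, ip/tcp/udp, any, host, address plus subnet mask, optional eq port), treats masks as PIX subnet masks rather than IOS wildcard masks, and runs a handful of constructed client flows whose remote IP addresses are made up for the example.

```python
# Toy first-match evaluator for PIX 6.3-style access-list entries.
# Added example, not from the forum thread or from Cisco. Parses only the
# subset of syntax the posts use: permit/deny, ip/tcp/udp, 'any',
# 'host A.B.C.D' or 'A.B.C.D MASK' for source and destination, and an
# optional 'eq PORT' on the destination. Masks are PIX subnet masks.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "lotusnotes": 1352}  # port names seen in the thread's config


@dataclass
class Rule:
    acl: str
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None = any destination port


def mask_is_valid(mask: str) -> bool:
    """True for a contiguous subnet mask (255.255.255.0); False for an IOS-style
    wildcard such as 0.0.0.255, which a PIX would not interpret as intended."""
    m = int(ipaddress.IPv4Address(mask))
    inverted = ~m & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if not mask_is_valid(mask):
        raise ValueError(f"{mask}: PIX access-lists take subnet masks, not wildcard masks")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("access-list", "access-l") or t[2] == "remark":
            continue  # remarks and unrelated lines carry no filtering decision
        acl, action, proto = t[1], t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append(Rule(acl, action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry decides; every PIX ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # implicit deny: why ACL-OUT with only deny lines stopped all browsing


# The OP's ACL-OUT as posted: deny entries for one host (10.0.0.1), nothing else.
ACL_OUT = """
access-list ACL-OUT remark *** OUTBOUND ACL ***
access-list ACL-OUT deny tcp 10.0.0.1 255.255.255.255 any eq 1863
access-list ACL-OUT deny udp 10.0.0.1 255.255.255.255 any eq 1863
"""

# The reply's ACL 111, with the 207.46.110.0 entry written as a PIX subnet mask
# and the closing permit that keeps the rest of the traffic flowing.
ACL_111 = """
access-list 111 deny tcp any any eq 1863
access-list 111 deny ip any host 65.54.239.80
access-list 111 deny ip any host 65.54.239.81
access-list 111 deny ip any 207.46.110.0 255.255.255.0
access-list 111 permit ip any any
"""

# Constructed sample flows from an inside client; the remote addresses are made up.
FLOWS = [
    ("tcp", "10.0.0.5", "93.184.216.34", 80),    # ordinary web browsing
    ("tcp", "10.0.0.5", "64.4.13.1", 1863),      # MSN Messenger login
    ("tcp", "10.0.0.5", "207.46.110.7", 443),    # address in the blocked /24
    ("udp", "10.0.0.5", "8.8.8.8", 53),          # DNS
]


def verdicts(acl_text: str) -> dict:
    """Map each sample flow to the verdict the given ACL would give it."""
    rules = parse_acl(acl_text)
    return {f"{p} {s}->{d}:{port}": evaluate(rules, p, s, d, port) for p, s, d, port in FLOWS}


if __name__ == "__main__":
    for name, text in (("ACL-OUT", ACL_OUT), ("111", ACL_111)):
        print(name)
        for flow, verdict in verdicts(text).items():
            print(f"  {verdict:6s} {flow}")
```

Running it prints "deny" for every flow under ACL-OUT, because the only entries name host 10.0.0.1 and the 10.0.0.5 client falls through to the implicit deny, whereas ACL 111 denies just the 1863 and Messenger-address flows and permits the web and DNS flows. Feeding it the wildcard form `207.46.110.0 0.0.0.255` raises an error, mirroring the mask mismatch a PIX would silently mis-evaluate.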