https://community.cisco.com/t5/network-security/help-with-access-list/m-p/693649#M1009794 <HTML><HEAD></HEAD><BODY><P>If you just want to prevent http and dns that is great, but if you want to completely prevent everything else you can do on the internet...</P><P></P><P>access-list acl_in deny ip host 192.168.50.5 any</P><P>access-list acl_in permit ip any any</P><P>access-group acl_in in interface inside</P></BODY></HTML> Tue, 20 Mar 2007 18:14:47 GMT acomiskey 2007-03-20T18:14:47Z https://community.cisco.com/t5/network-security/help-with-access-list/m-p/693646#M1009788 <P>I am trying to get a computer to not access the internet using my PIX 506 (6.3(5) version.</P><P></P><P>I need to prevent computer with ip 192.168.50.5 to not be able to go to the Internet.</P><P></P><P>Can I do this like this:</P><P>access-list acl_in deny tcp 192.168.50.5 255.255.255.0 0 0 eq http</P><P></P><P>I already have binded this acl_in to the interface.</P><P></P><P>Thanks in advance. BTW, can I do this with the mac-address too?</P><P></P><P>Julio,</P> Mon, 11 Mar 2019 09:49:30 GMT https://community.cisco.com/t5/network-security/help-with-access-list/m-p/693646#M1009788 flopez 2019-03-11T09:49:30Z https://community.cisco.com/t5/network-security/help-with-access-list/m-p/693647#M1009790 <HTML><HEAD></HEAD><BODY><P>access-list acl_in deny tcp 192.168.50.5 255.255.255.0 any eq http </P><P>access-l acl_in permit tcp any any eq 80 </P><P>access-l acl_in permit udp any any eq 53</P><P>(this will ensure Internet connectivity for rest of the mass)</P><P></P><P>No you cant do it on the basis of MAC address</P></BODY></HTML> Tue, 20 Mar 2007 17:43:12 GMT https://community.cisco.com/t5/network-security/help-with-access-list/m-p/693647#M1009790 abinjola 2007-03-20T17:43:12Z https://community.cisco.com/t5/network-security/help-with-access-list/m-p/693648#M1009792 <HTML><HEAD></HEAD><BODY><P>The above looks good except the deny will deny the whole network 192.168.50.0. Try...</P><P></P><P>access-list acl_in deny tcp host 192.168.50.5 any eq http</P><P></P><P>or</P><P></P><P>access-list acl_in deny tcp host 192.168.50.5 255.255.255.255 any eq http</P><P></P><P>then add...</P><P>access-list acl_in permit tcp any any eq 80 </P><P>access-list acl_in permit udp any any eq 53 </P><P></P><P>if you want to restrict access out bound for http and dns only. You might want to add </P><P></P><P>access-list acl_in permit tcp any any eq https</P><P>(for secure http)</P><P></P><P>or some people just add this line at the end of the deny list...</P><P></P><P>access-list acl_in permit ip any any</P><P>(to let all traffic out to the internet not previously denied. Not as secure but very common)</P><P></P></BODY></HTML> Tue, 20 Mar 2007 18:13:25 GMT https://community.cisco.com/t5/network-security/help-with-access-list/m-p/693648#M1009792 jspringfield 2007-03-20T18:13:25Z https://community.cisco.com/t5/network-security/help-with-access-list/m-p/693649#M1009794 <HTML><HEAD></HEAD><BODY><P>If you just want to prevent http and dns that is great, but if you want to completely prevent everything else you can do on the internet...</P><P></P><P>access-list acl_in deny ip host 192.168.50.5 any</P><P>access-list acl_in permit ip any any</P><P>access-group acl_in in interface inside</P></BODY></HTML> Tue, 20 Mar 2007 18:14:47 GMT https://community.cisco.com/t5/network-security/help-with-access-list/m-p/693649#M1009794 acomiskey 2007-03-20T18:14:47Z