topic Re: Denying Internet access with PIX 500 series in Network Security

Denying Internet access with PIX 500 series

pbecker — Fri, 21 Feb 2020 08:26:44 GMT

I need to deny all Internet access to certain hosts at various locations. We are using PIX 501 and 506 firewalls to create a full VPN mesh between offices. How do I configure access-lists to deny Internet access to only a select number of hosts?

Re: Denying Internet access with PIX 500 series

Patrick Iseli — Thu, 06 Oct 2005 14:37:35 GMT

Configure an access-list in the inside interface and start with denying the host that you want to block after that add the hosts and protocols that should be able to connect to the Internet.

example:

access-list Internet deny ip host 192.168.1.10 any

access-list Internet deny tcp host 192.168.1.10 any eq 80

access-list Internet permit ip host 192.168.1.20 any

...

Give me a more detailed example !!

You could also work with objects groups to be more specific and group multiple UDP or TCP port s together.

example:

object-group service Web tcp

port-object eq 80

port-object eq 443

port-object eq 21

access-list internet deny tcp 10.2.1.0 255.255.255.0 any object-group Web

access-list internet permit tcp host 10.2.1.10 any host object-group Web

access-list internet permit any any

sincerely

Patrick

Re: Denying Internet access with PIX 500 series

pbecker — Thu, 06 Oct 2005 17:39:45 GMT

I knew basic access-list configs on a Cisco router, but I was unsure how to apply them to a PIX. The deny/permit port 80 will do for now, but I can use the object-group config in the future.

Thank you for the help.