https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254549#M833178 <HTML><HEAD></HEAD><BODY><P>Small change on the above. If I dont add udp, I saw dns issues.</P><P></P><P>access-l inside-acl deny tcp host 10.10.10.1 any eq 80 </P><P></P><P>access-l inside-acl permit tcp any any</P><P>access-l inside-acl permit udp any any</P><P>access-g inside-acl in int inside</P></BODY></HTML> Thu, 30 Jul 2009 20:51:36 GMT techtips03 2009-07-30T20:51:36Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254539#M833168 <P>Hello</P><P></P><P>I have a PIX 506E with 6.3(5) version and I would like to know if I can block internet access to certain users and allow access to some users on the same LAN. I have a SBS server on the LAN.</P><P></P><P>Thank you</P><P></P> Mon, 11 Mar 2019 15:56:21 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254539#M833168 techtips03 2019-03-11T15:56:21Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254540#M833169 <HTML><HEAD></HEAD><BODY><P>do you have static IP addresses or DHCP on the LAN?</P></BODY></HTML> Fri, 17 Jul 2009 15:40:26 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254540#M833169 andrew.prince 2009-07-17T15:40:26Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254541#M833170 <HTML><HEAD></HEAD><BODY><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml</A></P></BODY></HTML> Fri, 17 Jul 2009 16:23:13 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254541#M833170 srue 2009-07-17T16:23:13Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254542#M833171 <HTML><HEAD></HEAD><BODY><P>I have DHCP on the LAN</P></BODY></HTML> Fri, 17 Jul 2009 16:38:18 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254542#M833171 techtips03 2009-07-17T16:38:18Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254543#M833172 <HTML><HEAD></HEAD><BODY><P>You would have to do it individually for the IP addresses that you want to block port 80 and allow the rest. You can use dhcp mac address reservation so, these denied hosts will always get the same ip address.</P><P></P><P>access-l inside-acl deny tcp host 10.10.10.1 any eq 80</P><P>.</P><P>.--&gt; add all the denies</P><P>.</P><P>access-l inside-acl permit tcp any any eq 80</P><P></P><P>access-g inside-acl in int inside</P></BODY></HTML> Fri, 17 Jul 2009 17:11:00 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254543#M833172 Kureli Sankar 2009-07-17T17:11:00Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254544#M833173 <HTML><HEAD></HEAD><BODY><P>Thanks Sankar. When you say dhcp mac reservation, do you mean assigning IP address to MAC on the dhcp server so they can get the same IPs?</P></BODY></HTML> Fri, 17 Jul 2009 20:31:33 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254544#M833173 techtips03 2009-07-17T20:31:33Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254545#M833174 <HTML><HEAD></HEAD><BODY><P>Exactly. Yes. Reserving an IP address for a MAC address on the dhcp server so, these computers will consistently get the same IP address.</P></BODY></HTML> Fri, 17 Jul 2009 21:58:57 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254545#M833174 Kureli Sankar 2009-07-17T21:58:57Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254546#M833175 <HTML><HEAD></HEAD><BODY><P>One option is running AAA and Cut through proxy. The drawback is that it will ask each user to log in. The Pix cannot tell who the user is from the packets. There is no user information in them. The SBS should be able to function as a Radius server and perform the authentication. I would consider the configuration and intermediate level task.</P></BODY></HTML> Sat, 18 Jul 2009 00:53:22 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254546#M833175 paul 2009-07-18T00:53:22Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254547#M833176 <HTML><HEAD></HEAD><BODY><P>Thank you. What if the users move between 2 different locations which are on VPN? If DHCP server is at both locations I think I can still map their MAC to IPs at both locations. But if the remote location is getting DHCP from the main location on the VPN then this setup will not work right?</P></BODY></HTML> Wed, 22 Jul 2009 16:43:14 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254547#M833176 techtips03 2009-07-22T16:43:14Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254548#M833177 <HTML><HEAD></HEAD><BODY><P>if they move with the machines - you have an issues. The you need to think about proxy cut-thru and a radius server to authenticate users.</P><P></P><P>HTH&gt;</P></BODY></HTML> Wed, 22 Jul 2009 17:22:11 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254548#M833177 andrew.prince 2009-07-22T17:22:11Z https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254549#M833178 <HTML><HEAD></HEAD><BODY><P>Small change on the above. If I dont add udp, I saw dns issues.</P><P></P><P>access-l inside-acl deny tcp host 10.10.10.1 any eq 80 </P><P></P><P>access-l inside-acl permit tcp any any</P><P>access-l inside-acl permit udp any any</P><P>access-g inside-acl in int inside</P></BODY></HTML> Thu, 30 Jul 2009 20:51:36 GMT https://community.cisco.com/t5/network-security/block-internet-access-on-pix/m-p/1254549#M833178 techtips03 2009-07-30T20:51:36Z