https://community.cisco.com/t5/network-security/pix-525-block-http-access-to-certain-subnets/m-p/1222180#M876344 <P>I am having trouble blocking HTTP/HTTPS access to just certain subnets within my network. The following is what I have tried and it doesn't seem to work.</P><P></P><P>access-list acl_insideint permit tcp object-group Servers object-group WebProtocols any</P><P>access-list acl_insideint deny tcp any object-group WebProtocols any</P><P>access-list acl_insideint permit ip any any</P><P></P><P>The Servers group contains the following:</P><P>object-group network Servers</P><P> description All subnets that contain servers</P><P> network-object 172.20.1.0 255.255.255.0</P><P> network-object 172.24.0.0 255.255.0.0</P><P> network-object 172.22.0.0 255.255.0.0</P><P> network-object 172.23.7.0 255.255.255.0</P><P> network-object 172.27.1.0 255.255.255.0</P><P> network-object 172.26.0.0 255.255.0.0</P><P> network-object 172.20.40.0 255.255.255.0</P><P></P><P>The Web Ports group contains just HTTP and HTTPS.</P><P></P><P>I put these rules in and then try to browse with 172.20.45.60 and browsing still works....</P><P></P><P></P> Mon, 11 Mar 2019 14:51:01 GMT tplier 2019-03-11T14:51:01Z https://community.cisco.com/t5/network-security/pix-525-block-http-access-to-certain-subnets/m-p/1222180#M876344 <P>I am having trouble blocking HTTP/HTTPS access to just certain subnets within my network. The following is what I have tried and it doesn't seem to work.</P><P></P><P>access-list acl_insideint permit tcp object-group Servers object-group WebProtocols any</P><P>access-list acl_insideint deny tcp any object-group WebProtocols any</P><P>access-list acl_insideint permit ip any any</P><P></P><P>The Servers group contains the following:</P><P>object-group network Servers</P><P> description All subnets that contain servers</P><P> network-object 172.20.1.0 255.255.255.0</P><P> network-object 172.24.0.0 255.255.0.0</P><P> network-object 172.22.0.0 255.255.0.0</P><P> network-object 172.23.7.0 255.255.255.0</P><P> network-object 172.27.1.0 255.255.255.0</P><P> network-object 172.26.0.0 255.255.0.0</P><P> network-object 172.20.40.0 255.255.255.0</P><P></P><P>The Web Ports group contains just HTTP and HTTPS.</P><P></P><P>I put these rules in and then try to browse with 172.20.45.60 and browsing still works....</P><P></P><P></P> Mon, 11 Mar 2019 14:51:01 GMT https://community.cisco.com/t5/network-security/pix-525-block-http-access-to-certain-subnets/m-p/1222180#M876344 tplier 2019-03-11T14:51:01Z https://community.cisco.com/t5/network-security/pix-525-block-http-access-to-certain-subnets/m-p/1222181#M876348 <HTML><HEAD></HEAD><BODY><P>The 'WebProtocols' group is your service group? If so, you have specified it in the destination address portion of the ACE instead of the destination services portion. I believe the ACL's should read:</P><P></P><P>access-list acl_insideint permit tcp object-group Servers any object-group WebProtocols</P><P>access-list acl_insideint deny tcp any any object-group WebProtocols</P><P></P><P></P><P>I would also strongly recommend removal/revision of the permit ip any any statement at the bottom of the ACL.</P><P></P><P>Hope this helps.</P></BODY></HTML> Mon, 16 Feb 2009 14:10:34 GMT https://community.cisco.com/t5/network-security/pix-525-block-http-access-to-certain-subnets/m-p/1222181#M876348 eddie.mitchell 2009-02-16T14:10:34Z https://community.cisco.com/t5/network-security/pix-525-block-http-access-to-certain-subnets/m-p/1222182#M876350 <HTML><HEAD></HEAD><BODY><P>Thanks for the help!</P><P></P><P>That did it.</P></BODY></HTML> Mon, 16 Feb 2009 14:36:29 GMT https://community.cisco.com/t5/network-security/pix-525-block-http-access-to-certain-subnets/m-p/1222182#M876350 tplier 2009-02-16T14:36:29Z