Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1869
Views
10
Helpful
6
Replies

Allowing internet access only for specific computers on PIX firewall

nickam989
Level 1
Level 1

‎01-09-2012 11:15 AM - edited ‎03-11-2019 03:12 PM

Hello, I'm a college student working on a lab involving a Cisco PIX 501 Firewall.

My project involves 1 computer and a firewall. My goal is to use the firewall to allow access to the internet for that computer which uses a static IP 192.168.1.5 and ONLY for that IP address. The firewall is connected to the internet.

I have the computer hooked up to the firewall with the serial and using hyper terminal to enter commands. I think I need to use access lists in order to deny traffic on those ports for those particular hosts. I can't figure out exactly how I need to set it up.

What I need to do is permit internet access for 192.168.1.5 alone. Any other IP should not be able to access the internet.

I tried:

access-list 1 permit tcp host 192.168.1.5 any eq 80

access-group 1 in interface inside

I cannot access the internet using the computer with 192.168.1.5. The goal is to be able to access with that IP and no other. Sorry again for getting the question wrong the first time.

Labels:
0 Helpful
6 Replies 6

Julio Carvajal
VIP Alumni
VIP Alumni

‎01-09-2012 11:39 AM

Hello Nick,

Are you sure you are browsing to a http site instead of an https site?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nickam989
Level 1
Level 1
In response to Julio Carvajal

‎01-09-2012 12:00 PM

Thanks for the answer, but I actually just realized I had the problem wrong.

What I need to do is permit internet access for 192.168.1.5 alone. Any other IP should not be able to access the internet.

I tried:

access-list 1 permit tcp host 192.168.1.5 any eq 80

access-group 1 in interface inside

I cannot access the internet using the computer with 192.168.1.5. The goal is to be able to access with that IP and no other. Sorry again for getting the question wrong the first time. And I am accessing an http, not https. Thanks.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to nickam989

‎01-09-2012 12:03 PM

Hello,

lol, now everything makes sense!

You need to add the following:

access-list 1 permit tcp host 192.168.1.5 any eq 443

access-list 1 permit udp host 192.168.1.5 any eq 53

Rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal
VIP Alumni
VIP Alumni
In response to nickam989

‎01-09-2012 12:20 PM

Let me know if you need something else!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

clayton.buckwalter
Level 1
Level 1
In response to nickam989

‎01-10-2012 12:41 PM

Nick,

If your DNS server lies outside of the ASA (4.2.2.1 for example), you will have to also allow DNS outbound.  Are you browsing via IP Address or FQDN?

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to clayton.buckwalter

‎01-10-2012 03:23 PM

Hi Clayton,

On the ACL I have configured we already allow DNS as shown here :

access-list 1 permit udp host 192.168.1.5 any eq 53

Regards,

Rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card