01-09-2012 11:15 AM - edited 03-11-2019 03:12 PM
Hello, I'm a college student working on a lab involving a Cisco PIX 501 Firewall.
My project involves 1 computer and a firewall. My goal is to use the firewall to allow access to the internet for that computer which uses a static IP 192.168.1.5 and ONLY for that IP address. The firewall is connected to the internet.
I have the computer hooked up to the firewall with the serial cable and am using HyperTerminal to enter commands. I think I need to use access lists in order to deny traffic on those ports for those particular hosts. I can't figure out exactly how I need to set it up.
What I need to do is permit internet access for 192.168.1.5 alone. Any other IP should not be able to access the internet.
I tried:
access-list 1 permit tcp host 192.168.1.5 any eq 80
access-group 1 in interface inside
I cannot access the internet using the computer with 192.168.1.5. The goal is to be able to access with that IP and no other. Sorry again for getting the question wrong the first time.
01-09-2012 11:39 AM
Hello Nick,
Are you sure you are browsing to a http site instead of an https site?
Regards,
Julio
01-09-2012 12:00 PM
Thanks for the answer, but I actually just realized I had the problem wrong.
What I need to do is permit internet access for 192.168.1.5 alone. Any other IP should not be able to access the internet.
I tried:
access-list 1 permit tcp host 192.168.1.5 any eq 80
access-group 1 in interface inside
I cannot access the internet using the computer with 192.168.1.5. The goal is to be able to access with that IP and no other. Sorry again for getting the question wrong the first time. And I am accessing an http, not https. Thanks.
01-09-2012 12:03 PM
Hello,
lol, now everything makes sense!
You need to add the following:
access-list 1 permit tcp host 192.168.1.5 any eq 443
access-list 1 permit udp host 192.168.1.5 any eq 53
Rate helpful posts
Julio
01-09-2012 12:20 PM
Let me know if you need something else!
01-10-2012 12:41 PM
Nick,
If your DNS server lies outside of the ASA (4.2.2.1 for example), you will have to also allow DNS outbound. Are you browsing via IP Address or FQDN?
01-10-2012 03:23 PM
Hi Clayton,
On the ACL I have configured we already allow DNS, as shown here:
access-list 1 permit udp host 192.168.1.5 any eq 53
Regards,
Rate helpful posts
Julio
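To make the behaviour discussed in this thread concrete (Julio's three permit lines, and Clayton's point that DNS to an outside server such as 4.2.2.1 must also be allowed), here is a small PIX-style ACL evaluator. This is an added example, not code from the thread or from Cisco: it parses `access-list` lines in the syntax used above and applies first-match evaluation with the implicit deny that a PIX appends to every access list, so you can see why only 192.168.1.5 gets out and why a missing UDP 53 entry breaks browsing by name. The ACL text and the sample packets are constructed; the destination addresses other than 4.2.2.1 are placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed ACL: the three lines from the thread, applied inbound on the
# inside interface. A PIX adds an implicit "deny ip any any" after them.
ACL_TEXT = """
access-list 1 permit tcp host 192.168.1.5 any eq 80
access-list 1 permit tcp host 192.168.1.5 any eq 443
access-list 1 permit udp host 192.168.1.5 any eq 53
"""

# A few port keywords the PIX CLI accepts in place of numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    """One access control entry (one access-list line)."""
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists use a normal subnet mask here, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Turn access-list lines into ACEs in the order they were entered."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # skip remarks and anything that is not an ACE
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            word = t[i + 1]
            dport = PORT_NAMES.get(word, int(word) if word.isdigit() else None)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE decides; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every PIX access list


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # DNS lookup from the allowed host to the outside resolver named in the thread
    print(evaluate(acl, "udp", "192.168.1.5", "4.2.2.1", 53))          # permit
    # HTTP from the allowed host (203.0.113.10 is a placeholder web server)
    print(evaluate(acl, "tcp", "192.168.1.5", "203.0.113.10", 80))     # permit
    # The same HTTP request from any other inside host hits the implicit deny
    print(evaluate(acl, "tcp", "192.168.1.6", "203.0.113.10", 80))     # deny
```

Note that ACL 1 restricts outbound traffic only; the return traffic for these permitted flows is handled by the PIX's stateful inspection, which is why only the client-to-server direction needs to be listed. If the UDP 53 line were removed, the first lookup in the script above would return `deny` and browsing by hostname would fail even though port 80 is open.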