Allowing internet access only for specific computers on PIX firewall

nickam989
Level 1

Hello, I'm a college student working on a lab involving a Cisco PIX 501 Firewall.

My project involves 1 computer and a firewall. My goal is to use the firewall to allow access to the internet for that computer which uses a static IP 192.168.1.5 and ONLY for that IP address. The firewall is connected to the internet.

I have the computer hooked up to the firewall with the serial cable and am using HyperTerminal to enter commands. I think I need to use access lists in order to deny traffic on those ports for those particular hosts. I can't figure out exactly how I need to set it up.

What I need to do is permit internet access for 192.168.1.5 alone. Any other IP should not be able to access the internet.

I tried:

access-list 1 permit tcp host 192.168.1.5 any eq 80

access-group 1 in interface inside

I cannot access the internet using the computer with 192.168.1.5. The goal is to be able to access with that IP and no other. Sorry again for getting the question wrong the first time.


Julio Carvajal
VIP Alumni

Hello Nick,

Are you sure you are browsing to an http site instead of an https site?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the answer, but I actually just realized I had the problem wrong.

What I need to do is permit internet access for 192.168.1.5 alone. Any other IP should not be able to access the internet.

I tried:

access-list 1 permit tcp host 192.168.1.5 any eq 80

access-group 1 in interface inside

I cannot access the internet using the computer with 192.168.1.5. The goal is to be able to access with that IP and no other. Sorry again for getting the question wrong the first time. And I am accessing an http, not https. Thanks.

Hello,

lol, now everything makes sense!

You need to add the following:

access-list 1 permit tcp host 192.168.1.5 any eq 443

access-list 1 permit udp host 192.168.1.5 any eq 53

Rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Let me know if you need something else!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Nick,

If your DNS server lies outside of the ASA (4.2.2.1 for example), you will have to also allow DNS outbound. Are you browsing via IP Address or FQDN?

Hi Clayton,

On the ACL I have configured we already allow DNS as shown here:

access-list 1 permit udp host 192.168.1.5 any eq 53

Regards,

Rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
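The following is an added example, not code from this thread or from Cisco, that simulates how a PIX evaluates an access-list applied with access-group on the inside interface: entries are checked in order, the first match decides, and a flow matching no entry hits the implicit deny at the end of every ACL. Run against constructed sample flows (the 203.0.113.0/24 addresses are documentation-range placeholders) it shows why Nick's original one-line ACL permitted only plain HTTP from 192.168.1.5 and silently dropped that host's DNS and HTTPS traffic, why Julio's two extra lines for 443 and 53 restore browsing, and why the DNS point Clayton raises matters whenever the resolver sits on the outside. The parser only understands the subset of syntax used in the thread (host/any addresses and an optional eq port, numeric or the common service names), which is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict

# PIX accepts well-known service names in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


@dataclass(frozen=True)
class Ace:
    """One access-list entry (ACE)."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # host address or "any"
    dst: str               # host address or "any"
    dport: Optional[int]   # destination port, None = any


@dataclass(frozen=True)
class Flow:
    """A connection attempt arriving inbound on the inside interface."""
    proto: str
    src: str
    dst: str
    dport: int


def parse_ace(line: str) -> Ace:
    """Parse the subset of PIX syntax used in the thread (assumption):
    access-list <id> permit|deny <proto> host <a>|any host <b>|any [eq <port>]"""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = toks[2], toks[3]
    pos = 4

    def address() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError("unsupported address form: " + toks[pos])

    src = address()
    dst = address()
    dport = None
    if pos < len(toks) and toks[pos] == "eq":
        port = toks[pos + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(action, proto, src, dst, dport)


def matches(ace: Ace, flow: Flow) -> bool:
    """An ACE matches when protocol, both addresses and the port all agree."""
    return ((ace.proto == "ip" or ace.proto == flow.proto)
            and ace.src in ("any", flow.src)
            and ace.dst in ("any", flow.dst)
            and ace.dport in (None, flow.dport))


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching ACE wins; no match means the implicit deny applies."""
    for ace in acl:
        if matches(ace, flow):
            return ace.action
    return "deny"


# Constructed sample traffic: the permitted host resolving a name, then
# fetching over HTTP and HTTPS, plus a second inside host that must stay blocked.
FLOWS: Dict[str, Flow] = {
    "dns_from_allowed_host":   Flow("udp", "192.168.1.5", "203.0.113.53", 53),
    "http_from_allowed_host":  Flow("tcp", "192.168.1.5", "203.0.113.10", 80),
    "https_from_allowed_host": Flow("tcp", "192.168.1.5", "203.0.113.10", 443),
    "http_from_other_host":    Flow("tcp", "192.168.1.7", "203.0.113.10", 80),
}

# The ACL as first posted, and the ACL with the two lines from the answer.
ORIGINAL_ACL = [
    "access-list 1 permit tcp host 192.168.1.5 any eq 80",
]
FIXED_ACL = ORIGINAL_ACL + [
    "access-list 1 permit tcp host 192.168.1.5 any eq 443",
    "access-list 1 permit udp host 192.168.1.5 any eq 53",
]


def check_browsing(acl_lines: List[str]) -> Dict[str, str]:
    """Return the permit/deny verdict for each sample flow under the given ACL."""
    acl = [parse_ace(line) for line in acl_lines]
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, lines in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label)
        for name, verdict in check_browsing(lines).items():
            print(f"  {name:<24} {verdict}")
```

Under the original ACL only http_from_allowed_host is permitted, so a browser that first has to resolve a hostname never gets past the DNS lookup; under the fixed ACL every flow from 192.168.1.5 is permitted while the other inside host is still denied by the implicit deny, which is the behaviour the thread is after.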