10-06-2005 07:05 AM - edited 02-21-2020 12:26 AM
I need to deny all Internet access to certain hosts at various locations. We are using PIX 501 and 506 firewalls to create a full VPN mesh between offices. How do I configure access-lists to deny Internet access to only a select number of hosts?
10-06-2005 07:37 AM
Configure an access-list on the inside interface and start by denying the host that you want to block; after that, add the hosts and protocols that should be able to connect to the Internet.
example:
access-list Internet deny ip host 192.168.1.10 any
access-list Internet deny tcp host 192.168.1.10 any eq 80
access-list Internet permit ip host 192.168.1.20 any
...
Give me a more detailed example!!
You could also work with object groups to be more specific and group multiple UDP or TCP ports together.
example:
object-group service Web tcp
port-object eq 80
port-object eq 443
port-object eq 21
access-list internet permit tcp host 10.2.1.10 any object-group Web
access-list internet deny tcp 10.2.1.0 255.255.255.0 any object-group Web
access-list internet permit ip any any
sincerely
Patrick
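A fuller configuration for the original question, added here as an example that is not part of Patrick's answer. It assumes a local LAN of 10.2.1.0/24, two remote office LANs of 10.3.1.0/24 and 10.4.1.0/24 reached over the VPN mesh, blocked hosts 10.2.1.10 and 10.2.1.11, and an ACL named inside_out; all of these are assumptions. The point it adds is that an access-list applied to the inside interface is evaluated first-match and also sees traffic bound for the other offices before it is encrypted, so the VPN subnets must be permitted ahead of the deny lines or the blocked hosts lose the mesh along with the Internet.

```cisco
access-list inside_out remark Added example, not from the original thread; addresses and ACL name are assumptions
access-list inside_out remark Keep the VPN mesh working for every host, including the blocked ones
access-list inside_out permit ip 10.2.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list inside_out permit ip 10.2.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list inside_out remark Hosts that get no Internet access at all
access-list inside_out deny ip host 10.2.1.10 any
access-list inside_out deny ip host 10.2.1.11 any
access-list inside_out remark Everyone else on the LAN may reach the Internet; the implicit deny at the end catches the rest
access-list inside_out permit ip 10.2.1.0 255.255.255.0 any
access-group inside_out in interface inside
```

After applying it, `show access-list inside_out` reports a hit count per line, so a connection attempt from 10.2.1.10 should increment its deny line while the VPN permit lines keep counting for the same host.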
10-06-2005 10:39 AM
I knew basic access-list configs on a Cisco router, but I was unsure how to apply them to a PIX. The deny/permit port 80 will do for now, but I can use the object-group config in the future.
Thank you for the help.