PIX 501 limit www access

wcotis60
Level 1

I have Cisco 501 PIX and a network of 20 PCs, with T1 access to internet, with static IP address inside the network.

I want to limit certain computers to be able to access only specific internet sites, and allow other PCs unlimited www access.

Example

PC1 - access only www.blue.com, www.red.com and www.white.com

PC2 - unlimited access to www

PC3 - access only www.blue.com, www.red.com and www.white.com

and so on.

How should this be done?

3 Replies

mehrdad
Level 3

The below framework should work in your situation, but please note you must add the entire IP address of each site.

Another way is to use an access list for each user through their profiles; in this case you need an AAA server and the RADIUS protocol.

(config)#object-group network LMT_WWW_SITE

(config-network)# network-object host White_Site_IPAddress

(config-network)# network-object host Blue_Site_IPAddress

(config-network)# network-object host Red_Site_IPAddress

(config)#access-list 101 permit tcp host PC1 object-group LMT_WWW_SITE eq 80

(config)#access-list 101 permit tcp host PC3 object-group LMT_WWW_SITE eq 80

(config)#access-list 101 permit tcp host PC2 any eq 80

(config)#nat (inside) 1 access-list 101

(config)#global (outside) 1 interface

Regards,

Mehrdad Arshad Rad

Security Consultant

Mehrdad@ippacket.org

My config already has:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Will this be affected by the above shown 'nat(inside)' line?

"nat (inside) 1 0 0": it NATs every request from inside without any restriction.
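
A simplified model of the NAT question in this thread, as an added example that is not part of any poster's reply: it evaluates access-list 101 from the reply above and compares the result with and without the existing `nat (inside) 1 0.0.0.0 0.0.0.0 0 0` line. The IP addresses are constructed placeholders, the function names are hypothetical, and the rule that a packet is translated when either nat line matches is an assumption of the model.

```python
# Constructed sample addresses (documentation ranges); none come from the thread.
HOSTS = {"PC1": "192.0.2.11", "PC2": "192.0.2.12", "PC3": "192.0.2.13"}
WHITE, BLUE, RED = "198.51.100.10", "198.51.100.20", "198.51.100.30"
LMT_WWW_SITE = {WHITE, BLUE, RED}      # object-group network LMT_WWW_SITE
OTHER_SITE = "203.0.113.50"            # any web server outside the group

# access-list 101 as posted: (source host, destination set, or None for "any")
ACL_101 = [
    (HOSTS["PC1"], LMT_WWW_SITE),
    (HOSTS["PC3"], LMT_WWW_SITE),
    (HOSTS["PC2"], None),
]


def acl_101_permits(src, dst, dport):
    """True if a permit entry of access-list 101 matches (all entries are tcp eq 80)."""
    if dport != 80:
        return False
    for ace_src, ace_dsts in ACL_101:
        if src == ace_src and (ace_dsts is None or dst in ace_dsts):
            return True
    return False  # implicit deny at the end of the list


def is_translated(src, dst, dport, catch_all_nat):
    """Assumed model: translated if either nat line for pool 1 matches the packet."""
    if acl_101_permits(src, dst, dport):   # nat (inside) 1 access-list 101
        return True
    return catch_all_nat                   # nat (inside) 1 0.0.0.0 0.0.0.0 0 0


def compare(src_name, dst, dport=80):
    """Return (without catch-all, with catch-all) for one flow."""
    src = HOSTS[src_name]
    return (is_translated(src, dst, dport, False),
            is_translated(src, dst, dport, True))


if __name__ == "__main__":
    for name, dst in [("PC1", BLUE), ("PC1", OTHER_SITE),
                      ("PC2", OTHER_SITE), ("PC3", OTHER_SITE)]:
        without, with_all = compare(name, dst)
        print(f"{name} -> {dst}:80  ACL-only nat={without}  with catch-all nat={with_all}")
```

In this model the restriction on PC1 and PC3 holds only when the ACL-based nat line is the sole nat rule; with the catch-all line still present, every flow is translated.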
