02-16-2009 05:25 AM - edited 03-11-2019 07:51 AM
I am having trouble blocking HTTP/HTTPS access to just certain subnets within my network. The following is what I have tried and it doesn't seem to work.
access-list acl_insideint permit tcp object-group Servers object-group WebProtocols any
access-list acl_insideint deny tcp any object-group WebProtocols any
access-list acl_insideint permit ip any any
The Servers group contains the following:
object-group network Servers
description All subnets that contain servers
network-object 172.20.1.0 255.255.255.0
network-object 172.24.0.0 255.255.0.0
network-object 172.22.0.0 255.255.0.0
network-object 172.23.7.0 255.255.255.0
network-object 172.27.1.0 255.255.255.0
network-object 172.26.0.0 255.255.0.0
network-object 172.20.40.0 255.255.255.0
The Web Ports group contains just HTTP and HTTPS.
I put these rules in and then try to browse with 172.20.45.60 and browsing still works...
02-16-2009 06:10 AM
The 'WebProtocols' group is your service group? If so, you have specified it in the destination address portion of the ACE instead of the destination services portion. I believe the ACLs should read:
access-list acl_insideint permit tcp object-group Servers any object-group WebProtocols
access-list acl_insideint deny tcp any any object-group WebProtocols
I would also strongly recommend removal/revision of the permit ip any any statement at the bottom of the ACL.
Hope this helps.
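An added illustration, not code from the thread or from Cisco: a toy first-match evaluator for ASA-style extended ACLs that runs the poster's original ACL and the corrected one against the same browser flow. It assumes the WebProtocols group is a tcp service group defined with `port-object eq www` and `port-object eq https` (the thread only says it holds HTTP and HTTPS; that definition is constructed here), and it models the ambiguous `object-group` token that follows an address by the group's type: a network group is read as the next address, a service group as a port argument. Under that model the original lines put the web ports in the source-port slot, so a browser's ephemeral source port never matches the deny and the trailing `permit ip any any` lets the flow through, which is the behaviour the poster observed.

```python
"""Toy first-match evaluator for ASA-style extended ACLs (added example).

Handles IPv4 network-objects, 'port-object eq <port>' service groups and
ACEs of the form: access-list NAME [extended] permit|deny PROTO SRC [SPORT] DST [DPORT].
"""
import ipaddress

# Constructed sample config: the Servers group from the thread plus an ASSUMED
# definition of WebProtocols (the thread does not show it).
OBJECT_GROUPS = """
object-group network Servers
 description All subnets that contain servers
 network-object 172.20.1.0 255.255.255.0
 network-object 172.24.0.0 255.255.0.0
 network-object 172.22.0.0 255.255.0.0
 network-object 172.23.7.0 255.255.255.0
 network-object 172.27.1.0 255.255.255.0
 network-object 172.26.0.0 255.255.0.0
 network-object 172.20.40.0 255.255.255.0
object-group service WebProtocols tcp
 port-object eq www
 port-object eq https
"""
ORIGINAL_ACL = """
access-list acl_insideint permit tcp object-group Servers object-group WebProtocols any
access-list acl_insideint deny tcp any object-group WebProtocols any
access-list acl_insideint permit ip any any
"""
CORRECTED_ACL = """
access-list acl_insideint permit tcp object-group Servers any object-group WebProtocols
access-list acl_insideint deny tcp any any object-group WebProtocols
access-list acl_insideint permit ip any any
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_object_groups(text):
    """Return {name: ("network", [IPv4Network, ...]) | ("service", {port, ...})}."""
    groups, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "object-group":
            current = (tok[1], [] if tok[1] == "network" else set())
            groups[tok[2]] = current
        elif tok[0] == "network-object":
            current[1].append(ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "port-object" and tok[1] == "eq":
            current[1].add(_port(tok[2]))
        # 'description' and unsupported keywords are ignored
    return groups


def _take_address(tok, i, groups):
    """Consume one address argument at tok[i]; return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        net = ipaddress.IPv4Network(tok[i + 1])
        return (lambda ip, n=net: ip in n), i + 2
    if tok[i] == "object-group":
        kind, nets = groups[tok[i + 1]]
        if kind != "network":
            raise ValueError(f"service group {tok[i + 1]} used as an address")
        return (lambda ip, ns=nets: any(ip in n for n in ns)), i + 2
    net = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")
    return (lambda ip, n=net: ip in n), i + 2


def _take_port(tok, i, groups):
    """Consume an optional port argument; a service group here is read as ports."""
    if i < len(tok) and tok[i] == "eq":
        return (lambda port, p=_port(tok[i + 1]): port == p), i + 2
    if i < len(tok) and tok[i] == "object-group" and groups[tok[i + 1]][0] == "service":
        return (lambda port, ps=groups[tok[i + 1]][1]: port in ps), i + 2
    return (lambda port: True), i


def parse_acl(text, groups):
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        i = 3 if tok[2] == "extended" else 2
        action, proto = tok[i], tok[i + 1]
        src, i = _take_address(tok, i + 2, groups)
        sport, i = _take_port(tok, i, groups)
        dst, i = _take_address(tok, i, groups)
        dport, i = _take_port(tok, i, groups)
        aces.append((line.strip(), action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching ACE decides; nothing matching means the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for text, action, p, src, sport, dst, dport in aces:
        if p in ("ip", proto) and src(s) and sport(src_port) and dst(d) and dport(dst_port):
            return action, text
    return "deny", "implicit deny"


def decide(acl_text, src_ip, dst_port, src_port=51234, dst_ip="198.51.100.10"):
    """Decision for a tcp flow from src_ip (ephemeral source port) to dst_port."""
    aces = parse_acl(acl_text, parse_object_groups(OBJECT_GROUPS))
    return evaluate(aces, "tcp", src_ip, src_port, dst_ip, dst_port)[0]


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(label, "non-server 172.20.45.60 -> https:", decide(acl, "172.20.45.60", 443))
        print(label, "server 172.20.40.5 -> https:", decide(acl, "172.20.40.5", 443))
```

Running it shows the non-server host permitted by the original ACL (only the final `permit ip any any` matches) and denied by the corrected one, while a host inside the Servers group and non-web traffic from the non-server host are still permitted. Dropping the last line of `CORRECTED_ACL` makes `decide()` fall through to the implicit deny for anything not explicitly permitted, which is the effect of the recommendation above about the `permit ip any any` statement.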
02-16-2009 06:36 AM
Thanks for the help!
That did it.