06-04-2007 08:30 AM - edited 03-11-2019 03:24 AM
I am going to be adding a second network (wireless) that needs to be isolated from the primary network except for one server (www). Currently the wireless is on a second VLAN, that while permitting internet access does not of course allow access to the web server on the main LAN.
What I would like to do is use a PIX506 to place in between the two networks, and allow the wireless network internet access as well as access to this one specific web server, ideally just the http only.
So I am thinking I would need to create inbound and outbound ACLs. So therefore I would need to make an ACL deny the 192.168.1.0 network, while allowing www access to 192.168.1.4.
Basically wireless clients need to access the internet, and this webserver, but NOT see anything else on the main network.
06-04-2007 08:53 AM
Something like this?
access-list inside permit tcp any host 192.168.1.4 eq www
access-list inside deny ip any 192.168.1.0 255.255.255.0
access-list inside permit ip any any
access-group inside in interface inside
06-04-2007 08:57 AM
Hi
Assuming the wireless LAN is 192.168.2.0/24, you would need the following:
access-list restrict permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.4 eq www
access-list restrict deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list restrict permit ip 192.168.2.0 255.255.255.0 any
Apply this on the interface connected to the 192.168.2.0 network, i.e. the wireless network, in an inbound direction.
HTH
Jon
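As an added illustration (not part of this thread, and not Cisco's or Jon's code), the following Python evaluator walks a PIX-style access list the way the firewall does: first match wins, and an unmatched packet hits the implicit deny at the end. It parses the three-line ACL from the answer above (with the deny line written as source network then destination network), checks it against a few constructed flows from a wireless host 192.168.2.10, and also shows what happens when the deny is placed ahead of the permit. The host addresses, the LAN host 192.168.1.20 and the internet address 203.0.113.5 are constructed sample values; the evaluator only understands the keywords used in this thread (any, host, NET MASK, eq).

```python
import ipaddress

# Constructed example input: the ACL from the answer above, with the deny
# line written in valid PIX form (source network, then destination network).
ACL_TEXT = """
access-list restrict permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.4 eq www
access-list restrict deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list restrict permit ip 192.168.2.0 255.255.255.0 any
"""

# Port names the PIX accepts after "eq" (small subset, enough for this thread).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}


def parse_addr(tokens, i):
    """Parse one PIX address spec starting at tokens[i].
    Handles 'any', 'host X' and 'NET MASK' (PIX uses a real subnet mask,
    not an IOS wildcard mask). Returns (network, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines into dicts."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # skip blank or unrelated lines
        name, action, proto = t[1], t[2], t[3]
        src, i = parse_addr(t, 4)
        dst, i = parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        entries.append({"name": name, "action": action, "proto": proto,
                        "src": src, "dst": dst, "dport": dport})
    return entries


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation with the implicit deny the PIX appends."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue  # 'ip' matches every protocol; anything else must match exactly
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue  # 'eq www' only matches destination port 80
        return e["action"]
    return "deny"  # implicit deny at the end of every access list


def check_policy(acl):
    """Run the flows the original poster cares about through the ACL."""
    cases = {  # constructed sample flows from a wireless client 192.168.2.10
        "wireless -> web server http": ("tcp", "192.168.2.10", "192.168.1.4", 80),
        "wireless -> web server https": ("tcp", "192.168.2.10", "192.168.1.4", 443),
        "wireless -> other LAN host ssh": ("tcp", "192.168.2.10", "192.168.1.20", 22),
        "wireless -> LAN host icmp": ("icmp", "192.168.2.10", "192.168.1.20", None),
        "wireless -> internet http": ("tcp", "192.168.2.10", "203.0.113.5", 80),
    }
    return {k: evaluate(acl, *v) for k, v in cases.items()}


def misordered_acl():
    """Same three lines with the deny moved in front of the permit: because
    the first match wins, the web server is now unreachable from wireless."""
    acl = parse_acl(ACL_TEXT)
    return [acl[1], acl[0], acl[2]]


if __name__ == "__main__":
    for flow, verdict in check_policy(parse_acl(ACL_TEXT)).items():
        print(f"{flow:32s} {verdict}")
    bad = evaluate(misordered_acl(), "tcp", "192.168.2.10", "192.168.1.4", 80)
    print(f"web server with deny listed first:  {bad}")
```

Running it shows only HTTP to 192.168.1.4 and traffic to the internet permitted, with HTTPS to the web server, SSH and ICMP to any other LAN host denied; swapping the first two lines denies the web server too, which is why the specific permit has to come before the broader deny.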