Restricting LAN Internet Acess

Concrete_
Level 1

Hi There,

My set up is basically

internet-router-PIX-router-switch

off the switch I have multiple LANs

of which I only want one segment to be able to get out totally unrestricted.

With the basic implied rule I can get out to the internet fine and dandy. But when I try to restrict it to one LAN I lose my ability to surf.

The ACL I am trying to use is:

access-list INSIDE permit ip 10.9.11.0 255.255.255.0 any

access-group INSIDE in interface inside

I would think this would allow the LAN out, but I am no longer able to surf once it's applied. I am new to the PIX, so I am sure it is something simple I am missing.

Thanks

Concrete

4 Replies

Jon Marshall
Hall of Fame

Hi

Could you clarify? Are you saying that users on the 10.9.11.0/24 network can no longer access the internet, or is it the users on other LANs?

Remember that there is an implicit deny at the end of any access-list, so the access-list you have applied will allow 10.9.11.0/24 users unrestricted access out but will deny any other users getting out at all.

HTH

Hi sorry

The problem is that when I add the rule above, I lose all access from my 10.9.11.0/24 network. I was expecting to lose access in other subnets, but I don't know why 10.9.3.11 loses it too. From what I understand, the rule should allow 10.9.11.0/24 to do what it wants.

Thanks Concrete

10.9.3.11 would not be included in 10.9.11.0/24... maybe a typo on your part.

Yah sorry, it was a typo. Anywho, I figured it out. It took a while to clue in that the internal DNS wasn't going to be able to get out with the new rule, so I just had to allow access out for it as well.

Thanks for all your help

Concrete
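For readers landing on this thread with the same symptom, here is what the finished access-list looks like once the internal DNS server is taken into account. This is an added example, not the poster's configuration: it assumes PIX 6.x syntax and a hypothetical internal DNS server at 10.9.3.10 (an address chosen for illustration, not taken from the thread).

```cisco
! Added example, not the poster's configuration. Assumes PIX 6.x syntax and
! a hypothetical internal DNS server at 10.9.3.10 on a segment that is NOT
! supposed to have general internet access.
!
! Entries are evaluated top-down, first match wins; anything that matches no
! entry is dropped by the implicit deny at the end of the list.

! 1. The one LAN segment that may leave unrestricted.
access-list INSIDE permit ip 10.9.11.0 255.255.255.0 any

! 2. The internal DNS server lives on a different segment but must still
!    reach external resolvers, otherwise clients on 10.9.11.0/24 cannot
!    resolve names even though their own traffic is permitted.
!    "domain" is the PIX keyword for port 53.
access-list INSIDE permit udp host 10.9.3.10 any eq domain
access-list INSIDE permit tcp host 10.9.3.10 any eq domain

! 3. Optional explicit deny so dropped traffic shows up in the hit counters
!    of "show access-list" instead of vanishing into the implicit deny.
access-list INSIDE deny ip any any

! Apply the list inbound on the inside interface.
access-group INSIDE in interface inside
```

After applying it, `show access-list INSIDE` shows a hit count per entry; a climbing count on the final deny line with a source address you did not expect (a proxy, NTP or mail relay on another segment, for instance) points at the next service that needs its own narrow permit rather than a broad one.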
