01-19-2007 08:39 AM - edited 03-11-2019 02:22 AM
Hi There,
My setup is basically
internet-router-PIX-router-switch
off the switch I have multiple LANS
of which I only want one segment to be able to get out totally unrestricted.
With the basic implied rule I can get out to the internet fine and dandy. But when I try to restrict it to one LAN I lose my ability to surf.
The ACL I am trying to use is.
access-list INSIDE permit ip 10.9.11.0 255.255.255.0 any
access-group INSIDE in interface inside
I would think this would allow the LAN out, but I am no longer able to surf once it's applied. I am new to the PIX, so I am sure it is something simple I am missing.
Thanks
Concrete
01-19-2007 09:21 AM
Hi
Could you clarify? Are you saying that users on the 10.9.11.0/24 network can no longer access the internet, or is it the users on other LANs?
Remember that there is an implicit deny on the end of any access-list so that access-list you have applied will allow 10.9.11.0/24 users unrestricted access out but will deny any other users getting out at all.
HTH
01-19-2007 10:03 AM
Hi sorry
The problem is that when I add the rule above, I lose all access from my 10.9.11.0/24 network. I was expecting to lose access in other subnets, but I don't know why 10.9.3.11 loses it too. From what I understand, the rule should allow 10.9.11.0/24 to do what it wants.
Thanks Concrete
01-19-2007 10:54 AM
10.9.3.11 would not be included in 10.9.11.0/24...maybe a typo on your part
01-19-2007 11:22 AM
Yah sorry, it was a typo. Anywho, I figured it out; it took a while to clue in that the internal DNS wasn't going to be able to get out with the new rule. So I just had to allow access out for it as well.
Thanks for all your help
Concrete
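The two points this thread turns on are the implicit deny at the end of every access-list (second post) and the internal DNS server being caught by it (final post). The following is an added example, not configuration or code from the thread: a small first-match evaluator that parses PIX-style access-list lines and runs constructed flows through the original ACL and through a corrected one. The DNS server address 10.9.1.53, the extra `permit udp ... eq 53` entry and all flow addresses are assumptions for illustration; the evaluator ignores NAT, stateful inspection and return traffic, and only models the inbound-on-inside ACL decision.

```python
from ipaddress import ip_address, ip_network


def _parse_addr(parts, idx):
    """Parse one PIX address spec ('any', 'host X', or 'X MASK') starting at parts[idx]."""
    tok = parts[idx]
    if tok == "any":
        return ip_network("0.0.0.0/0"), idx + 1
    if tok == "host":
        return ip_network(parts[idx + 1] + "/32"), idx + 2
    # PIX uses a dotted-decimal mask, e.g. "10.9.11.0 255.255.255.0"
    return ip_network(f"{tok}/{parts[idx + 1]}", strict=False), idx + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    parts = line.split()
    if parts[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = parts[2], parts[3]
    src, idx = _parse_addr(parts, 4)
    dst, idx = _parse_addr(parts, idx)
    dport = None
    if idx < len(parts) and parts[idx] == "eq":
        dport = int(parts[idx + 1])
    return {"line": line, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl, src, dst, proto, dport):
    """First-match evaluation; anything unmatched falls to the implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if ip_address(src) not in ace["src"] or ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", "<implicit deny at end of access-list>"


# The ACL from the thread, as applied inbound on the inside interface.
ORIGINAL_ACL = [parse_ace("access-list INSIDE permit ip 10.9.11.0 255.255.255.0 any")]

# Constructed fix: the internal DNS server (10.9.1.53 is a placeholder, not an
# address from the thread) additionally needs outbound UDP/53 for its own lookups.
FIXED_ACL = ORIGINAL_ACL + [
    parse_ace("access-list INSIDE permit udp host 10.9.1.53 any eq 53"),
]

# Constructed flows: a web client on the permitted LAN, the DNS server's
# recursive query, and a host on a LAN that is meant to stay blocked.
FLOWS = {
    "client_web":  ("10.9.11.50", "203.0.113.10", "tcp", 80),
    "dns_forward": ("10.9.1.53",  "198.51.100.1", "udp", 53),
    "other_lan":   ("10.9.12.20", "203.0.113.10", "tcp", 80),
}


def simulate(acl):
    """Return {flow_name: action} for every constructed flow."""
    return {name: evaluate(acl, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label)
        for name, flow in FLOWS.items():
            action, matched = evaluate(acl, *flow)
            print(f"  {name:12s} {action:6s} <- {matched}")
```

Under the original ACL the web client is permitted but the DNS server's outbound query hits the implicit deny, so clients on 10.9.11.0/24 that resolve names through that server cannot browse even though their own traffic is allowed. The corrected ACL keeps the other LAN blocked and opens only what the resolver needs.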