10-25-2007 05:59 AM - edited 03-09-2019 07:05 PM
I am very new to Cisco firewalls(got kinda thrown into it) and I had a request come down the pipe to deny access to the internet for a single internal IP address. My firewall is a PIX 515e. I'm guessing it has to do with the access-list but I don't know if I need to create a group and add that one IP to it or really, even how to go about it. Any help would be appreciated.
10-25-2007 09:12 AM
Andrew
From what you have posted it is difficult to find how the various access lists are applied (how they are being used). But it does seem that you will need another access list. What you want might look something like this:
access-list inside_access_out deny ip host <host-ip> any
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside
HTH
Rick
10-25-2007 08:27 AM
Andrew
Yes if you want to deny access for a particular host then you need an access list. If there is an existing access list used for the inside interface you would add another entry to the list which would deny access for that specific host. If there is not an access list used for the inside interface then you would need to create an access list. The first statement in the access list would deny the specific host to 0.0.0.0 and the second statement in the access list would be permit any any. You would then use the access-group statement to assign the access list to the inside interface.
HTH
Rick
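The two answers above rest on one point: a PIX access list is evaluated top to bottom and the first matching entry decides, with an implicit deny after the last line, which is why the host-specific deny has to sit above the permit any any. The following script is an added example, not part of the thread or any Cisco software: it parses access-list lines in the syntax Rick shows (the host address 192.168.1.50 and the destination 203.0.113.10 are constructed for the example), evaluates packets against them with first-match semantics, keeps a per-entry hit counter of the kind show access-list reports, and demonstrates that the same two lines in the reverse order never block the host.

```python
"""First-match evaluation of a PIX-style access list (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample config; the host address is made up for the example.
SAMPLE_CONFIG = """
access-list inside_access_out deny ip host 192.168.1.50 any
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside
"""


@dataclass
class Ace:
    """One access control entry, i.e. one access-list line."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int = 0                  # hit counter, as 'show access-list' displays


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX syntax puts a subnet mask (not a wildcard mask) after the address.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Return {acl_name: [Ace, ...]} from access-list lines, in config order."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # access-group and other lines are not ACEs
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return acls


def evaluate(aces, proto, src_ip, dst_ip):
    """First matching entry decides; no match at all is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue  # 'ip' matches every protocol; others must match exactly
        if s in ace.src and d in ace.dst:
            ace.hits += 1
            return ace.action
    return "deny"


def hit_counts(aces):
    """Per-entry hit counts, in list order."""
    return [ace.hits for ace in aces]


if __name__ == "__main__":
    acl = parse_acls(SAMPLE_CONFIG)["inside_access_out"]
    print("blocked host ->", evaluate(acl, "tcp", "192.168.1.50", "203.0.113.10"))
    print("other host   ->", evaluate(acl, "tcp", "192.168.1.51", "203.0.113.10"))
    print("hits:", hit_counts(acl))
    # The same two lines in the wrong order: permit ip any any matches first,
    # so the deny entry below it is never reached.
    wrong = list(reversed(parse_acls(SAMPLE_CONFIG)["inside_access_out"]))
    print("reversed order ->", evaluate(wrong, "tcp", "192.168.1.50", "203.0.113.10"))
```

On the real firewall the same check is show access-list inside_access_out after the host tries to browse: the deny line's hit count should increase while the permit line's count stays flat for that host.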
10-25-2007 09:03 AM
There are access lists setup(included partial config). All access lists are shown in the config with the important stuff omitted. The situation is basically:
Said employee has lost all internet/e-mail privileges for now. I disabled their access to the e-mail so that it comes directly to me now for monitoring purposes. As far as internet access goes, I disabled it locally. I knew there should be a nice simple way to disable through the firewall without having to go to the other end of the office building. Being new to the whole CLI with cisco routers, I'm still learning the language.
I understand what you said and it sounds simple enough. What I'm not sure about is how to actually create the list if necessary. Judging by the partial config that I've included it looks to me like I'll need to create a new one.
This is not an urgent matter at this point but I'm guessing something like this could very likely come up again. Please let me know if you need the entire terminal config.
10-25-2007 11:23 AM
Thank you very much indeed. That is exactly what I needed. Implemented, tested and verified.
10-25-2007 11:42 AM
Andrew
I am glad that my suggestion was what you needed. Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can know that they will read a response that resolved the issue.
I encourage you to continue your participation in the forum.
HTH
Rick