391 Views | 5 Helpful | 4 Replies

Internet Access - Urgent

ciscobuddy
Level 1

Hi Guys,

I want to restrict Internet access for one of the VLANs on my PIX-520 firewall. My VLAN subnet is 192.168.4.0/24.

Please tell me the command for the above.

Thanks & Regards,

Ciscobuddy

4 Replies

sachinraja
Level 9

Hi ciscobuddy,

Do not do NAT for 192.168.4.0/24; this will stop the Internet access for that segment. Just see if this network is added in the following statements:

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 192.168.4.0 255.255.255.0

Remove the second statement and browsing will not happen for 4.0/24.

Hope this helps.

Raj

Hi Raj,

Thanks for your reply, and sorry for the incomplete info from my side. Actually, for the 192.168.4.0/24 subnet, Internet access is through a proxy, and I have MS Proxy. And I have created a VLAN for all the process. So I think I have to restrict the Internet access through the PIX, or I have to configure an access list on my core switch.

Please guide me for the same.

Thanks & Regards,

Ciscobuddy

Hi ciscobuddy,

In this case, you have to restrict on the core switch. Just put VLAN ACLs and restrict access to 192.168.4.0/24.

For example:

interface vlan 100

ip address 192.168.4.1 255.255.255.0

ip access-group 100 in

access-list 100 deny tcp 192.168.4.0 0.0.0.255 any eq http

access-list 100 permit ip 192.168.4.0 0.0.0.255 any

This will deny port 80 traffic from 192.168.4.0/24 and allow all others. You can manipulate this access-list to allow anything that the 4.0/24 segment needs access to.

Hope this helps.

Raj

That ACL will also disallow access to intranet web apps, which could be a potentially career limiting maneuver. If there are internal/intranet web sites that users on the 192.168.4.0 /24 subnet need to access and the ACL is applied to the router i/f, you'll need to precede the deny statements with permissions to any/all internal subnets/hosts.

Best of luck.
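To see the ordering problem from the last reply concretely, here is an added example (not from the thread or from Cisco): a small Python model of IOS extended-ACL matching (first match wins, implicit deny at the end, Cisco wildcard masks) run over Raj's ACL and over a reordered version that permits internal destinations first. The internal range 192.168.0.0/16, the destination hosts and the flows are constructed for the example.

```python
import ipaddress

# Raj's ACL as posted (with the protocol keyword on the permit line).
ACL_ORIGINAL = [
    "access-list 100 deny tcp 192.168.4.0 0.0.0.255 any eq http",
    "access-list 100 permit ip 192.168.4.0 0.0.0.255 any",
]
# Reordered per the last reply: permit internal subnets before the deny.
# Assumption for the example: everything internal lives in 192.168.0.0/16.
ACL_FIXED = [
    "access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "access-list 100 deny tcp 192.168.4.0 0.0.0.255 any eq http",
    "access-list 100 permit ip 192.168.4.0 0.0.0.255 any",
]

PORT_NAMES = {"http": 80, "www": 80, "https": 443, "domain": 53}

def _addr_matches(addr, spec, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(spec))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (s & care)

def _parse_addr(t, i):
    """Consume 'any', 'host X' or 'X WILDCARD' at t[i]; return (spec, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_ace(line):
    """Parse 'access-list N action proto SRC DST [eq PORT]' (the subset used here)."""
    t = line.split()
    action, proto = t[2], t[3]
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": (src, src_wc),
            "dst": (dst, dst_wc), "dport": port}

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_matches(src, *ace["src"]) and _addr_matches(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"
```

Running the same intranet web flow through both lists shows the original denies 192.168.4.10 reaching an internal web server on port 80 while the reordered list permits it; note that both lists still permit port 443, because the deny only matches port 80, exactly as Raj's reply says.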