Providing Guest Internet Access

dmcconnell
Level 1

This is probably a very newbie question, but I can't get my head around this.

I am looking for a way to provide a VLAN that would provide unrestricted access to the internet, but be separate from the rest of my network. The fun part of this is that I control the local router (msfc) and the firewall that's connected to the internet but not everything in between. Can anyone point me to an article/white paper on doing this?

6 Replies

paddyxdoyle
Level 6

I am not recommending this but you could create a vlan on your switch say vlan 999 which has an address range say 10.1.1.0 255.255.255.0. Put access-lists on your MSFC only allowing traffic from vlan 999 to talk to your firewall. You could then have a rule on your firewall saying permit traffic from network 10.1.1.0 255.255.255.0 to the internet with a relevant NAT statement. Then any users that want unrestricted access would have to be connected into VLAN 999 and given an IP address from this network range.

Most of the companies I have worked for don't permit non-company-owned equipment on their networks, and rightly so. If you wanted to go down this road then maybe look at an ADSL line and an 837 or 1712 router with the firewall feature set and built-in four-port switch, which you could directly patch a guest into. The router can supply DHCP addresses to the guest and they can get onto the internet, but NOT using your production network infrastructure.

Rgds

Paddy

Paddy, thanks for the reply. Part of the reason I need to do this is to stem the tide of DSL lines being requested. Given the size of our company, the number of lines is out of control, and all the contractors cannot be served by one or even a handful... We have the same rules around non-company assets, etc., which is why I am trying to find a secure way to do this. I want these users to be able to get to the Internet, not to anything else. In the solution you propose, would these people be able to get to anything but the firewall? How would I force their traffic to go there? Do you have any config examples?

Thinking about it some more, you would have to have access-lists on all of your production VLAN interfaces blocking any traffic from your guest VLAN from being routed into your production VLANs, as the order of operations on a router is to check the access-list first and then route; so an access-list on VLAN 999 forcing traffic from the guest VLAN to the firewall only would actually prevent any access to the internet.

To give you an example, say you have production VLAN2 10.2.2.0/24 and guest VLAN3 10.1.1.0/24, each with a VLAN interface on your MSFC. You could configure an access-list on your MSFC to stop any guest traffic from going to/from the production LAN. You should also configure an access-list on VLAN3 permitting guests to use only certain protocols, e.g. HTTP and HTTPS:

access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip any any

and then apply the access-lists to the VLAN interface

! "in" filters packets arriving from hosts on the VLAN, "out" filters packets
! the MSFC forwards towards them: 101 inbound stops production hosts sending
! to the guest range, 102 outbound stops guest-sourced packets being forwarded
! into VLAN2
interface Vlan2
 ip access-group 101 in
 ip access-group 102 out

! guests may originate only HTTP/HTTPS; the implicit deny at the end of 103
! drops everything else they send
access-list 103 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 103 permit tcp 10.1.1.0 0.0.0.255 any eq 443

interface Vlan3
 ip access-group 103 in

These examples are assuming you have a default route on your MSFC pointing to your PIX firewall. Any http or https traffic from 10.1.1.0 would be routed to the firewall via your default route. If a guest tried to access VLAN2 then they would be blocked and vice versa.

If you have a proxy server then you could force traffic from vlan999 to only talk to the proxy server via an access-list, but you would have to set up each of your guests to use the proxy server when they want to access the internet.

It's a bit messy; you will also need a DHCP server with DNS servers etc. Depending on the location of your DNS server you may have to allow your guest network access to your production network for DNS queries, unless you use your ISP's DNS?

Obviously running non-trusted users on your LAN is not an ideal scenario, but here are 2 possibilities.

1. The above suggestions are close, but I suggest not applying the ACLs in that manner since it will hurt inter-VLAN performance if you apply ACLs on all of your interfaces. You simply need to apply an egress ACL on your new Internet-only VLAN similar to the following:

! applied inbound on the guest SVI so it filters the packets guests originate;
! 0.15.255.255 covers 172.16.0.0-172.31.255.255
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any

interface Vlan3
 ip access-group 101 in

As Paddy mentioned, be sure to factor in things such as DNS. If you have a DNS server they use, add a permit udp eq dns above the denies. Also, you should add more explicit denies if you use public IPs in your network.

2. If you can get a VLAN to carry across to the PIX and you are running 6.3, you could make the inside interface of the PIX a trunk and give the new VLAN a dedicated virtual interface on the PIX. From there, proceed as normal to allow only outbound traffic. From your initial description I suspect this will not work, but following is a link about VLANs on 6.3 PIXs.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1140519

-Eric
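As an added example (not code from any poster in this thread), here is a small Python model of IOS first-match ACL evaluation with Cisco wildcard masks, used to check the RFC 1918 ACL above when it is applied inbound on the guest SVI, with the DNS permit placed above the denies as suggested. The guest host 10.1.1.7 and the DNS server 10.2.2.53 are constructed addresses; the mask parameter lets you compare the correct 172.16/12 wildcard (0.15.255.255) with a mistyped one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
Net = Tuple[str, str]  # (network, Cisco wildcard mask)
ANY: Net = ("0.0.0.0", "255.255.255.255")
GUEST: Net = ("10.1.1.0", "0.0.0.255")  # guest VLAN range used in the thread
DNS_SERVER = "10.2.2.53"  # constructed: internal DNS host on production VLAN2

def wildcard_match(addr: str, net: Net) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net[0]))
    care = ~int(ipaddress.IPv4Address(net[1])) & 0xFFFFFFFF
    return a & care == n & care

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    proto: str  # "ip", "tcp" or "udp"
    src: Net
    dst: Net
    dport: Optional[int] = None

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

def guest_inbound_acl(mask_172: str = "0.15.255.255") -> List[Ace]:
    """The RFC 1918 ACL applied 'in' on the guest SVI, DNS permit first."""
    return [
        Ace("permit", "udp", GUEST, (DNS_SERVER, "0.0.0.0"), 53),
        Ace("deny", "ip", ANY, ("10.0.0.0", "0.255.255.255")),
        Ace("deny", "ip", ANY, ("172.16.0.0", mask_172)),
        Ace("deny", "ip", ANY, ("192.168.0.0", "0.0.255.255")),
        Ace("permit", "ip", ANY, ANY),
    ]

def guest_reach(acl: List[Ace], guest: str = "10.1.1.7") -> dict:
    """Verdicts for flows the guest host would originate through the SVI."""
    return {"internet_https": evaluate(acl, "tcp", guest, "198.51.100.10", 443),
            "internal_dns": evaluate(acl, "udp", guest, DNS_SERVER, 53),
            "prod_vlan2": evaluate(acl, "tcp", guest, "10.2.2.10", 80),
            "other_rfc1918": evaluate(acl, "tcp", guest, "172.20.1.1", 80)}
```

Running guest_reach(guest_inbound_acl("0.240.255.255")) shows why the mask matters: that wildcard only matches every sixteenth /16 under 172, so 172.20.0.0/16 slips through the deny.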

Eric, thanks for the ideas. The problem is, we are using public IPs inside our network. The thought of trying to deny every single subnet in the company is too daunting. I am pursuing another track now. I am thinking that I could build a tunnel from the internet-only VLAN interface to the PIX. I then would have to source-route all traffic from the internet VLAN to go out the MSFC side of the tunnel. This should protect my production network from anyone on this VLAN getting to anywhere else in the company.

I was hoping to avoid this, but it looks like my only bet.

Interesting idea. Are you running crypto code on the MSFC? If not, how are you planning on building the tunnel? I'd be curious to hear how this works out.