Restricting Access to Internet only

gbarden
Level 1

I have approximately 11 hosts on my network that are only required to have Internet access and nothing else. I was wondering what the simplest solution would be to implement. I have a WAN with 2600 series routers. Internet traffic goes through a PIX 515UR connected to a Cisco 3640. Is it best to implement on the local router or the Internet router?


Richard Burts
Hall of Fame

Gene

If I understand your post correctly you have some devices that you want to have Internet access but not access to local resources. If this is a correct understanding then I think the optimum solution is to create an access list on the interface on which they connect which will deny packets with their source address with local destination addresses and will permit their source address to access remote/Internet destinations.

If you put the filter further away, then there is opportunity for their packets to be routed to local destinations before they get to where the filter is implemented.

HTH

Rick
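
The interface ACL described in the reply above, written out as an added IOS example that is not part of the original thread. The host block 192.168.10.32/28, the resolver 192.168.1.53, the interface name and the use of the RFC 1918 ranges as "local destinations" are all constructed assumptions; substitute the real values.

```cisco
! Added example with constructed addressing (assumptions, not from the thread):
!   restricted hosts  = 192.168.10.32/28 (one contiguous block holding the ~11 hosts)
!   local resolver    = 192.168.1.53     (drop this entry if the hosts use an external DNS server)
!   local networks    = the three RFC 1918 ranges
!   FastEthernet0/0   = LAN interface the restricted hosts connect to
!
ip access-list extended INTERNET-ONLY
 remark Exception: name resolution against the internal resolver
 permit udp 192.168.10.32 0.0.0.15 host 192.168.1.53 eq domain
 remark Block the restricted hosts from every local destination
 deny   ip 192.168.10.32 0.0.0.15 10.0.0.0 0.255.255.255
 deny   ip 192.168.10.32 0.0.0.15 172.16.0.0 0.15.255.255
 deny   ip 192.168.10.32 0.0.0.15 192.168.0.0 0.0.255.255
 remark Anything else from these hosts is an Internet destination
 permit ip 192.168.10.32 0.0.0.15 any
 remark Other hosts on the segment are unaffected (an ACL ends in an implicit deny)
 permit ip any any
!
interface FastEthernet0/0
 ! Inbound, so packets are dropped before the router makes a routing decision
 ip access-group INTERNET-ONLY in
!
! Caveats for this sketch:
!  - An inbound ACL also filters packets addressed to the router itself, so
!    the restricted hosts lose ping/telnet to their gateway address.
!  - If the hosts renew DHCP leases by unicast to an internal server, add a
!    permit for that server above the deny entries.
!  - Hosts on the same segment still reach each other at layer 2; the ACL
!    only controls routed traffic.
```

After applying it, `show access-lists INTERNET-ONLY` lists per-entry match counters, which shows whether the deny entries are being hit.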


I suggest controlling access at the PIX internal interface to centralise control. On your PIX, add the commands below.

nat (inside) 1 access-list Internet-Access

global (outside) 1 interface

access-list Internet-Access permit tcp x.x.x.x 255.255.255.0 any eq 80

This will allow outgoing Internet access for your local users and will stop everything else.

Note: If you have an access list applied to the inside interface, then make sure you allow outgoing access to the Internet as well, i.e.

access-list inside-out permit tcp x.x.x.x 255.255.255.0 any eq 80