help with access-list


I am trying to get a computer to not access the Internet using my PIX 506 (version 6.3(5)).

I need to prevent the computer with IP 192.168.50.5 from being able to go to the Internet.

Can I do this like this:

access-list acl_in deny tcp 192.168.50.5 255.255.255.0 0 0 eq http

I have already bound this acl_in to the interface.

Thanks in advance. BTW, can I do this with the mac-address too?

Julio,

abinjola Tue, 03/20/2007 - 10:43

access-list acl_in deny tcp 192.168.50.5 255.255.255.0 any eq http

access-l acl_in permit tcp any any eq 80

access-l acl_in permit udp any any eq 53

(this will ensure Internet connectivity for the rest of the masses)

No, you can't do it on the basis of MAC address.

The above looks good except the deny will deny the whole network 192.168.50.0. Try...

access-list acl_in deny tcp host 192.168.50.5 any eq http

or

access-list acl_in deny tcp host 192.168.50.5 255.255.255.255 any eq http

then add...

access-list acl_in permit tcp any any eq 80

access-list acl_in permit udp any any eq 53

if you want to restrict outbound access to HTTP and DNS only. You might want to add

access-list acl_in permit tcp any any eq https

(for secure http)

or some people just add this line at the end of the deny list...

access-list acl_in permit ip any any

(to let all traffic out to the internet not previously denied. Not as secure but very common)

acomiskey Tue, 03/20/2007 - 11:14

If you just want to prevent HTTP and DNS, that is great, but if you want to completely prevent everything else you can do on the Internet...

access-list acl_in deny ip host 192.168.50.5 any

access-list acl_in permit ip any any

access-group acl_in in interface inside
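The replies above turn on two points that are easy to verify offline: a PIX 6.3 access-list line uses a real subnet mask, so `192.168.50.5 255.255.255.0` matches every host in 192.168.50.0/24 rather than the single PC, and the list is evaluated top-down with first match winning and an implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator that models only the syntax used in this discussion (permit/deny, ip/tcp/udp, `any`, `host A.B.C.D`, `A.B.C.D MASK`, optional `eq PORT`) and runs the three ACL variants from the replies against constructed flows. The address 203.0.113.10 is a documentation address standing in for an arbitrary Internet host.

```python
"""Evaluate PIX 6.3-style access-list lines against sample flows.

Constructed illustration of the points made in the thread. It models
only the subset of syntax used there and is not a PIX implementation.
PIX 6.3 uses subnet masks on access-list lines (not IOS wildcard masks),
so '192.168.50.5 255.255.255.0' covers the whole 192.168.50.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names accepted on access-list lines (subset used here).
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens, i):
    """Parse an address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D MASK': the mask decides what matches, not the address alone.
    # strict=False lets host bits in the address be masked away, as PIX does.
    net = ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] not in ("access-list", "access-l"):
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def matches(ace, src_ip, proto, dst_ip, dport):
    """True if the flow is covered by this entry ('ip' covers tcp and udp)."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.IPv4Address(src_ip) not in ace.src:
        return False
    if ipaddress.IPv4Address(dst_ip) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(lines, src_ip, proto, dst_ip, dport=None):
    """Return (action, index) of the first matching line; (deny, None) if none."""
    for idx, ace in enumerate(parse_ace(l) for l in lines):
        if matches(ace, src_ip, proto, dst_ip, dport):
            return ace.action, idx
    return "deny", None          # implicit deny at the end of every ACL


# Constructed ACLs mirroring the replies in the thread.
ACL_NETMASK_MISTAKE = [
    "access-list acl_in deny tcp 192.168.50.5 255.255.255.0 any eq http",
    "access-list acl_in permit tcp any any eq 80",
    "access-list acl_in permit udp any any eq 53",
]
ACL_HOST_HTTP_ONLY = [
    "access-list acl_in deny tcp host 192.168.50.5 any eq http",
    "access-list acl_in permit tcp any any eq 80",
    "access-list acl_in permit udp any any eq 53",
]
ACL_HOST_ALL_IP = [
    "access-list acl_in deny ip host 192.168.50.5 any",
    "access-list acl_in permit ip any any",
]

if __name__ == "__main__":
    inet = "203.0.113.10"        # documentation address standing in for the Internet
    flows = [("192.168.50.5", "tcp", 80), ("192.168.50.7", "tcp", 80),
             ("192.168.50.5", "udp", 53), ("192.168.50.5", "tcp", 443)]
    for name, acl in [("netmask mistake", ACL_NETMASK_MISTAKE),
                      ("host, http only", ACL_HOST_HTTP_ONLY),
                      ("host, all ip", ACL_HOST_ALL_IP)]:
        for src, proto, port in flows:
            print(f"{name:16} {src} {proto}/{port:<4} -> {evaluate(acl, src, proto, inet, port)}")
```

Running it shows the collateral damage of the mask form (192.168.50.7 is denied HTTP by the first ACL), that the host-based HTTP-only deny still lets 192.168.50.5 resolve names over UDP/53 and hits the implicit deny for HTTPS because no https permit exists, and that swapping the order of the two lines in the last ACL lets `permit ip any any` shadow the deny entirely.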
