03-20-2007 10:35 AM - edited 03-11-2019 02:49 AM
I am trying to get a computer to not access the Internet using my PIX 506 (version 6.3(5)).
I need to prevent the computer with IP 192.168.50.5 from being able to go to the Internet.
Can I do this like this:
access-list acl_in deny tcp 192.168.50.5 255.255.255.0 0 0 eq http
I have already bound this acl_in to the interface.
Thanks in advance. BTW, can I do this with the mac-address too?
Julio,
03-20-2007 10:43 AM
access-list acl_in deny tcp 192.168.50.5 255.255.255.0 any eq http
access-l acl_in permit tcp any any eq 80
access-l acl_in permit udp any any eq 53
(this will ensure Internet connectivity for the rest of the mass)
No, you can't do it on the basis of MAC address.
03-20-2007 11:13 AM
The above looks good except the deny will deny the whole network 192.168.50.0. Try...
access-list acl_in deny tcp host 192.168.50.5 any eq http
or
access-list acl_in deny tcp 192.168.50.5 255.255.255.255 any eq http
then add...
access-list acl_in permit tcp any any eq 80
access-list acl_in permit udp any any eq 53
if you want to restrict outbound access to http and dns only. You might want to add
access-list acl_in permit tcp any any eq https
(for secure http)
or some people just add this line at the end of the deny list...
access-list acl_in permit ip any any
(to let all traffic out to the internet not previously denied. Not as secure but very common)
03-20-2007 11:14 AM
If you just want to prevent http and dns that is great, but if you want to completely prevent everything else you can do on the internet...
access-list acl_in deny ip host 192.168.50.5 any
access-list acl_in permit ip any any
access-group acl_in in interface inside
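To see why the replies above insist on `host` (or a 255.255.255.255 mask) and on putting the deny before the permits, here is a small Python model of how a PIX 6.3 access-list is walked: top to bottom, first match wins, implicit deny at the end. This is an added example, not Cisco code and not from any poster in this thread; it parses only the subset of access-list syntax used above (ip/tcp/udp, any, host A.B.C.D, A.B.C.D MASK, eq PORT), and the destination address 203.0.113.7 and the "misordered" ACL are constructed for the demonstration.

```python
"""Model of PIX 6.3 style access-list evaluation (added example, not PIX code).

The firewall walks the list top to bottom and stops at the first entry that
matches the packet; if nothing matches, the packet is denied.  Only the subset
of syntax used in the thread is understood here.
"""
import ipaddress
from typing import NamedTuple, Optional

PORT_NAMES = {"http": 80, "www": 80, "https": 443, "domain": 53}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


class Entry(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _take_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK": the mask is applied to the address, so
    # 192.168.50.5 255.255.255.0 really means all of 192.168.50.0/24.
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_entry(line):
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] not in ("access-list", "access-l"):
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    src, i = _take_addr(tokens, 4)
    dst, i = _take_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = PORT_NAMES.get(port) or int(port)
    return Entry(action, proto, src, dst, dport)


def parse_acl(text):
    return [parse_entry(line) for line in text.strip().splitlines() if line.strip()]


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny' for a packet: first match wins, implicit deny."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


# The ACLs from the thread.  The first one uses the /24 mask on a host address.
ACL_SUBNET_MASK = parse_acl("""
access-list acl_in deny tcp 192.168.50.5 255.255.255.0 any eq http
access-l acl_in permit tcp any any eq 80
access-l acl_in permit udp any any eq 53
""")
ACL_HOST = parse_acl("""
access-list acl_in deny tcp host 192.168.50.5 any eq http
access-list acl_in permit tcp any any eq 80
access-list acl_in permit udp any any eq 53
""")
ACL_BLOCK_HOST = parse_acl("""
access-list acl_in deny ip host 192.168.50.5 any
access-list acl_in permit ip any any
""")
# Constructed counter-example: the deny appended after a permit ip any any.
ACL_MISORDERED = parse_acl("""
access-list acl_in permit ip any any
access-list acl_in deny ip host 192.168.50.5 any
""")

if __name__ == "__main__":
    web = "203.0.113.7"  # constructed Internet destination (TEST-NET-3)
    for name, acl in [("subnet-mask", ACL_SUBNET_MASK), ("host", ACL_HOST),
                      ("block-host", ACL_BLOCK_HOST), ("misordered", ACL_MISORDERED)]:
        for src in ("192.168.50.5", "192.168.50.10"):
            print(f"{name:12} {src:14} http  -> {evaluate(acl, 'tcp', src, web, 80)}")
            print(f"{name:12} {src:14} https -> {evaluate(acl, 'tcp', src, web, 443)}")
```

Running it shows three things the thread states in prose: with the /24 mask the innocent neighbour 192.168.50.10 loses http along with .5; with the `host` form only .5 is blocked, but both hosts lose https because nothing permits it (hence the suggestion to add a `permit tcp any any eq https` or a final `permit ip any any`); and in the misordered list the deny is never reached, which matters because new lines are appended to the end of an ACL that already exists, so the deny has to sit above `permit ip any any`.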