help with access-list

flopez · ‎03-20-2007

I am trying to get a computer to not access the internet using my PIX 506 (6.3(5) version.

I need to prevent computer with ip 192.168.50.5 to not be able to go to the Internet.

Can I do this like this:

access-list acl_in deny tcp 192.168.50.5 255.255.255.0 0 0 eq http

I already have binded this acl_in to the interface.

Thanks in advance. BTW, can I do this with the mac-address too?

Julio,

abinjola · ‎03-20-2007

access-list acl_in deny tcp 192.168.50.5 255.255.255.0 any eq http

access-l acl_in permit tcp any any eq 80

access-l acl_in permit udp any any eq 53

(this will ensure Internet connectivity for rest of the mass)

No you cant do it on the basis of MAC address

jspringfield · ‎03-20-2007

The above looks good except the deny will deny the whole network 192.168.50.0. Try...

access-list acl_in deny tcp host 192.168.50.5 any eq http

or

access-list acl_in deny tcp host 192.168.50.5 255.255.255.255 any eq http

then add...

access-list acl_in permit tcp any any eq 80

access-list acl_in permit udp any any eq 53

if you want to restrict access out bound for http and dns only. You might want to add

access-list acl_in permit tcp any any eq https

(for secure http)

or some people just add this line at the end of the deny list...

access-list acl_in permit ip any any

(to let all traffic out to the internet not previously denied. Not as secure but very common)

acomiskey · ‎03-20-2007

If you just want to prevent http and dns that is great, but if you want to completely prevent everything else you can do on the internet...

access-list acl_in deny ip host 192.168.50.5 any

access-list acl_in permit ip any any

access-group acl_in in interface inside