PIX 501 used to block part of subnet

Unanswered Question
Apr 20th, 2007

I have a PIX 501 with a single inside network of 192.168.0.1/24. I need to block all IPs above .128 from getting outside.


My question is this -- should I configure two internal networks of 192.168.0.0/25 and 192.168.0.129/25? Or can I leave the single network of 192.168.0.0/24 and just implement a rule to deny outbound from inside 192.168.0.129 255.255.255.128?

Jon Marshall Sat, 04/21/2007 - 05:43

Hi


No need to renumber your internal LAN.


As you say, you can just use the second half of the subnet in the access-list on the PIX, i.e.


access-list deny ip 192.168.0.128 255.255.255.128 any

access-list permit ip 192.168.0.0 255.255.255.128 any


HTH


Jon
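
Added example (not part of the original thread and not Jon's own code): a Python check that evaluates the two ACL entries above in order, first match wins, with the implicit deny at the end, to confirm exactly which inside hosts are blocked. The ACL name `inside_out` is an assumption, added because a PIX access-list entry needs an ACL ID; the ACL would also have to be bound to the inside interface (for example `access-group inside_out in interface inside`) before it filters anything.

```python
import ipaddress

# Constructed sample: the two entries from the answer, with an assumed
# ACL name ("inside_out") added so each line is a complete entry.
ACL_TEXT = """
access-list inside_out deny ip 192.168.0.128 255.255.255.128 any
access-list inside_out permit ip 192.168.0.0 255.255.255.128 any
"""

def parse_acl(text):
    """Return ordered (action, source network) pairs for '<action> ip <net> <mask> any' entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if (len(tok) != 7 or tok[0] != "access-list" or tok[3] != "ip"
                or tok[6] != "any" or tok[2] not in ("permit", "deny")):
            raise ValueError(f"unsupported entry: {line!r}")
        # strict=True raises ValueError when the address has host bits set
        # for the given mask (e.g. 192.168.0.129 with 255.255.255.128).
        net = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=True)
        entries.append((tok[2], net))
    return entries

def evaluate(entries, src):
    """First matching entry decides; no match falls through to the implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, net in entries:
        if addr in net:
            return action
    return "deny"

def blocked_hosts(entries, lan="192.168.0.0/24"):
    """List every usable host address on the inside LAN that the ACL denies."""
    return [str(h) for h in ipaddress.ip_network(lan).hosts()
            if evaluate(entries, str(h)) == "deny"]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Boundary addresses around the /25 split.
    for host in ("192.168.0.1", "192.168.0.127", "192.168.0.128",
                 "192.168.0.129", "192.168.0.254"):
        print(f"{host:15} -> {evaluate(acl, host)}")
    blocked = blocked_hosts(acl)
    print(f"{len(blocked)} hosts blocked: {blocked[0]} - {blocked[-1]}")
```

The deny entry covers 192.168.0.128 itself, so a host sitting on .128 is blocked along with everything above it.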
