PIX ACL internal - deny network/allow www server

Unanswered Question
Jun 4th, 2007

I am going to be adding a second network (wireless) that needs to be isolated from the primary network except for one server (www). Currently the wireless is on a second VLAN, that while permitting internet access does not of course allow access to the web server on the main LAN.

What I would like to do is use a PIX506 to place in between the two networks, and allow the wireless network internet access as well as access to this one specific web server, ideally just the http only.

So I am thinking I would need to create inbound and outbound ACLs. So therefore I would need to make an ACL deny the network, while allowing www access to

Basically wireless clients need to access the internet, and this webserver, but NOT see anything else on the main network.

acomiskey Mon, 06/04/2007 - 08:53

Something like this?

access-list inside permit tcp any host eq www

access-list inside deny ip any

access-list inside permit ip any any

access-group inside in interface inside

Jon Marshall Mon, 06/04/2007 - 08:57
Assuming wireless LAN is you

would need the following

access-list restrict permit tcp host eq www

access-list restrict deny ip any

access-list restrict permit ip any

Apply this on the interface connected to the network ie the wireless network in an inbound direction.
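An added illustration (Python, not PIX configuration and not from either reply) of the first-match ordering both answers rely on: the port 80 permit to the web server must sit above the deny for the rest of the main LAN, and the blanket internet permit comes last. The addresses are constructed assumptions: 192.168.2.0/24 for the wireless VLAN, 192.168.1.0/24 for the main LAN, 192.168.1.10 for the web server.

```python
import ipaddress

# Constructed sample addressing (assumption, not from the thread).
WIRELESS = ipaddress.ip_network("192.168.2.0/24")
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
WWW_SERVER = ipaddress.ip_network("192.168.1.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each tuple mirrors one PIX access-list line in the order it would be entered:
# (action, protocol, source, destination, destination port or None for any).
# Entries are evaluated top-down, first match wins, implicit deny at the end.
RESTRICT_ACL = [
    ("permit", "tcp", WIRELESS, WWW_SERVER, 80),    # permit tcp <wireless> host <www> eq www
    ("deny",   "ip",  WIRELESS, MAIN_LAN,   None),  # deny ip <wireless> <main LAN>
    ("permit", "ip",  WIRELESS, ANY,        None),  # permit ip <wireless> any (internet)
]

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry, or 'deny' (implicit) if none match."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

def check_policy(acl):
    """Exercise the cases the thread cares about and return each verdict."""
    return {
        "wireless_to_www_http": evaluate(acl, "tcp", "192.168.2.50", "192.168.1.10", 80),
        "wireless_to_www_ssh": evaluate(acl, "tcp", "192.168.2.50", "192.168.1.10", 22),
        "wireless_to_other_lan_host": evaluate(acl, "tcp", "192.168.2.50", "192.168.1.20", 80),
        "wireless_to_internet": evaluate(acl, "tcp", "192.168.2.50", "203.0.113.5", 443),
    }

if __name__ == "__main__":
    for name, verdict in check_policy(RESTRICT_ACL).items():
        print(f"{name}: {verdict}")
    # Moving the LAN deny above the www permit shows why entry order matters.
    swapped = [RESTRICT_ACL[1], RESTRICT_ACL[0], RESTRICT_ACL[2]]
    print("swapped order, wireless_to_www_http:", check_policy(swapped)["wireless_to_www_http"])
```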