Block Internal IP address from all outside access

Answered Question
Jun 11th, 2007

Hi all, I am new to the PIX.


How can I block an Internal IP Address from ALL outside access?


And then enable access again, if it is needed?


Thanks,

acomiskey Mon, 06/11/2007 - 08:10

Are you asking to prevent an internal host from going outside, or to prevent an outside user from accessing an internal IP?


It sounds like you want to block an IP from going out, since traffic from outside to inside would be denied by default. So, if this is the case, you can add an inside ACL to the PIX...


access-list inside deny ip host 192.168.1.10 any
access-list inside permit ip any any
access-group inside in interface inside


192.168.1.10 = the IP you are trying to block
inside = the name of the inside interface


To allow access again, just do...


no access-group inside in interface inside


cadstillo Mon, 06/11/2007 - 08:38

Thanks that worked, how can I delete/rename the access list I just recreated?

Correct Answer
acomiskey Mon, 06/11/2007 - 09:35

"Thanks that worked, how can I delete/rename the access list I just recreated?"


no access-list inside deny ip host 192.168.1.10 any
no access-list inside permit ip any any
access-list <new-name> deny ip host 192.168.1.10 any
access-list <new-name> permit ip any any
access-group <new-name> in interface inside


One comment on the other recommendation: this would work as long as the client required NAT/PAT to get outside. He would still be allowed across VPN tunnels, for example. Also, technically it is not denying him from going outside either; it is just not allowing the destination to route back to him.
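As an added illustration (not code from this thread, from Cisco, or from either poster), the following Python model replays the commands from the two acomiskey answers against a tiny first-match ACL evaluator: block the one host, restore access by unbinding the ACL, then delete the entries and recreate the list under a new name. It also shows the one mistake a newcomer is most likely to make, binding a list that contains only the deny line, which hits the implicit deny at the end of every ACL and cuts off every inside host. The neighbour 192.168.1.20, the outside destination 203.0.113.5 and the ACL name block-pc are constructed for the example; the blocked host and the interface name come from the thread.

```python
# Added example: minimal model of PIX first-match ACL evaluation on the inside
# interface. Only the access-list / access-group forms used in the thread are
# parsed. Hosts 192.168.1.20 and 203.0.113.5 and the ACL name "block-pc" are
# constructed placeholders, not values from the thread.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Ace:
    """One access-list entry: permit|deny ip <src> <dst>."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Pix:
    acls: dict = field(default_factory=dict)      # acl name -> list of Ace
    bindings: dict = field(default_factory=dict)  # interface -> acl bound "in"


def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")


def apply(pix, line):
    """Apply one config line (access-list / access-group, optional 'no')."""
    tokens = line.split()
    negate = tokens[0] == "no"
    if negate:
        tokens = tokens[1:]
    if tokens[0] == "access-list":
        # access-list <name> permit|deny ip <src> <dst>
        name, action, proto = tokens[1], tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError("only the 'ip' protocol keyword is modelled")
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        ace = Ace(action, src, dst)
        if negate:
            pix.acls[name].remove(ace)
            if not pix.acls[name]:
                del pix.acls[name]  # last entry removed: the ACL no longer exists
        else:
            pix.acls.setdefault(name, []).append(ace)
    elif tokens[0] == "access-group":
        # access-group <name> in interface <ifname>
        name, ifname = tokens[1], tokens[4]
        if negate:
            pix.bindings.pop(ifname, None)
        else:
            pix.bindings[ifname] = name
    else:
        raise ValueError(f"unsupported command: {line}")


def permitted(pix, ifname, src, dst):
    """First matching entry wins; a bound ACL ends in an implicit deny.
    With no ACL bound, the PIX default for inside -> outside (higher to
    lower security level) lets the traffic through."""
    name = pix.bindings.get(ifname)
    if name is None:
        return True
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in pix.acls.get(name, []):
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def walkthrough(blocked="192.168.1.10", neighbour="192.168.1.20",
                outside="203.0.113.5"):
    """Replay the thread's commands; return True/False per checkpoint."""
    pix = Pix()
    for line in (f"access-list inside deny ip host {blocked} any",
                 "access-list inside permit ip any any",
                 "access-group inside in interface inside"):
        apply(pix, line)
    r = {"host_blocked": not permitted(pix, "inside", blocked, outside),
         "neighbour_ok": permitted(pix, "inside", neighbour, outside)}
    # "To allow access again": unbind the ACL from the interface.
    apply(pix, "no access-group inside in interface inside")
    r["host_restored"] = permitted(pix, "inside", blocked, outside)
    # Delete the entries and recreate them under a new name (accepted answer).
    for line in (f"no access-list inside deny ip host {blocked} any",
                 "no access-list inside permit ip any any",
                 f"access-list block-pc deny ip host {blocked} any",
                 "access-list block-pc permit ip any any",
                 "access-group block-pc in interface inside"):
        apply(pix, line)
    r["old_acl_gone"] = "inside" not in pix.acls
    r["renamed_blocks"] = not permitted(pix, "inside", blocked, outside)
    # Pitfall: binding a list with only the deny line also locks out everyone
    # else, because the implicit deny at the end catches them.
    lonely = Pix()
    apply(lonely, f"access-list inside deny ip host {blocked} any")
    apply(lonely, "access-group inside in interface inside")
    r["deny_only_blocks_everyone"] = not permitted(lonely, "inside", neighbour, outside)
    return r


if __name__ == "__main__":
    for check, value in walkthrough().items():
        print(f"{check}: {value}")
```

The model is deliberately narrow: it knows nothing about NAT, VPN tunnels or other interfaces, so it cannot show the caveat about the NAT-based approach; it only demonstrates what the interface ACL itself decides.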

cadstillo Mon, 06/11/2007 - 09:41

Thank you for pointing that out.


Thanks for showing me how to delete and rename, that makes sense.

JORGE RODRIGUEZ Mon, 06/11/2007 - 08:23

Hi, if you have a global NAT pool for internet or outbound connections, you could add the PC host on the inside interface of the PIX; for the outside interface, don't give the PC a global dynamic pool. This way it will not translate when going outside.


For example, we'll use 192.168.14.44 as the PC host.



Give the PC static NAT for all the interfaces:

name 192.168.14.44 test-pc
pdm location 192.168.14.44 255.255.255.255 inside
nat (inside) 0 192.168.14.44 255.255.255.255 0 0
static (inside,outside) 192.168.14.44 192.168.14.44 netmask 255.255.255.255 0 0



or


name 192.168.14.44 test
pdm location 192.168.14.44 255.255.255.255 inside
nat (inside) 0 192.168.14.44 255.255.255.255 0 0



To enable access again, add the PC to the global NAT pool for outside, usually your public IP pool range or the PAT address for the outside interface.


HTH


Jorge


cadstillo Mon, 06/11/2007 - 09:19

That is interesting. I will look into doing that.
