Block Internal IP address from all outside access

Answered Question
Jun 11th, 2007

Hi all, I am new to the PIX.

How can I block an Internal IP Address from ALL outside access?

And then enable access again, if it is needed?

Thanks,

acomiskey Mon, 06/11/2007 - 08:10

Are you asking to prevent an internal host from going outside, or an outside user from accessing an internal IP?

It sounds like you want to block an IP from going out, since traffic from outside to inside would be denied by default. So, if this is the case, you can add an inside ACL to the PIX...

access-list inside deny ip host 192.168.1.10 any

access-list inside permit ip any any

access-group inside in interface inside

192.168.1.10 = the IP you are trying to block

inside = the name of the inside interface

To allow access again, just do...

no access-group inside in interface inside

cadstillo Mon, 06/11/2007 - 08:38

Thanks that worked, how can I delete/rename the access list I just recreated?

Correct Answer
acomiskey Mon, 06/11/2007 - 09:35

"Thanks that worked, how can I delete/rename the access list I just recreated?"

no access-list inside deny ip host 192.168.1.10 any

no access-list inside permit ip any any

access-list deny ip host 192.168.1.10 any

access-list permit ip any any

access-group in interface inside

One comment on the other recommendation: this would work as long as the client required NAT/PAT to get outside. He would still be allowed across VPN tunnels, for example. Also, technically it is not denying him from going outside either; it is just not allowing the destination to route back to him.
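The first-match behaviour behind both answers, as an added illustration that is not from the thread: a small Python model of the posted inside ACL that shows why the deny line must come before permit ip any any, a check for entries shadowed by an earlier line, and the flow comparison acomiskey draws between the ACL and the nat 0 approach. Every address other than 192.168.1.10 is constructed, and the nat 0 case is applied to that same host rather than Jorge's 192.168.14.44.

```python
from ipaddress import ip_address, ip_network

# The inside ACL as posted (name "inside"), as (action, src, dst) tuples:
#   access-list inside deny ip host 192.168.1.10 any
#   access-list inside permit ip any any
# "host X" is X/32 and "any" is 0.0.0.0/0.
BLOCKED_HOST = "192.168.1.10"
INSIDE_ACL = [
    ("deny",   BLOCKED_HOST + "/32", "0.0.0.0/0"),
    ("permit", "0.0.0.0/0",          "0.0.0.0/0"),
]
# The same two lines entered in the wrong order: permit ip any any first.
REVERSED_ACL = [INSIDE_ACL[1], INSIDE_ACL[0]]

def acl_decision(acl, src, dst):
    """PIX-style evaluation: the first entry matching the flow decides.
    If nothing matches, the implicit deny at the end of the ACL applies."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "deny"

def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry
    already covers every flow they describe (src and dst both subsumed).
    Worth running before the ACL is applied with access-group."""
    dead = []
    for i, (_, s_i, d_i) in enumerate(acl):
        for _, s_j, d_j in acl[:i]:
            if (ip_network(s_i).subnet_of(ip_network(s_j))
                    and ip_network(d_i).subnet_of(ip_network(d_j))):
                dead.append(i)
                break
    return dead

def outbound_result(method, src, dst, dst_via_vpn=False):
    """Contrast the two recommendations for one flow. 'acl' is a real deny
    on the inside interface. 'nat' is nat 0 with no global-pool entry
    (applied here to BLOCKED_HOST, not Jorge's 192.168.14.44): nothing is
    denied, the packet leaves untranslated and an Internet destination has
    no route back to a private address; over a VPN tunnel private
    addressing works, so the host still gets through (acomiskey's caveat)."""
    if method == "acl":
        return "dropped" if acl_decision(INSIDE_ACL, src, dst) == "deny" else "forwarded"
    if src == BLOCKED_HOST and not dst_via_vpn:
        return "forwarded untranslated, no return route"
    return "forwarded"
```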

cadstillo Mon, 06/11/2007 - 09:41

Thank you for pointing that out.

Thanks for showing me how to delete and rename, that makes sense.

JORGE RODRIGUEZ Mon, 06/11/2007 - 08:23

Hi, if you have a global NAT pool for Internet or outbound connections, you could add the PC host on the inside interface of the PIX; for the outside interface, don't give the PC a global dynamic pool. This way it will not translate when going outside.

For example, we'll use 192.168.14.44 as the PC host.

Give the PC static NAT for all the interfaces.

name 192.168.14.44 test-pc

pdm location 192.168.14.44 255.255.255.255 inside

nat (inside) 0 192.168.14.44 255.255.255.255 0 0

static (inside,outside) 192.168.14.44 192.168.14.44 netmask 255.255.255.255 0 0

or

name 192.168.14.44 test

pdm location 192.168.14.44 255.255.255.255 inside

nat (inside) 0 192.168.14.44 255.255.255.255 0 0

To enable access again, add the PC to the global NAT pool for outside, usually your public IP pool range or the PAT address for the outside interface.

HTH

Jorge
