06-11-2007 08:06 AM - edited 03-11-2019 03:27 AM
Hi all I am new to the PIX.
How can I block an Internal IP Address from ALL outside access?
And then enable access again, if it is needed?
Thanks,
06-11-2007 08:10 AM
Are you asking to prevent an internal host from going outside, or an outside user accessing an internal IP?
It sounds like you want to block an IP from going out, since traffic from outside to inside would be denied by default. So, if this is the case, you can add an inside ACL to the PIX...
access-list inside deny ip host 192.168.1.10 any
access-list inside permit ip any any
access-group inside in interface inside
192.168.1.10=ip you are trying to block
inside=name of inside interface
To allow access again, just do...
no access-group inside in interface inside
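Added here as an illustration (not from the thread or from Cisco): a small Python model of how the PIX evaluates the inside ACL above, where the first matching entry wins and an applied ACL ends in an implicit deny, so removing only the `permit ip any any` line while the access-group stays bound blocks every inside host, not just 192.168.1.10. The destination 203.0.113.5 and the second host 192.168.1.20 are constructed values.

```python
import ipaddress


def _operand(tokens, i):
    """Return (network, next_index) for an 'any' or 'host A.B.C.D' operand."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported operand: {tokens[i]}")


def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip SRC DST' into (name, action, src, dst).
    Only protocol 'ip' with 'any' / 'host' operands is handled, which covers the thread."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _operand(t, 4)
    dst, _ = _operand(t, i)
    return t[1], t[2], src, dst


def evaluate(aces, applied, src_ip, dst_ip):
    """First-match evaluation of an ACL bound inbound on the inside interface.
    With no access-group applied the PIX lets inside (higher security) traffic out
    by default; once an ACL is applied, the first matching ACE decides and anything
    unmatched falls through to the implicit deny at the end of every ACL."""
    if not applied:
        return "permit"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _name, action, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"


# The two ACEs the thread applies with 'access-group inside in interface inside'.
ACL_FROM_THREAD = [
    "access-list inside deny ip host 192.168.1.10 any",
    "access-list inside permit ip any any",
]


def scenarios():
    """Outcomes for a constructed outbound flow to 203.0.113.5 (a documentation address)."""
    full = [parse_ace(l) for l in ACL_FROM_THREAD]
    deny_only = full[:1]  # state after 'no access-list inside permit ip any any' alone
    return {
        "blocked_host": evaluate(full, True, "192.168.1.10", "203.0.113.5"),
        "other_host": evaluate(full, True, "192.168.1.20", "203.0.113.5"),
        "access_group_removed": evaluate(full, False, "192.168.1.10", "203.0.113.5"),
        "permit_line_removed": evaluate(deny_only, True, "192.168.1.20", "203.0.113.5"),
    }
```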
06-11-2007 08:38 AM
Thanks that worked, how can I delete/rename the access list I just recreated?
06-11-2007 09:35 AM
"Thanks that worked, how can I delete/rename the access list I just recreated?"
no access-list inside deny ip host 192.168.1.10 any
no access-list inside permit ip any any
access-list <new-name> deny ip host 192.168.1.10 any
access-list <new-name> permit ip any any
access-group <new-name> in interface inside
One comment to the other recommendation: this would work as long as the client required NAT/PAT to get outside. He would still be allowed across VPN tunnels, for example. Also, technically it is not denying him from going outside either; it is just not allowing the destination to route back to him.
06-11-2007 09:41 AM
Thank you for pointing that out.
Thanks for showing me how to delete and rename, that makes sense.
06-11-2007 08:23 AM
Hi, if you have a global NAT pool for internet or outbound connections, you could add the PC host on the inside interface of the PIX; for the outside interface, don't give the PC a global dynamic pool, so this way it will not translate when going outside.
For example, we'll use 192.168.14.44 as the PC host.
Give the PC static NAT for all the interfaces:
name 192.168.14.44 test-pc
pdm location 192.168.14.44 255.255.255.255 inside
nat (inside) 0 192.168.14.44 255.255.255.255 0 0
static (inside,outside) 192.168.14.44 192.168.14.44 netmask 255.255.255.255 0 0
or
name 192.168.14.44 test
pdm location 192.168.14.44 255.255.255.255 inside
nat (inside) 0 192.168.14.44 255.255.255.255 0 0
to enable access then add the PC to the global NAT pool for outside, usually your public IP pool range or PAT address for the outside interface.
HTH
Jorge
06-11-2007 09:19 AM
That is interesting. I will look into doing that.