Block Internal IP address from all outside access

cadstillo
Level 1

Hi all I am new to the PIX.

How can I block an Internal IP Address from ALL outside access?

And then enable access again, if it is needed?

Thanks,

Accepted Solution

"Thanks that worked, how can I delete/rename the access list I just recreated?"

no access-list inside deny ip host 192.168.1.10 any
no access-list inside permit ip any any
access-list <new-acl-name> deny ip host 192.168.1.10 any
access-list <new-acl-name> permit ip any any
access-group <new-acl-name> in interface inside

One comment on the other recommendation: this would work as long as the client required NAT/PAT to get outside. He would still be allowed across VPN tunnels, for example. Also, technically it is not denying him from going outside either; it is just not allowing the destination to route back to him.

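As an added illustration (not part of this thread or of the PIX itself), the following Python models the first-match, implicit-deny behaviour of the inside access-list above: the host is denied only because the deny entry comes before permit any any, and removing the access-group (modelled as no ACL bound) lets it out again. The outside address 203.0.113.5 is a constructed sample value.

```python
import ipaddress

# Constructed sample: the two ACEs from the reply above, in the order given.
INSIDE_ACL = [
    "access-list inside deny ip host 192.168.1.10 any",
    "access-list inside permit ip any any",
]

def _addr(tok):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST' into a dict."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not a PIX access-list entry: {line!r}")
    name, action, proto = tok[1], tok[2], tok[3]
    src, rest = _addr(tok[4:])
    dst, _ = _addr(rest)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}

def evaluate(acl_lines, src_ip, dst_ip, proto="ip"):
    """First matching entry decides; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"]
    return "deny"  # implicit deny at the end of every PIX access-list

def outbound_decision(applied_acl, src_ip, dst_ip):
    """No access-group bound on inside: inside-to-outside is permitted by default,
    which is what 'no access-group' in the reply relies on; otherwise evaluate the ACL."""
    if applied_acl is None:
        return "permit"
    return evaluate(applied_acl, src_ip, dst_ip)

if __name__ == "__main__":
    out = "203.0.113.5"  # constructed outside address (TEST-NET-3)
    print(outbound_decision(INSIDE_ACL, "192.168.1.10", out))  # deny
    print(outbound_decision(INSIDE_ACL, "192.168.1.20", out))  # permit
    print(outbound_decision(list(reversed(INSIDE_ACL)), "192.168.1.10", out))  # permit: order matters
    print(outbound_decision(None, "192.168.1.10", out))  # permit
```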

6 Replies

acomiskey
Level 10

Are you asking to prevent an internal host from going outside, or an outside user from accessing an internal IP?

It sounds like you want to block an IP from going out, since traffic from outside to inside would be denied by default. So, if this is the case, you can add an inside ACL to the PIX...

access-list inside deny ip host 192.168.1.10 any
access-list inside permit ip any any
access-group inside in interface inside

192.168.1.10 = IP you are trying to block
inside = name of the inside interface

To allow access again, just do...

no access-group inside in interface inside

Thanks that worked, how can I delete/rename the access list I just recreated?


Thank you for pointing that out.

Thanks for showing me how to delete and rename, that makes sense.

JORGE RODRIGUEZ
Level 10

Hi, if you have a global NAT pool for internet or outbound connections, you could add the PC host on the inside interface of the PIX; for the outside interface, don't give the PC a global dynamic pool. This way it will not translate when going outside.

For example, we'll use 192.168.14.44 as the PC host.

Give the PC static NAT for all the interfaces:

name 192.168.14.44 test-pc
pdm location 192.168.14.44 255.255.255.255 inside
nat (inside) 0 192.168.14.44 255.255.255.255 0 0
static (inside,outside) 192.168.14.44 192.168.14.44 netmask 255.255.255.255 0 0

or

name 192.168.14.44 test
pdm location 192.168.14.44 255.255.255.255 inside
nat (inside) 0 192.168.14.44 255.255.255.255 0 0

To enable access, then add the PC to the global NAT pool for outside, usually your public IP pool range or the PAT address for the outside interface.

HTH

Jorge


That is interesting. I will look into doing that.
