10-24-2007 09:57 AM - edited 03-11-2019 04:30 AM
I posted this on the 501 help but I am now 15 posts in and still no help so I am re-posting.
I have several devices that I am using from my PIX. However, I can't seem to prevent HTTP access to a specific public IP address. This is what I have.
name P.P.P.P Outside ** Public IP Address
object-group network Tac
network-object host X.X.X.X
network-object host X.X.X.X
network-object host X.X.X.X
access-list outside_in permit tcp object-group Tac host Outside eq www
access-list outside_in permit tcp object-group Tac host Outside eq https
access-list outside_in permit tcp object-group Tac host Outside eq telnet
access-list outside_in permit tcp object-group Tac host Outside eq ssh
static (inside,outside) Outside Inside netmask 255.255.255.255 0 0
** I do not want HTTP Access to this Public Device.
Thanks
Gabrielle
10-24-2007 10:00 AM
So what you are saying is you can access P.P.P.P/http from ip addresses other than those defined in object-group Tac?
Also, how are you testing this? Are you coming from outside the pix or from the inside?
10-24-2007 12:03 PM
From the outside of the pix.
10-26-2007 02:17 AM
I assume the access-list outside_in is applied on the outside interface in the inward direction. And you have a server which is reachable from the internet on port 80.
If you do not want to permit port 80 access apart from Tac, add a deny entry towards this public IP from any source.
access-list outside_in extended deny tcp any host Outside eq 80
Hope this helps.
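The following is an added example, not code from any poster in this thread. It models the outside_in list as an ordered, first-match ACL with an implicit deny at the end, using the entries quoted above, and reports which line decides a given connection. All IP addresses are constructed placeholders standing in for P.P.P.P and the X.X.X.X hosts, and the parser handles only the entry shapes shown in the thread.

```python
# Added illustration: first-match evaluation of the thread's outside_in ACL.
# All IP addresses are constructed placeholders (documentation ranges).
NAMES = {"Outside": "203.0.113.5"}  # stands in for P.P.P.P
GROUPS = {"Tac": {"198.51.100.10", "198.51.100.11", "198.51.100.12"}}  # X.X.X.X
PORTS = {"www": 80, "https": 443, "telnet": 23, "ssh": 22}

ACL = """\
access-list outside_in permit tcp object-group Tac host Outside eq www
access-list outside_in permit tcp object-group Tac host Outside eq https
access-list outside_in permit tcp object-group Tac host Outside eq telnet
access-list outside_in permit tcp object-group Tac host Outside eq ssh
access-list outside_in extended deny tcp any host Outside eq 80
"""

def parse(line):
    """Parse one entry of the shapes used in the thread into a rule dict."""
    tok = [t for t in line.split()[2:] if t != "extended"]
    action, proto, rest = tok[0], tok[1], tok[2:]
    if rest[0] == "any":
        src, rest = None, rest[1:]  # None matches any source address
    elif rest[0] == "object-group":
        src, rest = GROUPS[rest[1]], rest[2:]
    else:
        raise ValueError("unsupported source: " + line)
    if len(rest) != 4 or rest[0] != "host" or rest[2] != "eq":
        raise ValueError("unsupported destination: " + line)
    dst = NAMES.get(rest[1], rest[1])
    port = PORTS[rest[3]] if rest[3] in PORTS else int(rest[3])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(rules, src, dst, port, proto="tcp"):
    """Return (action, 1-based matching line); line 0 is the implicit deny."""
    for n, r in enumerate(rules, 1):
        if (r["proto"] == proto and (r["src"] is None or src in r["src"])
                and r["dst"] == dst and r["port"] == port):
            return r["action"], n
    return "deny", 0

RULES = [parse(line) for line in ACL.splitlines()]

if __name__ == "__main__":
    target = NAMES["Outside"]
    samples = [("198.51.100.10", 80), ("192.0.2.77", 80), ("192.0.2.77", 22)]
    for src, port in samples:
        print(src, port, evaluate(RULES, src, target, port))
    # Same entries with the deny moved to the top: Tac loses port 80 as well.
    print("deny first:", evaluate(RULES[-1:] + RULES[:4], "198.51.100.10", target, 80))
```

Because the first matching entry decides the outcome, the deny entry has to sit below the Tac permits to leave their port 80 access intact.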