Deny Access to the Internet

andy
Level 1

I am very new to Cisco firewalls (got kinda thrown into it) and I had a request come down the pipe to deny access to the internet for a single internal IP address. My firewall is a PIX 515e. I'm guessing it has to do with the access-list but I don't know if I need to create a group and add that one IP to it or really, even how to go about it. Any help would be appreciated.


5 Replies

Richard Burts
Hall of Fame

Andrew

Yes, if you want to deny access for a particular host then you need an access list. If there is an existing access list used for the inside interface you would add another entry to the list which would deny access for that specific host. If there is not an access list used for the inside interface then you would need to create an access list. The first statement in the access list would deny the specific host to 0.0.0.0 and the second statement in the access list would be permit any any. You would then use the access-group statement to assign the access list to the inside interface.

HTH

Rick


There are access lists set up (included partial config). All access lists are shown in the config with the important stuff omitted. The situation is basically:

Said employee has lost all internet/e-mail privileges for now. I disabled their access to the e-mail so that it comes directly to me now for monitoring purposes. As far as internet access goes, I disabled it locally. I knew there should be a nice simple way to disable it through the firewall without having to go to the other end of the office building. Being new to the whole CLI with Cisco routers, I'm still learning the language.

I understand what you said and it sounds simple enough. What I'm not sure about is how to actually create the list if necessary. Judging by the partial config that I've included it looks to me like I'll need to create a new one.

This is not an urgent matter at this point but I'm guessing something like this could very likely come up again. Please let me know if you need the entire terminal config.

Andrew

From what you have posted it is difficult to find how the various access lists are applied (how they are being used). But it does seem that you will need another access list. What you want might look something like this:

access-list inside_access_out deny ip host
any
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside

HTH

Rick

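The point Rick makes twice above (deny the one host first, then permit any any, then bind the list with access-group) depends on how the PIX evaluates an access list: top to bottom, first match wins, and anything that reaches the end of the list is dropped by the implicit deny. The script below is an added example written for this thread, not code from the post or from Cisco; it parses access-list lines of the form used in the replies and simulates that first-match evaluation. The host address 192.0.2.10 and the destination addresses are constructed sample values standing in for the address that was omitted from the post.

```python
"""Simulate first-match evaluation of a PIX-style extended access list.

Added example for this thread, not from the forum post or from Cisco.
The addresses below (192.0.2.10, 198.51.100.5, 10.1.1.0/24) are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" in the post; any keyword is accepted
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)            # PIX ACLs take a subnet mask, not an IOS wildcard
    return ipaddress.ip_network(f"{word}/{mask}", strict=False)


def parse_acl(config_lines):
    """Return {acl_name: [Entry, ...]} in configuration order (order matters)."""
    acls = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        acls.setdefault(name, []).append(Entry(action, proto, src, dst))
    return acls


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins. Returns (action, index); index is None
    when nothing matched, i.e. the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, e in enumerate(entries):
        if s in e.src and d in e.dst:
            return e.action, idx
    return "deny", None


# The list as suggested in the thread, with a constructed host address.
CORRECT_ORDER = parse_acl([
    "access-list inside_access_out deny ip host 192.0.2.10 any",
    "access-list inside_access_out permit ip any any",
])["inside_access_out"]

# Same two lines reversed: the deny can never match because the permit
# any any line above it already matched every packet.
WRONG_ORDER = parse_acl([
    "access-list inside_access_out permit ip any any",
    "access-list inside_access_out deny ip host 192.0.2.10 any",
])["inside_access_out"]

# A list with only a deny entry: every other host hits the implicit deny,
# which is why Rick's second line (permit ip any any) is required.
DENY_ONLY = parse_acl([
    "access-list inside_access_out deny ip host 192.0.2.10 any",
])["inside_access_out"]


def check_blocked_host(entries):
    return evaluate(entries, "192.0.2.10", "198.51.100.5")


def check_other_host(entries):
    return evaluate(entries, "192.0.2.20", "198.51.100.5")


if __name__ == "__main__":
    for label, acl in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER),
                       ("deny-only", DENY_ONLY)):
        print(label, check_blocked_host(acl), check_other_host(acl))
```

Two things the simulation makes visible that the commands alone do not. First, once an access-group is bound to the inside interface, the implicit deny applies to every inside host, so omitting the permit ip any any line would cut off the whole office, not just the one employee. Second, the deny matches "ip ... any", so it also stops that host reaching any other interface on the PIX (a DMZ, for example), not only the outside; narrow the destination if that is not intended.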

Thank you very much indeed. That is exactly what I needed. Implemented, tested and verified.

Andrew

I am glad that my suggestion was what you needed. Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can know that they will read a response that resolved the issue.

I encourage you to continue your participation in the forum.

HTH

Rick
