Block internet access on PIX

Unanswered Question
Jul 17th, 2009


I have a PIX 506E with 6.3(5) version and I would like to know if I can block internet access to certain users and allow access to some users on the same LAN. I have a SBS server on the LAN.

Thank you

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Kureli Sankar Fri, 07/17/2009 - 10:11

You would have to do it individually for the IP addresses that you want to block port 80 and allow the rest. You can use dhcp mac address reservation so, these denied hosts will always get the same ip address.

access-l inside-acl deny tcp host any eq 80


.--> add all the denies


access-l inside-acl permit tcp any any eq 80

access-g inside-acl in int inside

techtips03 Fri, 07/17/2009 - 13:31

Thanks Sankar. When you say dhcp mac reservation, do you mean assigning IP address to MAC on the dhcp server so they can get the same IPs?

Kureli Sankar Fri, 07/17/2009 - 14:58

Exactly. Yes. Reserving an IP address for a MAC address on the dhcp server so, these computers will consistently get the same IP address.

techtips03 Wed, 07/22/2009 - 09:43

Thank you. What if the users move between 2 different locations which are on VPN? If DHCP server is at both locations I think I can still map their MAC to IPs at both locations. But if the remote location is getting DHCP from the main location on the VPN then this setup will not work right?

techtips03 Thu, 07/30/2009 - 13:51

Small change on the above. If I dont add udp, I saw dns issues.

access-l inside-acl deny tcp host any eq 80

access-l inside-acl permit tcp any any

access-l inside-acl permit udp any any

access-g inside-acl in int inside

One option is running AAA and Cut through proxy. The drawback is that it will ask each user to log in. The Pix cannot tell who the user is from the packets. There is no user information in them. The SBS should be able to function as a Radius server and perform the authentication. I would consider the configuration and intermediate level task.


This Discussion