07-17-2009 08:12 AM - edited 03-11-2019 08:56 AM
Hello
I have a PIX 506E with 6.3(5) version and I would like to know if I can block internet access to certain users and allow access to some users on the same LAN. I have a SBS server on the LAN.
Thank you
07-17-2009 08:40 AM
do you have static IP addresses or DHCP on the LAN?
07-17-2009 09:23 AM
07-17-2009 09:38 AM
I have DHCP on the LAN
07-17-2009 10:11 AM
You would have to do it individually for the IP addresses that you want to block port 80 and allow the rest. You can use DHCP MAC address reservation so these denied hosts will always get the same IP address.
access-l inside-acl deny tcp host 10.10.10.1 any eq 80
(repeat the deny line above for every host that should be blocked)
access-l inside-acl permit tcp any any eq 80
access-g inside-acl in int inside
07-17-2009 01:31 PM
Thanks Sankar. When you say dhcp mac reservation, do you mean assigning IP address to MAC on the dhcp server so they can get the same IPs?
07-17-2009 02:58 PM
Exactly. Yes. Reserving an IP address for a MAC address on the DHCP server so these computers will consistently get the same IP address.
07-22-2009 09:43 AM
Thank you. What if the users move between 2 different locations which are on VPN? If DHCP server is at both locations I think I can still map their MAC to IPs at both locations. But if the remote location is getting DHCP from the main location on the VPN then this setup will not work right?
07-22-2009 10:22 AM
If they move with the machines, you have an issue. Then you need to think about proxy cut-through and a RADIUS server to authenticate users.
HTH
07-30-2009 01:51 PM
Small change on the above. If I don't add udp, I saw DNS issues.
access-l inside-acl deny tcp host 10.10.10.1 any eq 80
access-l inside-acl permit tcp any any
access-l inside-acl permit udp any any
access-g inside-acl in int inside
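The reason the first ACL in this thread broke DNS and the revised one does not comes down to PIX ACL evaluation: first matching line wins, and anything that matches no line hits the implicit deny at the end. The following Python model is an added example, not configuration or code from the thread or from Cisco; it parses the two ACLs as posted (the `access-l` abbreviation and the `inside-acl` name are taken from the posts, the packet addresses such as 10.10.10.50, 10.10.10.5 and 203.0.113.10 are constructed sample values) and evaluates a few packets against each so the difference is visible. It also shows a caveat the posts do not mention: the deny line only covers port 80, so the blocked host can still reach HTTPS on 443 under the revised ACL.

```python
# Added example (not from the thread): a small model of PIX 6.3 inbound ACL
# evaluation, used to compare the two ACLs posted above against sample packets.
# Modelled semantics: first matching entry wins; no match means deny (implicit
# deny). Only the subset of ACL syntax used in the thread is parsed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.3 ACLs use normal subnet masks, not IOS wildcard masks
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(lines, name):
    """Collect the entries of ACL `name`, in order; access-group lines are ignored."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] not in ("access-l", "access-list") or t[1] != name:
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny' for one packet, first match wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every PIX ACL


# The two ACLs exactly as posted in the thread (10.10.10.1 is the blocked host).
FIRST_ACL = [
    "access-l inside-acl deny tcp host 10.10.10.1 any eq 80",
    "access-l inside-acl permit tcp any any eq 80",
    "access-g inside-acl in int inside",
]
REVISED_ACL = [
    "access-l inside-acl deny tcp host 10.10.10.1 any eq 80",
    "access-l inside-acl permit tcp any any",
    "access-l inside-acl permit udp any any",
    "access-g inside-acl in int inside",
]

# Constructed sample packets: (protocol, source, destination, destination port).
SAMPLE_PACKETS = {
    "blocked_web":   ("tcp", "10.10.10.1",  "203.0.113.10", 80),
    "other_web":     ("tcp", "10.10.10.50", "203.0.113.10", 80),
    "other_dns":     ("udp", "10.10.10.50", "10.10.10.5",   53),
    "blocked_https": ("tcp", "10.10.10.1",  "203.0.113.10", 443),
}


def check(acl_lines):
    """Evaluate every sample packet against an ACL and return {packet_name: verdict}."""
    entries = parse_acl(acl_lines, "inside-acl")
    return {name: evaluate(entries, *pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("first ACL", FIRST_ACL), ("revised ACL", REVISED_ACL)):
        print(label, check(acl))
```

Under the first ACL the only permit line is `tcp any any eq 80`, so a UDP/53 DNS query from an unblocked host matches nothing and falls to the implicit deny, which is the DNS problem reported in the follow-up post. The revised ACL permits all other TCP and UDP, which restores DNS but also means the blocked host is only denied port 80; if the intent is to block web access, a second deny for port 443 (or a deny for `ip` from that host) is needed.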
07-17-2009 05:53 PM
One option is running AAA and cut-through proxy. The drawback is that it will ask each user to log in. The PIX cannot tell who the user is from the packets; there is no user information in them. The SBS should be able to function as a RADIUS server and perform the authentication. I would consider the configuration an intermediate-level task.