Restricting Access to Internet only

Unanswered Question
Apr 18th, 2006

I have approximately 11 hosts on my network that are only required to have Internet access and nothing else. I was wondering what the simplest solution would be to implement. I have a WAN with 2600 series routers. Internet traffic goes through a PIX 515UR connected to a Cisco 3640. Is it best to implement on the local router or the Internet router?

Richard Burts Wed, 04/19/2006 - 13:31

Gene


If I understand your post correctly, you have some devices that you want to have Internet access but not access to local resources. If this is a correct understanding, then I think the optimum solution is to create an access list on the interface on which they connect which will deny packets with their source address and local destination addresses, and will permit their source address to access remote/Internet destinations.


If you put the filter further away, then there is opportunity for their packets to be routed to local destinations before they get to where the filter is implemented.


HTH


Rick

Fernando_Meza Wed, 04/19/2006 - 20:38

I suggest controlling the access at the PIX inside interface to centralise control. On your PIX add the commands below.


nat (inside) 1 access-list Internet-Access
global (outside) 1 interface
access-list Internet-Access permit tcp x.x.x.x 255.255.255.0 any eq 80


This will allow outgoing Internet access for your local users and will stop everything else.


Note: If you have an access list applied to the inside interface, then make sure you allow outgoing access to the Internet as well, i.e.


access-list inside-out permit tcp x.x.x.x 255.255.255.0 any eq 80
