New Member

Block Internal IP address from all outside access

Hi all I am new to the PIX.

How can I block an Internal IP Address from ALL outside access?

And then enable access again, if it is needed?

Thanks,

1 ACCEPTED SOLUTION

Green

Re: Block Internal IP address from all outside access

"Thanks that worked, how can I delete/rename the access list I just recreated?"

no access-list inside deny ip host 192.168.1.10 any

no access-list inside permit ip any any

access-list <new-acl-name> deny ip host 192.168.1.10 any

access-list <new-acl-name> permit ip any any

access-group <new-acl-name> in interface inside

One comment on the other recommendation: this would work as long as the client required NAT/PAT to get outside. He would still be allowed across VPN tunnels, for example. Also, technically it is not denying him from going outside either; it is just not allowing the destination to route back to him.

6 REPLIES
Green

Re: Block Internal IP address from all outside access

Are you asking to prevent internal from going outside or outside user accessing internal ip?

It sounds like you want to block an IP from going out, since traffic from outside to inside would be denied by default. So, if this is the case, you can add an inside ACL to the PIX...

access-list inside deny ip host 192.168.1.10 any

access-list inside permit ip any any

access-group inside in interface inside

192.168.1.10 = the IP you are trying to block

inside = the name of the inside interface

To allow access again, just do...

no access-group inside in interface inside
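As an added example that is not from any poster in this thread, the same control written out as a complete sequence: build the list, bind it, verify it, lift the block for the one host without unbinding the whole list, re-impose it in the correct order, and finally remove it. The host 192.168.1.10 and the interface name inside are taken from the thread; the ACL name block-hosts and the PIX 6.x command syntax are assumptions.

```cisco
! Added example, not from the thread. Assumes PIX 6.x syntax, an inside
! interface named "inside", and an ACL name "block-hosts" chosen here.
! Host to block (from the thread): 192.168.1.10

! 1. Build the list: the specific deny first, then the catch-all permit.
!    The PIX evaluates entries top-down and stops at the first match, and a
!    bound ACL ends with an implicit deny, so "permit ip any any" is required
!    for every other inside host to keep working.
access-list block-hosts deny ip host 192.168.1.10 any
access-list block-hosts permit ip any any

! 2. Bind it to traffic entering the PIX on the inside interface.
!    Only one ACL can be bound per interface and direction; binding a new
!    list replaces the previous binding.
access-group block-hosts in interface inside

! 3. Verify: the hit count on the deny entry rises as the host tries to get out.
show access-list block-hosts

! 4. Lift the block for this host only. The list stays bound, so any other
!    entries keep applying (unlike "no access-group", which unbinds everything).
no access-list block-hosts deny ip host 192.168.1.10 any

! 5. Re-impose it later. A new entry is appended to the end of the list, where
!    it would sit after "permit ip any any" and never match, so remove the
!    permit and re-add both entries in order (releases that support the
!    "line" keyword can insert at a position instead).
no access-list block-hosts permit ip any any
access-list block-hosts deny ip host 192.168.1.10 any
access-list block-hosts permit ip any any

! 6. Discard the list entirely: unbind it, then remove its entries.
no access-group block-hosts in interface inside
no access-list block-hosts deny ip host 192.168.1.10 any
no access-list block-hosts permit ip any any
```

Step 4 is the part worth noting for day-to-day use: removing just the deny entry re-enables the host while leaving the list bound, so the catch-all permit (and any other rules added later) stay in effect, and the show access-list counters give an immediate check that the deny is actually matching.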

New Member

Re: Block Internal IP address from all outside access

Thanks that worked, how can I delete/rename the access list I just recreated?

New Member

Re: Block Internal IP address from all outside access

Thank you for pointing that out.

Thanks for showing me how to delete and rename, that makes sense.

Re: Block Internal IP address from all outside access

Hi, if you have a global NAT pool for internet or outbound connections, you could add the PC host on the inside interface of the PIX; for the outside interface, don't give the PC a global dynamic pool. This way it will not be translated when going outside.

For example, we'll use 192.168.14.44 as the PC host.

Give the PC static NAT for all the interfaces:

name 192.168.14.44 test-pc

pdm location 192.168.14.44 255.255.255.255 inside

nat (inside) 0 192.168.14.44 255.255.255.255 0 0

static (inside,outside) 192.168.14.44 192.168.14.44 netmask 255.255.255.255 0 0

or

name 192.168.14.44 test

pdm location 192.168.14.44 255.255.255.255 inside

nat (inside) 0 192.168.14.44 255.255.255.255 0 0

To enable access again, add the PC to the global NAT pool for outside, usually your public IP pool range or the PAT address for the outside interface.

HTH

Jorge

New Member

Re: Block Internal IP address from all outside access

That is interesting. I will look into doing that.
