
PIX 525 Block HTTP Access to Certain Subnets

I am having trouble blocking HTTP/HTTPS access to just certain subnets within my network. The following is what I have tried and it doesn't seem to work.

access-list acl_insideint permit tcp object-group Servers object-group WebProtocols any
access-list acl_insideint deny tcp any object-group WebProtocols any
access-list acl_insideint permit ip any any

The Servers group contains the following:

object-group network Servers
description All subnets that contain servers
network-object 172.20.1.0 255.255.255.0
network-object 172.24.0.0 255.255.0.0
network-object 172.22.0.0 255.255.0.0
network-object 172.23.7.0 255.255.255.0
network-object 172.27.1.0 255.255.255.0
network-object 172.26.0.0 255.255.0.0
network-object 172.20.40.0 255.255.255.0

The Web Ports group contains just HTTP and HTTPS.

I put these rules in and then try to browse from 172.20.45.60, and browsing still works...

2 REPLIES

Re: PIX 525 Block HTTP Access to Certain Subnets

The 'WebProtocols' group is your service group? If so, you have specified it in the destination address portion of the ACE instead of the destination services portion. I believe the ACLs should read:

access-list acl_insideint permit tcp object-group Servers any object-group WebProtocols
access-list acl_insideint deny tcp any any object-group WebProtocols

I would also strongly recommend removal/revision of the permit ip any any statement at the bottom of the ACL.

Hope this helps.
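To check the corrected ACL against specific flows before pushing it to the PIX, here is an added Python model of first-match ACL evaluation (not Cisco code and not from either poster). It assumes WebProtocols is a TCP service group holding ports 80 and 443, copies the Servers group from the question, and uses 203.0.113.10 as a constructed destination address.

```python
import ipaddress

# Object-group contents: Servers copied from the question; WebProtocols is an
# assumption (a TCP service group containing HTTP and HTTPS).
NETWORK_GROUPS = {
    "Servers": [ipaddress.ip_network(n) for n in (
        "172.20.1.0/24", "172.24.0.0/16", "172.22.0.0/16", "172.23.7.0/24",
        "172.27.1.0/24", "172.26.0.0/16", "172.20.40.0/24")],
}
SERVICE_GROUPS = {"WebProtocols": {80, 443}}

# acl_insideint as corrected in the reply, one tuple per ACE:
# (action, protocol, source, destination, destination-service group or None)
ACL_INSIDEINT = [
    ("permit", "tcp", "Servers", "any", "WebProtocols"),
    ("deny",   "tcp", "any",     "any", "WebProtocols"),
    ("permit", "ip",  "any",     "any", None),
]

def _addr_matches(spec, addr):
    """'any' or membership in a named network object-group."""
    if spec == "any":
        return True
    return any(addr in net for net in NETWORK_GROUPS[spec])

def _port_matches(spec, port):
    """No service group means any port."""
    return spec is None or port in SERVICE_GROUPS[spec]

def evaluate(acl, proto, src, dst, dst_port):
    """Return 'permit' or 'deny' for one flow, using first-match semantics
    and the implicit deny at the end of every ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, sspec, dspec, pspec in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if (_addr_matches(sspec, src) and _addr_matches(dspec, dst)
                and _port_matches(pspec, dst_port)):
            return action
    return "deny"

if __name__ == "__main__":
    dst = "203.0.113.10"  # constructed external web server
    # Host from the question is not in Servers, so HTTPS is now denied.
    print(evaluate(ACL_INSIDEINT, "tcp", "172.20.45.60", dst, 443))   # deny
    # A host inside 172.20.1.0/24 is in Servers, so HTTP is permitted.
    print(evaluate(ACL_INSIDEINT, "tcp", "172.20.1.5", dst, 80))      # permit
    # Non-web TCP from the same client still passes via "permit ip any any";
    # dropping that ACE (the reply's recommendation) leaves the implicit deny.
    print(evaluate(ACL_INSIDEINT, "tcp", "172.20.45.60", dst, 22))    # permit
    print(evaluate(ACL_INSIDEINT[:2], "tcp", "172.20.45.60", dst, 22))  # deny
```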


Re: PIX 525 Block HTTP Access to Certain Subnets

Thanks for the help!

That did it.
