PIX ACL issue - Deny Internal Access to External Network
We are in the process of adding a wireless network to the existing LAN. The requirement is that wireless clients have access to the internet, and occasionally access to the internal webserver. But, at no time should wireless clients be able to access anything on the internal LAN.
So any ACL that blocks out the LAN network would of course block out the gateway, at least that is what has seemed to happen. Here is how the networks are configured:
PIX506 (1) (63.xx.xx.xxx - 192.168.2.1) Primary business LAN
192.168.3.1 is the inside interface to the PIX connected to the wireless network.
I have applied that configuration, except it does not accept subnet 0.0.0.255. If I switch that to 255.255.255.0 the command is entered. At the moment I do have internet access, but I can also access a machine on the internal network: I just go to Explorer and do \\192.168.2.5 and can open that machine's shares.
But now I have the following:
access-list inside_access_in permit ip any host 192.168.2.1
access-list inside_access_in permit ip any host 192.168.2.123
access-list inside_access_in deny ip any 192.168.2.0 255.255.255.0
access-list inside_access_in permit ip any any
At the moment I do not have "nat (inside) 0 access-list inside_access_in" and everything seems to work fine. I can access the internet, access the machine at 192.168.2.123, but cannot see or access any other device on the 2.0/24 network, which is exactly how I want it.
Mind you, I have this set up at the moment at home. Now I just have to switch from DHCP to static on the outside interface and switch from PAT to NAT. I am going to need to be able to access several devices from within the 2.0/24 network to inside the firewall's 3.0/24 network (wireless controller, etc.). I assume then that this should not cause a problem, as the access list was the key to my problems and not anything to do with NAT or PAT, or anything else?
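As an added example (not from the post, and not Cisco code), a small Python model of the PIX's first-match ACL evaluation run over the four inside_access_in lines above, with constructed sample destinations. It shows why the two host permits must precede the /24 deny, and that a share on 192.168.2.5 is refused while the gateway, the webserver and the internet stay reachable. The address 198.51.100.10 is a placeholder for "the internet".

```python
import ipaddress

# The poster's inside_access_in ACL, transcribed as (action, dst, mask) tuples.
# Source is "any" on every line, so only the destination is modelled. PIX/ASA
# access-list lines take a subnet MASK (255.255.255.0); the IOS-style wildcard
# 0.0.0.255 is why the first attempt was rejected.
ACL = [
    ("permit", "192.168.2.1",   "255.255.255.255"),  # gateway of the LAN PIX
    ("permit", "192.168.2.123", "255.255.255.255"),  # internal webserver
    ("deny",   "192.168.2.0",   "255.255.255.0"),    # the rest of the LAN
    ("permit", "any",           None),               # everything else (internet)
]

def dst_matches(dst, network, mask):
    """True when dst falls inside network/mask ('any' matches every address)."""
    if network == "any":
        return True
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return ipaddress.ip_address(dst) in net

def evaluate(acl, dst):
    """First-match evaluation, as the PIX does; implicit deny if no line matches."""
    for action, network, mask in acl:
        if dst_matches(dst, network, mask):
            return action
    return "deny"

# Constructed sample destinations for a wireless client on 192.168.3.0/24.
SAMPLE_DESTINATIONS = {
    "gateway":   "192.168.2.1",
    "webserver": "192.168.2.123",
    "lan_share": "192.168.2.5",
    "internet":  "198.51.100.10",  # placeholder for any outside host
}

def isolation_report(acl=ACL):
    """Map each sample destination to the action the ACL takes on it."""
    return {name: evaluate(acl, ip) for name, ip in SAMPLE_DESTINATIONS.items()}

def misordered(acl=ACL):
    """Same lines with the /24 deny moved first: shows why line order matters."""
    return [acl[2], acl[0], acl[1], acl[3]]

if __name__ == "__main__":
    for name, action in isolation_report().items():
        print(f"{name:10s} -> {action}")
    print("webserver with deny first ->", isolation_report(misordered())["webserver"])
```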