01-19-2007 08:39 AM - edited 03-11-2019 02:22 AM
Hi There,
My set up is basically
internet-router-PIX-router-switch
off the switch I have multiple LANS
of which I only want one segment to be able to get out totally unrestricted.
With the basic implied rule I can get out to the internet fine and dandy. But when I try to restrict it to one LAN I lose my ability to surf.
The ACL I am trying to use is:
access-list INSIDE permit ip 10.9.11.0 255.255.255.0 any
access-group INSIDE in interface inside
I would think this would allow the LAN out, but I am no longer able to surf once it's applied. I am new to the PIX, so I am sure it is something simple I am missing.
Thanks
Concrete
01-19-2007 09:21 AM
Hi
Could you clarify? Are you saying that users on the 10.9.11.0/24 network can no longer access the internet, or is it the users on other LANs?
Remember that there is an implicit deny on the end of any access-list so that access-list you have applied will allow 10.9.11.0/24 users unrestricted access out but will deny any other users getting out at all.
HTH
01-19-2007 10:03 AM
Hi sorry
The problem is that when I add the rule above, I lose all access from my 10.9.11.0/24 network. I was expecting to lose access in other subnets, but I don't know why 10.9.3.11 loses it too. From what I understand the rule should allow 10.9.11.0/24 to do what it wants.
Thanks Concrete
01-19-2007 10:54 AM
10.9.3.11 would not be included in 10.9.11.0/24...maybe a typo on your part
01-19-2007 11:22 AM
Yah sorry, it was a typo. Anywho I figured it out, it took a while to clue in that the internal DNS wasn't going to be able to get out with the new rule. So I just had to allow access out for it as well.
Thanks for all your help
Concrete
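The two points made in this thread, the implicit deny at the end of every PIX access-list and the internal DNS server needing its own permit entry, can be checked with a small first-match ACL evaluator. The script below is an added example written for this page, not configuration or code from the thread or from Cisco. It parses access-list lines in the PIX netmask syntax used above and evaluates constructed sample flows against the original ACL and a corrected one. The DNS server address 10.9.3.5 is an assumed placeholder (the thread never gives it), and the destination addresses come from documentation ranges.

```python
"""First-match ACL evaluation with an implicit deny, modelled on the Cisco PIX."""
import ipaddress
from dataclasses import dataclass

# Well-known port names accepted in the "eq" clause of the constructed ACLs.
PORT_NAMES = {"domain": 53, "www": 80}


@dataclass
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def _take_addr(tokens):
    """Pop one PIX-style address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # PIX takes a real netmask here, not an IOS wildcard mask
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)


def parse_acl(config_text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines, keeping order."""
    rules = []
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = int(PORT_NAMES.get(rest[1], rest[1]))
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, flow):
    """Return (action, rule_number) for the first matching entry.

    rule_number is None when no entry matches and the implicit deny fires.
    """
    for number, (action, proto, src, dst, port) in enumerate(rules, start=1):
        if proto != "ip" and proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.src) not in src:
            continue
        if ipaddress.ip_address(flow.dst) not in dst:
            continue
        if port is not None and port != flow.dport:
            continue
        return action, number
    return "deny", None


# The ACL from the thread: only the 10.9.11.0/24 LAN is permitted out.
ORIGINAL_ACL = parse_acl("""
access-list INSIDE permit ip 10.9.11.0 255.255.255.0 any
""")

# Same ACL plus entries for the internal DNS server so it can recurse to the
# internet. 10.9.3.5 is an assumed placeholder; the thread never gives the address.
FIXED_ACL = parse_acl("""
access-list INSIDE permit ip 10.9.11.0 255.255.255.0 any
access-list INSIDE permit udp host 10.9.3.5 any eq domain
access-list INSIDE permit tcp host 10.9.3.5 any eq domain
""")

# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
FLOWS = {
    "lan_web": Flow("tcp", "10.9.11.50", "203.0.113.10", 80),        # browsing from the allowed LAN
    "dns_recursion": Flow("udp", "10.9.3.5", "198.51.100.1", 53),   # internal DNS querying upstream
    "other_lan_web": Flow("tcp", "10.9.20.7", "203.0.113.10", 80),  # another LAN, meant to stay blocked
}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for name, flow in FLOWS.items():
            action, rule = evaluate(acl, flow)
            via = f"rule {rule}" if rule else "implicit deny"
            print(f"{label:8} {name:14} -> {action} ({via})")
```

Running it shows why browsing from 10.9.11.0/24 stopped working in the thread: the LAN's own traffic is permitted by rule 1, but the DNS server's recursive queries fall off the end of the list and hit the implicit deny, so name resolution fails. The corrected list permits only UDP and TCP port 53 from that one host rather than opening the DNS server's whole subnet, and the third LAN remains blocked under both versions.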