Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
652
Views
0
Helpful
4
Replies

Restricting LAN Internet Acess

Concrete_
Level 1
Level 1

‎01-19-2007 08:39 AM - edited ‎03-11-2019 02:22 AM

Hi There,

My set up is bassically

internet-router-PIX-router-switch

off the switch I have multiple LANS

of which I only want one segment to be able to get out totaly unrestricted.

With the basic implied rule I can get out to the internet fien and dandy. But when i try to restrict it to one LAN I lose my ability to surf.

The ACL I am trying to use is.

access-list INSIDE permit ip 10.9.11.0 255.255.255.0 any

access-group INSIDE in interface inside

I would think this would allow the LAN out but I am no longer able to surf once it's applied. I am new to the PIX, so i am sure it is something simple I am missing.

Thanks

Concrete

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎01-19-2007 09:21 AM

Hi

Could you clarify. Are you saying that users on the 10.9.11.0/24 network can no longer access the internet or is it the users on other lans.

Remember that there is an implicit deny on the end of any access-list so that access-list you have applied will allow 10.9.11.0/24 users unrestricted access out but will deny any other users getting out at all.

HTH

0 Helpful

Concrete_
Level 1
Level 1
In response to Jon Marshall

‎01-19-2007 10:03 AM

Hi sorry

The problem is that when I add the rule above, I lose all access from my 10.9.11.0/24 network. I was expecting to lose access in other subnets, but I don't know why 10.9.3.11 loses it to. From what I understand the rule should allow 10.9.11.0/24 to do what it wants.

Thanks Concrete

0 Helpful

acomiskey
Level 10
Level 10
In response to Concrete_

‎01-19-2007 10:54 AM

10.9.3.11 would not be included in 10.9.11.0/24...maybe a typo on your part

0 Helpful

Concrete_
Level 1
Level 1
In response to acomiskey

‎01-19-2007 11:22 AM

Yah sorry, it was a typo. Anywho I figured it out, it tooks a while to clue in that the internal DNS wasn't going to be able to get out with the new rule. So I just had to allow access out for it as well.

Thanks for all your help

Concrete

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card