New Member

Deny Access to the Internet

I am very new to Cisco firewalls (got kinda thrown into it) and I had a request come down the pipe to deny access to the internet for a single internal IP address. My firewall is a PIX 515e. I'm guessing it has to do with the access-list but I don't know if I need to create a group and add that one IP to it or really, even how to go about it. Any help would be appreciated.

Hall of Fame Super Silver

Re: Deny Access to the Internet

Andrew

Yes, if you want to deny access for a particular host then you need an access list. If there is an existing access list used for the inside interface, you would add another entry to the list which would deny access for that specific host. If there is not an access list used for the inside interface, then you would need to create an access list. The first statement in the access list would deny the specific host to 0.0.0.0 and the second statement in the access list would be permit any any. You would then use the access-group statement to assign the access list to the inside interface.

HTH

Rick

New Member

Re: Deny Access to the Internet

There are access lists set up (included partial config). All access lists are shown in the config with the important stuff omitted. The situation is basically:

Said employee has lost all internet/e-mail privileges for now. I disabled their access to the e-mail so that it comes directly to me now for monitoring purposes. As far as internet access goes, I disabled it locally. I knew there should be a nice simple way to disable it through the firewall without having to go to the other end of the office building. Being new to the whole CLI with Cisco routers, I'm still learning the language.

I understand what you said and it sounds simple enough. What I'm not sure about is how to actually create the list if necessary. Judging by the partial config that I've included it looks to me like I'll need to create a new one.

This is not an urgent matter at this point but I'm guessing something like this could very likely come up again. Please let me know if you need the entire terminal config.

Hall of Fame Super Silver

Re: Deny Access to the Internet

Andrew

From what you have posted it is difficult to find how the various access lists are applied (how they are being used). But it does seem that you will need another access list. What you want might look something like this:

access-list inside_access_out deny ip host <host-ip-address> any
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside

HTH

Rick
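As an added worked example (not from this thread), the same deny written with a network object-group, so that the next host can be blocked by adding one line instead of re-ordering the ACL, followed by the command used to confirm the entry is actually matching. The address 192.168.1.50, the group name NO_INTERNET, and the assumption that this PIX runs a 6.2-or-later image (object-group support) are mine.

```cisco
! Assumed: PIX 6.2+ image (object-group support). 192.168.1.50 is a constructed sample address.
! One group holds every host that has lost Internet access; add a network-object line per host.
object-group network NO_INTERNET
  network-object host 192.168.1.50

! The PIX evaluates an ACL top-down and stops at the first match, so the deny must
! come before the permit any any; a deny added after it is never reached.
! Caveat: "deny ip ... any" blocks this host from every network behind the PIX, not
! only the Internet. If it must still reach a DMZ (mail server, intranet), put a
! permit for that destination above this line.
access-list inside_access_out deny ip object-group NO_INTERNET any
access-list inside_access_out permit ip any any

! Apply the list to traffic arriving on the inside interface from the LAN.
access-group inside_access_out in interface inside

! Existing translations are not re-checked against the changed list; clear them
! so connections the host already has open are dropped as well.
clear xlate

! Verify: hitcnt on the deny entry should climb when the host tries to get out.
show access-list inside_access_out
```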

New Member

Re: Deny Access to the Internet

Thank you very much indeed. That is exactly what I needed. Implemented, tested and verified.

Hall of Fame Super Silver

Re: Deny Access to the Internet

Andrew

I am glad that my suggestion was what you needed. Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can know that they will read a response that resolved the issue.

I encourage you to continue your participation in the forum.

HTH

Rick
