Denying Internet access with PIX 500 series

pbecker
Level 1

I need to deny all Internet access to certain hosts at various locations. We are using PIX 501 and 506 firewalls to create a full VPN mesh between offices. How do I configure access-lists to deny Internet access to only a select number of hosts?

Accepted Solution

Patrick Iseli
Level 7

Configure an access-list on the inside interface. Start by denying the host that you want to block; after that, add the hosts and protocols that should be able to connect to the Internet.

example:

! the first entry already blocks all IP traffic from .10; the second shows a port-only deny
access-list Internet deny ip host 192.168.1.10 any
access-list Internet deny tcp host 192.168.1.10 any eq 80
access-list Internet permit ip host 192.168.1.20 any
...
! the list does nothing until it is applied to the interface
access-group Internet in interface inside

Give me a more detailed example!!

You could also work with object groups to be more specific and group multiple UDP or TCP ports together.

example:

object-group service Web tcp
 port-object eq 80
 port-object eq 443
 port-object eq 21
! first match wins, so the permit for the single host must come before the subnet deny
access-list internet permit tcp host 10.2.1.10 any object-group Web
access-list internet deny tcp 10.2.1.0 255.255.255.0 any object-group Web
access-list internet permit ip any any
access-group internet in interface inside

sincerely

Patrick

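A small first-match evaluator for the access-list syntax used in the accepted answer, added here as an example and not part of Patrick's post. It parses the object-group and access-list lines (a constructed config mirroring his second example, with the host permit placed before the subnet deny) and shows how entry order decides whether the host 10.2.1.10 gets out; the parse/evaluate functions and the destination address 203.0.113.5 used in the checks are assumptions of this example.

```python
import ipaddress
# Constructed config (added example, not the poster's text); host permit precedes subnet deny.
CONFIG = """\
object-group service Web tcp
 port-object eq 80
 port-object eq 443
 port-object eq 21
access-list internet permit tcp host 10.2.1.10 any object-group Web
access-list internet deny tcp 10.2.1.0 255.255.255.0 any object-group Web
access-list internet permit ip any any
"""

def parse(text):
    """Return (object_groups, rules) from object-group service and access-list lines."""
    groups, rules, current = {}, [], None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[:2] == ["object-group", "service"]:
            current = groups.setdefault(t[2], set())
        elif t[0] == "port-object":
            current.add(int(t[2]))
        elif t[0] == "access-list":
            rules.append(_parse_ace(t[1], t[2:], groups))
    return groups, rules

def _parse_ace(name, t, groups):
    # t is: ACTION PROTO SRC [eq N | object-group G] DST [eq N | object-group G]
    action, proto, t = t[0], t[1], t[2:]
    ends = []
    for _ in range(2):                       # source, then destination
        if t[0] == "any":
            net, t = ipaddress.ip_network("0.0.0.0/0"), t[1:]
        elif t[0] == "host":
            net, t = ipaddress.ip_network(t[1] + "/32"), t[2:]
        else:                                # "A.B.C.D MASK" form
            net, t = ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]
        ports = None                         # None means any port
        if t[:1] == ["eq"]:
            ports, t = {int(t[1])}, t[2:]
        elif t[:1] == ["object-group"]:
            ports, t = set(groups[t[1]]), t[2:]
        ends.append((net, ports))
    return (name, action, proto, ends[0], ends[1])

def evaluate(rules, proto, src, dst, dport):
    """First match wins; PIX ends every list with an implicit deny. Source ports are ignored."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (_, action, p, (snet, _), (dnet, dports)) in enumerate(rules):
        if p in (proto, "ip") and src in snet and dst in dnet and (dports is None or dport in dports):
            return action, i
    return "deny", None
```

Swapping the first two entries reproduces the shadowing problem: the subnet deny then matches 10.2.1.10 before its own permit is ever reached.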

2 Replies

I knew basic access-list configs on a Cisco router, but I was unsure how to apply them to a PIX. The deny/permit port 80 will do for now, but I can use the object-group config in the future.

Thank you for the help.
