Denying Internet access with PIX 500 series

I need to deny all Internet access to certain hosts at various locations. We are using PIX 501 and 506 firewalls to create a full VPN mesh between offices. How do I configure access-lists to deny Internet access to only a select number of hosts?

Accepted Solution

Re: Denying Internet access with PIX 500 series

Configure an access-list on the inside interface. Start by denying the host that you want to block; after that, add the hosts and protocols that should be able to connect to the Internet.

example:

access-list Internet deny ip host 192.168.1.10 any
access-list Internet deny tcp host 192.168.1.10 any eq 80
access-list Internet permit ip host 192.168.1.20 any
...

Give me a more detailed example!!

You could also work with object groups to be more specific and group multiple UDP or TCP ports together.

example:

object-group service Web tcp
port-object eq 80
port-object eq 443
port-object eq 21
access-list internet permit tcp host 10.2.1.10 any object-group Web
access-list internet deny tcp 10.2.1.0 255.255.255.0 any object-group Web
access-list internet permit ip any any
access-group internet in interface inside

sincerely

Patrick
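
Added example, not part of Patrick's answer or of any Cisco code: a small Python first-match evaluator that replays the second access-list from the answer against constructed packets. PIX access-lists are checked top to bottom with the first match deciding, and a packet no entry matches hits the implicit deny at the end, so the host exception must precede the subnet deny and a trailing permit is needed for non-web traffic. The names Ace, WEB_PORTS, DENY_FIRST, PERMIT_FIRST and evaluate are this example's own.

```python
# Added example (not from the thread): first-match evaluation of the
# PIX access-list entries in the accepted answer. It shows why entry
# order matters and why a trailing "permit ip any any" is required
# (a PIX drops any packet that no entry of an applied ACL matches).
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Port list of "object-group service Web tcp" from the answer
WEB_PORTS = frozenset({80, 443, 21})

@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches any protocol
    src: ipaddress.IPv4Network         # "host a.b.c.d" is a /32
    dports: Optional[FrozenSet[int]]   # None = any destination port

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)

# Subnet deny listed before the host exception (constructed ordering)
DENY_FIRST = [
    Ace("deny", "tcp", net("10.2.1.0/24"), WEB_PORTS),
    Ace("permit", "tcp", net("10.2.1.10/32"), WEB_PORTS),
    Ace("permit", "ip", net("0.0.0.0/0"), None),
]
# Host exception placed before the subnet deny
PERMIT_FIRST = [DENY_FIRST[1], DENY_FIRST[0], DENY_FIRST[2]]

def evaluate(acl, src: str, proto: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching entry, or ("deny", None)
    for the implicit deny at the end of every PIX access-list."""
    addr = ipaddress.ip_address(src)
    for i, ace in enumerate(acl):
        if addr not in ace.src:
            continue
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dports is not None and dport not in ace.dports:
            continue
        return ace.action, i
    return "deny", None

if __name__ == "__main__":
    for name, acl in (("deny-first", DENY_FIRST), ("permit-first", PERMIT_FIRST)):
        print(name, "10.2.1.10 -> tcp/443:", evaluate(acl, "10.2.1.10", "tcp", 443))
        print(name, "10.2.1.50 -> tcp/80:", evaluate(acl, "10.2.1.50", "tcp", 80))
    # Without the final permit, DNS from the subnet hits the implicit deny
    print("no trailing permit, udp/53:", evaluate(DENY_FIRST[:2], "10.2.1.50", "udp", 53))
```

With the deny listed first, 10.2.1.10 is blocked at entry 0 and its permit is never reached; swapping the two entries restores the exception while the rest of the subnet still loses web access.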

2 REPLIES

Re: Denying Internet access with PIX 500 series

I knew basic access-list configs on a Cisco router, but I was unsure how to apply them to a PIX. The deny/permit port 80 will do for now, but I can use the object-group config in the future.

Thank you for the help.
