Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Denying selected inside address to access internet

What is the best way to deny selected inside IP addresses (user PCs) access to the internet router in a PIX 506 ? Thank you

devans

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Denying selected inside address to access internet

Just use an ACL on your inside interface like so (this will stop .100 and .101 hosts from going out):

> access-list outbound deny ip host 192.168.1.100 any

> access-list outbound deny ip host 192.168.1.101 any

> access-list outbound permit ip 192.168.1.0 255.255.255.0 any

> access-group outbound in interface inside

Also, you might want tochange the following:

> global (outside) 1 205.238.220.19-205.238.220.22

> nat (inside) 1 0.0.0.0 0.0.0.0 0 0

to:

> global (outside) 1 205.238.220.19-205.238.220.21

> global (outside) 1 205.238.220.22

> nat (inside) 1 0.0.0.0 0.0.0.0 0 0

cause what you have will only allow 4 sessions outbound, which one user may use up going to one web page. The second version will PAT all other connections using the .22 address, which will give you an additional 65,000 or so connections outbound.

7 REPLIES
Gold

Re: Denying selected inside address to access internet

Hi Douglas -

You can use ACL's on the indside interface of your PIX, But can you post your config (making sure that you hide all real IP's / Passwords etc), need to know which version IOS you have running on the PIX as well.

Thanks -

New Member

Re: Denying selected inside address to access internet

Here's my config, feel free to comment if u see any other issues, thanks for your help.

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXXXXXX encrypted

passwd XXXXXXXXXX encrypted

hostname XXXXXXXXX

domain-name XXXXXXXX

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 205.238.220.17 255.255.255.248

ip address inside 192.168.1.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.2 255.255.255.255 inside

pdm location 192.168.1.201 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 205.238.220.19-205.238.220.22

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 205.238.220.18 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 10.0.0.2 255.255.255.255 inside

http 192.168.1.201 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:XXXXXXXXXXXXXXXXXX

: end

Cisco Employee

Re: Denying selected inside address to access internet

Just use an ACL on your inside interface like so (this will stop .100 and .101 hosts from going out):

> access-list outbound deny ip host 192.168.1.100 any

> access-list outbound deny ip host 192.168.1.101 any

> access-list outbound permit ip 192.168.1.0 255.255.255.0 any

> access-group outbound in interface inside

Also, you might want tochange the following:

> global (outside) 1 205.238.220.19-205.238.220.22

> nat (inside) 1 0.0.0.0 0.0.0.0 0 0

to:

> global (outside) 1 205.238.220.19-205.238.220.21

> global (outside) 1 205.238.220.22

> nat (inside) 1 0.0.0.0 0.0.0.0 0 0

cause what you have will only allow 4 sessions outbound, which one user may use up going to one web page. The second version will PAT all other connections using the .22 address, which will give you an additional 65,000 or so connections outbound.

Gold

Re: Denying selected inside address to access internet

Hi Douglas -

Post from Glenn, should sort out your problem -

Good Luck -

New Member

Re: Denying selected inside address to access internet

Thanks for the info. The tip about changing the global config was timely as it cleared up another issue. Thanks again !

dro
New Member

Re: Denying selected inside address to access internet

Just a slight clarification..

"will only allow 4 sessions outbound, which one user may use up going to one web page."

This statement isn't entirely true. When an inside user is assigned an address from the Global pool, they retain control of that address until the xlate times out. So even if they view 100 web pages each with multiple images per page, they will still only use the one IP Address that was initially assigned to them from the pool. If you have more than four unique internal IP Addresses accessing the Internet, then you will definately need the overflow global PAT statement.

Also, another quick way to deny a user access is by using the "shun" command.

ie: "shun 192.168.1.100" will stop that user from sending data through the PIX. The shun command can work for both inside and outside users. It was introduced as a tool to block attacks, but works just as well blocking internal users.

Cheers,

-Joshua

New Member

Re: Denying selected inside address to access internet

Thanks Joshua,

The overflow global PAT statement did in fact solve one of the problems. Is there a benefit to using acl vs the shun command ?

D Evans

107
Views
0
Helpful
7
Replies
CreatePlease to create content