06-02-2003 10:20 AM - edited 03-09-2019 03:30 AM
What is the best way to deny selected inside IP addresses (user PCs) access to the internet router in a PIX 506 ? Thank you
devans
06-02-2003 03:53 PM
Just use an ACL on your inside interface like so (this will stop .100 and .101 hosts from going out):
> access-list outbound deny ip host 192.168.1.100 any
> access-list outbound deny ip host 192.168.1.101 any
> access-list outbound permit ip 192.168.1.0 255.255.255.0 any
> access-group outbound in interface inside
Also, you might want to change the following:
> global (outside) 1 205.238.220.19-205.238.220.22
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
to:
> global (outside) 1 205.238.220.19-205.238.220.21
> global (outside) 1 205.238.220.22
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
because what you have will only allow 4 sessions outbound, which one user may use up going to one web page. The second version will PAT all other connections using the .22 address, which will give you an additional 65,000 or so connections outbound.
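As an added illustration (not part of the original thread or any Cisco code), the following Python model shows how the four-line ACL above is evaluated: top down, first match wins, and anything that matches no line falls to the implicit deny at the end. The host and network addresses are the ones from the answer; the destination 198.51.100.10 is a constructed external address, and 10.0.0.2 is taken from the pdm location line in the posted config to show what happens to a source outside 192.168.1.0/24 once the ACL is applied to the inside interface. The parser handles only the syntax used in the thread (host, network/mask, any).

```python
"""Constructed first-match model of the inside-interface ACL from the
accepted answer. Illustration only, not PIX code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network      # 'any' is represented as 0.0.0.0/0


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts dotted-decimal masks such as 192.168.1.0/255.255.255.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME {permit|deny} ip SRC DST' (the subset used here)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    action = tokens[2]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {rest}")
    return Ace(action, src, dst)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching line). Like the PIX, the first
    matching entry wins and an unmatched packet hits the implicit deny,
    reported here as index None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        if s in ace.src and d in ace.dst:
            return ace.action, i
    return "deny", None


# The ACL exactly as given in the accepted answer.
ACL = [parse_ace(l) for l in [
    "access-list outbound deny ip host 192.168.1.100 any",
    "access-list outbound deny ip host 192.168.1.101 any",
    "access-list outbound permit ip 192.168.1.0 255.255.255.0 any",
]]

# Same three lines with the permit placed first: the denies are never reached.
MISORDERED = [ACL[2], ACL[0], ACL[1]]

EXTERNAL = "198.51.100.10"          # constructed internet destination

if __name__ == "__main__":
    for src in ("192.168.1.100", "192.168.1.101", "192.168.1.50", "10.0.0.2"):
        print(f"{src:15} -> {evaluate(ACL, src, EXTERNAL)}")
    print("misordered .100 ->", evaluate(MISORDERED, "192.168.1.100", EXTERNAL))
```

Two things the model makes visible: the order of the deny lines relative to the permit is what makes them effective, and applying any ACL inbound on the inside interface replaces the default "higher to lower security is allowed" behaviour, so a source that is not in 192.168.1.0/24 is blocked by the implicit deny unless it gets its own permit line.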
06-02-2003 10:54 AM
Hi Douglas -
You can use ACLs on the inside interface of your PIX, but can you post your config (making sure that you hide all real IPs / passwords etc)? I need to know which version IOS you have running on the PIX as well.
Thanks -
06-02-2003 12:31 PM
Here's my config, feel free to comment if you see any other issues, thanks for your help.
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
hostname XXXXXXXXX
domain-name XXXXXXXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 205.238.220.17 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 192.168.1.201 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 205.238.220.19-205.238.220.22
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 205.238.220.18 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.2 255.255.255.255 inside
http 192.168.1.201 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXX
: end
06-02-2003 11:43 PM
Hi Douglas -
Post from Glenn, should sort out your problem -
Good Luck -
06-03-2003 09:17 AM
Thanks for the info. The tip about changing the global config was timely as it cleared up another issue. Thanks again !
06-06-2003 07:07 AM
Just a slight clarification..
"will only allow 4 sessions outbound, which one user may use up going to one web page."
This statement isn't entirely true. When an inside user is assigned an address from the Global pool, they retain control of that address until the xlate times out. So even if they view 100 web pages each with multiple images per page, they will still only use the one IP Address that was initially assigned to them from the pool. If you have more than four unique internal IP Addresses accessing the Internet, then you will definitely need the overflow global PAT statement.
Also, another quick way to deny a user access is by using the "shun" command.
ie: "shun 192.168.1.100" will stop that user from sending data through the PIX. The shun command can work for both inside and outside users. It was introduced as a tool to block attacks, but works just as well blocking internal users.
Cheers,
-Joshua
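To tie the two NAT points in this thread together (the accepted answer's suggestion to split the global pool into three one-to-one addresses plus a PAT address, and Joshua's clarification that a host keeps its pool address until the xlate idles out), here is an added Python model of dynamic NAT/PAT allocation. It is illustration only, not PIX code or Cisco's algorithm: the pool addresses and the 3:00:00 xlate timeout come from the posted config, the five inside hosts 192.168.1.10 to .14 and the starting PAT port 1024 are constructed, and PAT xlates are simplified to one entry per connection that is never reused.

```python
"""Constructed model of PIX dynamic NAT with an optional PAT overflow
address. Illustration only; XLATE_TIMEOUT is 'timeout xlate 3:00:00'
from the posted config, PAT_FIRST_PORT is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

XLATE_TIMEOUT = 3 * 3600        # seconds, from 'timeout xlate 3:00:00'
PAT_FIRST_PORT = 1024           # assumed first port handed out by the PAT model


@dataclass
class Xlate:
    global_ip: str
    port: Optional[int]         # None = one-to-one NAT, set = PAT
    last_used: int


class NatEngine:
    """One 'nat (inside) 1' mapped to a pool of one-to-one addresses
    ('global (outside) 1 A-B') plus an optional single-address PAT
    ('global (outside) 1 C')."""

    def __init__(self, pool: List[str], pat_address: Optional[str] = None):
        self.free = list(pool)                      # unused pool addresses
        self.pat_address = pat_address
        self.nat_xlates: Dict[str, Xlate] = {}      # inside_ip -> xlate (one per host)
        self.pat_xlates: Dict[Tuple[str, int], Xlate] = {}  # (ip, port) -> xlate
        self.next_pat_port = PAT_FIRST_PORT

    def _expire(self, now: int) -> None:
        """An idle xlate times out and its pool address becomes free again."""
        for ip, x in list(self.nat_xlates.items()):
            if now - x.last_used >= XLATE_TIMEOUT:
                del self.nat_xlates[ip]
                self.free.append(x.global_ip)
        for key, x in list(self.pat_xlates.items()):
            if now - x.last_used >= XLATE_TIMEOUT:
                del self.pat_xlates[key]

    def connect(self, inside_ip: str, inside_port: int, now: int) -> Optional[str]:
        """Translate one new outbound connection. Returns 'a.b.c.d' for NAT,
        'a.b.c.d:port' for PAT, or None when no translation is available."""
        self._expire(now)
        x = self.nat_xlates.get(inside_ip)
        if x is not None:                   # host already owns a pool address: reuse it
            x.last_used = now
            return x.global_ip
        if self.free:                       # pool address available: one-to-one NAT
            x = Xlate(self.free.pop(0), None, now)
            self.nat_xlates[inside_ip] = x
            return x.global_ip
        if self.pat_address:                # pool exhausted: overflow to PAT
            x = Xlate(self.pat_address, self.next_pat_port, now)
            self.next_pat_port += 1
            self.pat_xlates[(inside_ip, inside_port)] = x
            return f"{x.global_ip}:{x.port}"
        return None                         # pool exhausted and no PAT: connection fails


POOL_FOUR = ["205.238.220.19", "205.238.220.20", "205.238.220.21", "205.238.220.22"]
POOL_THREE = POOL_FOUR[:3]                  # accepted answer: .19-.21 NAT, .22 PAT
HOSTS = [f"192.168.1.{n}" for n in range(10, 15)]   # five constructed inside hosts


def run_scenario(engine: NatEngine) -> Dict[str, object]:
    """Replay the situation discussed in the thread and collect the results."""
    results: Dict[str, object] = {}
    # Host .10 loads a busy page: 20 connections, but (per Joshua) one pool address.
    addrs = {engine.connect(HOSTS[0], 40000 + i, 0) for i in range(20)}
    results["first_host_addresses"] = sorted(a for a in addrs if a)
    # Four more hosts come online ten minutes apart.
    for n, host in enumerate(HOSTS[1:], start=1):
        results[host] = engine.connect(host, 40000, 600 * n)
    # Three hours after .10 went quiet its xlate expires; .14 tries again.
    results["after_timeout"] = engine.connect(HOSTS[4], 40001, XLATE_TIMEOUT + 10)
    return results


if __name__ == "__main__":
    print("4-address pool, no PAT:", run_scenario(NatEngine(POOL_FOUR)))
    print("3 addresses + PAT .22: ", run_scenario(NatEngine(POOL_THREE, "205.238.220.22")))
```

With the original four-address pool, the fifth host gets no translation at all until one of the first four has been idle for three hours; with the split configuration it is translated through the .22 address with a unique source port, and any host whose one-to-one address later frees up goes back to plain NAT.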
06-06-2003 12:08 PM
Thanks Joshua,
The overflow global PAT statement did in fact solve one of the problems. Is there a benefit to using acl vs the shun command ?
D Evans