Denying selected inside address to access internet

DOUGLAS EVANS
Level 1

What is the best way to deny selected inside IP addresses (user PCs) access to the internet router in a PIX 506? Thank you

devans

Accepted Solution

Just use an ACL on your inside interface like so (this will stop .100 and .101 hosts from going out):

> access-list outbound deny ip host 192.168.1.100 any

> access-list outbound deny ip host 192.168.1.101 any

> access-list outbound permit ip 192.168.1.0 255.255.255.0 any

> access-group outbound in interface inside

Also, you might want to change the following:

> global (outside) 1 205.238.220.19-205.238.220.22

> nat (inside) 1 0.0.0.0 0.0.0.0 0 0

to:

> global (outside) 1 205.238.220.19-205.238.220.21

> global (outside) 1 205.238.220.22

> nat (inside) 1 0.0.0.0 0.0.0.0 0 0

because what you have will only allow 4 sessions outbound, which one user may use up going to one web page. The second version will PAT all other connections using the .22 address, which will give you an additional 65,000 or so connections outbound.



jmia
Level 7

Hi Douglas -

You can use ACLs on the inside interface of your PIX, but can you post your config (making sure that you hide all real IPs / passwords etc.)? I need to know which IOS version you have running on the PIX as well.

Thanks -

Here's my config; feel free to comment if you see any other issues. Thanks for your help.

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXXXXXX encrypted

passwd XXXXXXXXXX encrypted

hostname XXXXXXXXX

domain-name XXXXXXXX

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 205.238.220.17 255.255.255.248

ip address inside 192.168.1.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.2 255.255.255.255 inside

pdm location 192.168.1.201 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 205.238.220.19-205.238.220.22

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 205.238.220.18 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 10.0.0.2 255.255.255.255 inside

http 192.168.1.201 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:XXXXXXXXXXXXXXXXXX

: end


Hi Douglas -

Post from Glenn, should sort out your problem -

Good Luck -

Thanks for the info. The tip about changing the global config was timely as it cleared up another issue. Thanks again !

Just a slight clarification..

"will only allow 4 sessions outbound, which one user may use up going to one web page."

This statement isn't entirely true. When an inside user is assigned an address from the Global pool, they retain control of that address until the xlate times out. So even if they view 100 web pages each with multiple images per page, they will still only use the one IP Address that was initially assigned to them from the pool. If you have more than four unique internal IP Addresses accessing the Internet, then you will definitely need the overflow global PAT statement.

Also, another quick way to deny a user access is by using the "shun" command.

i.e. "shun 192.168.1.100" will stop that user from sending data through the PIX. The shun command can work for both inside and outside users. It was introduced as a tool to block attacks, but works just as well blocking internal users.

Cheers,

-Joshua
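To make the three mechanisms in this thread concrete (the first-match outbound ACL on the inside interface, the dynamic NAT pool that holds one xlate per inside host versus the PAT overflow address, and shun), here is a small Python model that replays the scenario. It is an added example, not Cisco code and not something any poster wrote: the function and class names (parse_acl, acl_permits, expand_pool, Translator, forward, demo) are this example's own, the inside hosts 192.168.1.10-15 and the shunned 192.168.1.102 are constructed, and it also checks a source outside 192.168.1.0/24 to show the implicit deny at the end of the ACL, which the thread does not spell out. Xlate timeout is deliberately not modelled.

```python
"""Model of the PIX 6.x pieces discussed in this thread: shun, the outbound
access-list on the inside interface (first match wins, implicit deny), the
'global (outside) 1' NAT pool (one xlate per inside host, held until it times
out) and the single-address PAT overflow. Added example; names are my own."""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# The four lines from the accepted answer, as quoted in the thread.
ACL_LINES = [
    "> access-list outbound deny ip host 192.168.1.100 any",
    "> access-list outbound deny ip host 192.168.1.101 any",
    "> access-list outbound permit ip 192.168.1.0 255.255.255.0 any",
    "> access-group outbound in interface inside",
]

AclEntry = Tuple[str, IPv4Network]   # ("permit"|"deny", source network)

def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list NAME permit|deny ip host A any' and
    'access-list NAME permit|deny ip NET MASK any'; other lines are ignored."""
    entries = []
    for line in lines:
        tok = line.lstrip("> ").split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        if tok[4] == "host":
            src = ip_network(tok[5] + "/32")
        else:
            src = ip_network(tok[4] + "/" + tok[5])   # PIX ACLs use real masks, not wildcards
        entries.append((tok[2], src))
    return entries

def acl_permits(entries: List[AclEntry], src: str) -> bool:
    """First matching entry decides; no match means the implicit deny at the end."""
    a = ip_address(src)
    for action, net in entries:
        if a in net:
            return action == "permit"
    return False

def expand_pool(spec: str) -> List[str]:
    """Expand a 'global' pool 'A-B' (inclusive) or a single address 'A' to a list."""
    if "-" not in spec:
        return [spec]
    lo, hi = (int(ip_address(p)) for p in spec.split("-"))
    return [str(ip_address(n)) for n in range(lo, hi + 1)]

class Translator:
    """Dynamic NAT pool plus optional PAT overflow address for one NAT id."""
    def __init__(self, pool: List[str], pat: Optional[str] = None):
        self.free = [ip_address(p) for p in pool]
        self.xlate: Dict[IPv4Address, IPv4Address] = {}  # inside host -> pool address
        self.pat = ip_address(pat) if pat else None
        self.next_port = 1024                             # PAT: one port per connection

    def open_connection(self, src: str) -> Optional[Tuple[str, Optional[int]]]:
        """(global address, port) for a new outbound connection, or None when
        neither the pool nor PAT can carry it. Xlate timeout is not modelled."""
        a = ip_address(src)
        if a in self.xlate:                      # host already holds a pool address: reuse it
            return str(self.xlate[a]), None
        if self.free:                            # pool not exhausted: one address per host
            self.xlate[a] = self.free.pop(0)
            return str(self.xlate[a]), None
        if self.pat is not None and self.next_port <= 65535:
            port, self.next_port = self.next_port, self.next_port + 1
            return str(self.pat), port           # overflow: shared address, unique port
        return None

def forward(src: str, shunned: set, acl: List[AclEntry], nat: Translator) -> str:
    """Outcome for an inside host opening a new outbound connection."""
    if src in shunned:
        return "shunned"
    if not acl_permits(acl, src):
        return "acl-denied"
    x = nat.open_connection(src)
    if x is None:
        return "no-xlate"
    g, port = x
    return f"nat {g}" if port is None else f"pat {g}:{port}"

def demo(with_overflow: bool) -> Dict[str, str]:
    """Replay the thread with the original pool (.19-.22) or the corrected pool
    (.19-.21) plus PAT on .22. Hosts .10-.15 and shunned .102 are constructed."""
    if with_overflow:
        nat = Translator(expand_pool("205.238.220.19-205.238.220.21"), "205.238.220.22")
    else:
        nat = Translator(expand_pool("205.238.220.19-205.238.220.22"))
    acl = parse_acl(ACL_LINES)
    shunned = {"192.168.1.102"}                  # as if 'shun 192.168.1.102' had been entered
    hosts = ["192.168.1.100", "192.168.1.101", "192.168.1.102"]
    hosts += [f"192.168.1.{n}" for n in range(10, 16)]
    out = {h: forward(h, shunned, acl, nat) for h in hosts}
    for _ in range(100):                         # 100 more pages from .10: still one pool address
        forward("192.168.1.10", shunned, acl, nat)
    out["192.168.1.10 x100"] = forward("192.168.1.10", shunned, acl, nat)
    out["10.0.0.2"] = forward("10.0.0.2", shunned, acl, nat)   # outside the permit subnet
    return out
```

Calling demo(False) reproduces Joshua's point: .10 through .13 each take one pool address and keep it for all 100 further connections, so the fifth and sixth hosts get no xlate at all; demo(True) shows those hosts carried on 205.238.220.22 with one port per connection. The "10.0.0.2" entry is a reminder that once an access-group is bound to the inside interface, anything not covered by the permit line (such as the 10.0.0.2 PDM host in the posted config, if it ever sources traffic through this PIX) is dropped by the implicit deny.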

Thanks Joshua,

The overflow global PAT statement did in fact solve one of the problems. Is there a benefit to using an ACL vs. the shun command?

D Evans
