My PIX is up and internet is fine, but I need only one IP address, x.x.x.1, to access the internet, with all others denied. x.x.x.1 will have an ISA server from where I will permit particular users to browse the internet. I am using NAT/PAT on the PIX. What will be my access-list? Because if I remove the NAT from the PIX, this will stop the whole internet and email access... Can anyone let me know this?
I tried this but had no success:
access-list 111 permit tcp 10.x.x.1 255.255.255.255 any eq www
That access list is probably blocking the ISA server from being able to make UDP-based DNS requests to resolve hostnames to IP addresses. Assuming your DNS servers are outside of the PIX, adding this line should allow DNS to work:
access-list 111 permit udp 10.x.x.1 255.255.255.255 any eq dns
I presume what you are saying is that you want all internet connections to go via your ISA server, correct? If so, then do the following:
access-list permit tcp host any eq www
access-list deny tcp any any eq www
access-list permit ip any any
access-group in interface inside
Now make sure to save with cmd write memory and also clear translations with cmd clear xlate.
Write your access-list in Notepad first (as above) and then issue a no access-list as the first line; this way, when you paste back onto the PIX, you'll get a clean config for the access-list mentioned, i.e.
From the outside in, everything is blocked on a PIX, so long as it is not part of a connection originated in the outbound direction from the inside interface. Your access list 100 is applied to the outside interface - it will allow some ICMP traffic through, and it will allow people on the internet to access the HTTP port of host x.x.x.x. Is x.x.x.x a web server?
Right now, you have nothing blocking any internal machines from making outbound connections. All internal machines should be able to do just about anything they want. With the above configuration, what does not work?
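Added example, not part of any post in the thread: a small Python model of first-match ACL evaluation with the implicit deny at the end, run over the access lists posted above. The addresses 10.0.0.1 and 10.0.0.50, the sample flows and all function names are constructed for illustration, and it assumes each list is applied inbound on the inside interface.

```python
import ipaddress

ISA = "10.0.0.1"   # constructed stand-in for the ISA server (10.x.x.1 in the thread)
PC = "10.0.0.50"   # constructed example of any other inside host
PORTS = {"www": 80, "dns": 53}

def rule(action, proto, src, port=None):
    """One ACL entry; src is 'any' or a host address, port a name or None (any port)."""
    return (action, proto, src, PORTS[port] if port else None)

def evaluate(acl, proto, src, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, r_proto, r_src, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if r_src != "any" and ipaddress.ip_address(r_src) != ipaddress.ip_address(src):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

# Constructed outbound flows: (protocol, source, destination port)
FLOWS = {
    "isa_web": ("tcp", ISA, 80),
    "isa_dns": ("udp", ISA, 53),
    "pc_web": ("tcp", PC, 80),
    "pc_https": ("tcp", PC, 443),
    "pc_smtp": ("tcp", PC, 25),
}

ACL_QUESTION = [rule("permit", "tcp", ISA, "www")]
ACL_WITH_DNS = ACL_QUESTION + [rule("permit", "udp", ISA, "dns")]
ACL_SECOND_ANSWER = [
    rule("permit", "tcp", ISA, "www"),
    rule("deny", "tcp", "any", "www"),
    rule("permit", "ip", "any"),
]

def decisions(acl):
    """Map each sample flow name to 'permit' or 'deny' under the given ACL."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in [("question", ACL_QUESTION), ("with dns", ACL_WITH_DNS),
                       ("second answer", ACL_SECOND_ANSWER)]:
        print(label, decisions(acl))
```

In this model the three-line list denies only TCP port 80 from other hosts; its final permit ip any any still lets them out on every other port, including 443, so any further restriction has to be added above that line.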