Cisco Support Community
New Member

Preventing specific static IP addresses from getting to specific web sites?

We use a PIX 505E firewall to connect to the Internet. All of our PCs have static IP addresses assigned to them. How can I prevent a single PC with the address (i.e. 1.2.3.4) from connecting to a specific web site on the Internet with an address of (i.e. 9.8.7.6)?

Accepted Solutions
New Member

Re: Preventing specific static IP addresses from getting to spec

Here's a quick crack at it based on my understanding of what you're looking for:

access-list outbound deny tcp host 1.2.3.4 host 9.8.7.6 eq www

access-list outbound permit ip any any

access-group outbound in interface inside

This is an access list written to the inside interface. Your first entry prevents your internal host from connecting to the external webserver on TCP port 80. The second line is required to permit all other IP traffic outbound. The second line becomes a requirement when you put an access-list on the inside interface.

The access-group command binds the access list "outside" to the inside interface.

Hope this helps.

Chad
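
Added example, not part of the original post: a simplified Python model of how the access list above is evaluated (first matching entry wins, and anything that matches no entry is dropped by the implicit deny). The function names and the sample flows are constructed for illustration; it shows why the permit line is needed and that the deny entry only covers TCP port 80.

```python
import ipaddress

# Constructed model of the access list from the answer above.
# Each rule: (action, protocol, source, destination, destination port or None).
ACL_OUTBOUND = [
    ("deny", "tcp", "1.2.3.4/32", "9.8.7.6/32", 80),   # deny tcp host ... eq www
    ("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", None),  # permit ip any any
]

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching rule; deny if none matches."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto != "ip" and r_proto != proto:
            continue  # "ip" matches every protocol
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every access list

def report(acl):
    """Evaluate a fixed set of constructed sample flows against an ACL."""
    flows = [
        ("tcp", "1.2.3.4", "9.8.7.6", 80),     # the flow the poster wants blocked
        ("tcp", "1.2.3.4", "9.8.7.6", 443),    # same hosts, different port
        ("tcp", "1.2.3.5", "9.8.7.6", 80),     # a different inside PC
        ("udp", "1.2.3.4", "192.0.2.53", 53),  # unrelated traffic from the same PC
    ]
    return {flow: evaluate(acl, *flow) for flow in flows}

if __name__ == "__main__":
    variants = (("as posted", ACL_OUTBOUND), ("deny line only", ACL_OUTBOUND[:1]))
    for name, acl in variants:
        print(name)
        for flow, action in report(acl).items():
            print("  ", flow, "->", action)
```

With only the deny entry, every sample flow is dropped; with both entries, only 1.2.3.4 to 9.8.7.6 on TCP port 80 is blocked, and the same PC can still reach that server on other ports.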

2 REPLIES
Bronze

Re: Preventing specific static IP addresses from getting to spec

Using a PIX alone, you cannot do URL filtering; you need Websense to do it.

