Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
314
Views
0
Helpful
1
Replies

Restricting access inside to outside

ssutton503
Level 1
Level 1

‎08-01-2006 12:19 PM - edited ‎03-09-2019 03:47 PM

I would like to use the Pix 501 we have to restrict certain workstations from accesing the Internet. From what I have read in the Pix instructions, this should be achievable. But I am not having any luck doing it. I tried something like this:

access-list acl_in permit any any

access-list acl_in deny host 192.168.1.123 any eq www

access-group acl_in in interface inside

But the computer at 192.168.1.123 still had Internet access. Did I do something wrong? I will readily admit that deciphering the Pix firewall's commands has left me with a bit of a headache and I would not be surprised if I got it wrong.

Another question along similar lines -- Our entire network uses a Win2k server as their gateway to the Internet. The Win2k server then forwards the packets to the Firewall then to the router. Since the Win2k server is set to use PAT, is there going to be any way to use the PIX to restrict access since after the Win2k server all IP addresses will be the same due to the PAT translation? To use the firewall to restrict access, do all computers have to go out to the Internet directly through the firewall?

Thanks for any suggestions!

Labels:
0 Helpful
1 Reply 1

a.kiprawih
Level 7
Level 7

‎08-01-2006 12:39 PM

Hi,

You should specify the specific 'deny' first before allowing all other general/common access. PIX read the ACL through a 'top-down' mode.

example:

access-list acl_in deny host 192.168.1.123 any eq www ----> put on to of the list

access-list acl_in permit ip any any

access-group acl_in in interface inside

As for the PAT and PIX as gateway for the clients, if you intend to use firewall to directly restrict access for all clients instead of the Win2k server, yes, it is possible and can give more control compared to the existing Win2k.

Using Win2k and PAT on PIX, you can only restrict internet/outbound access via ACL to one (1) IP which is the Win2k. For example, you can allow few access via service ports and deny all:

access-list acl_in permit tcp any any eq www

access-list acl_in permit tcp any any eq 21

access-list acl_in permit tcp any any eq 23

access-list acl_in permit udp any any eq 53

access-list acl_in deny ip any any

access-group acl_in in interface inside

global (outside) 1 xx.xx.xx.xx

nat (inside) 1 192.168.1.10 255.255.255.255 --> Win2K IP

If you use Firewall, you can have more & flexible control, like using ACL and object-group to control access for multiple hosts/clients. In this case, all clients must use firewall as GW.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

Rgds,

AK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents