Restricting access inside to outside

I would like to use the Pix 501 we have to restrict certain workstations from accessing the Internet. From what I have read in the Pix instructions, this should be achievable. But I am not having any luck doing it. I tried something like this:

access-list acl_in permit ip any any

access-list acl_in deny tcp host 192.168.1.123 any eq www

access-group acl_in in interface inside

But the computer at 192.168.1.123 still had Internet access. Did I do something wrong? I will readily admit that deciphering the Pix firewall's commands has left me with a bit of a headache and I would not be surprised if I got it wrong.

Another question along similar lines -- Our entire network uses a Win2k server as their gateway to the Internet. The Win2k server then forwards the packets to the Firewall then to the router. Since the Win2k server is set to use PAT, is there going to be any way to use the PIX to restrict access since after the Win2k server all IP addresses will be the same due to the PAT translation? To use the firewall to restrict access, do all computers have to go out to the Internet directly through the firewall?

Thanks for any suggestions!

1 REPLY

Re: Restricting access inside to outside

Hi,

You should specify the specific 'deny' first, before allowing all other general/common access. The PIX reads the ACL in 'top-down' order.

example:

access-list acl_in deny tcp host 192.168.1.123 any eq www ----> put on top of the list

access-list acl_in permit ip any any

access-group acl_in in interface inside

As for the PAT and the PIX as gateway for the clients: if you intend to use the firewall to directly restrict access for all clients instead of the Win2k server, yes, it is possible and gives more control compared to the existing Win2k.

Using Win2k and PAT on the PIX, you can only restrict internet/outbound access via ACL for one (1) IP, which is the Win2k. For example, you can allow a few services by port and deny all:

access-list acl_in permit tcp any any eq www

access-list acl_in permit tcp any any eq 21

access-list acl_in permit tcp any any eq 23

access-list acl_in permit udp any any eq 53

access-list acl_in deny ip any any

access-group acl_in in interface inside

global (outside) 1 xx.xx.xx.xx

nat (inside) 1 192.168.1.10 255.255.255.255 --> Win2K IP

If you use the firewall, you can have more flexible control, like using ACLs and object-groups to control access for multiple hosts/clients. In this case, all clients must use the firewall as GW.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

Rgds,

AK
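To make the two points in this reply concrete (first-match, top-down ACL evaluation, and why a host-specific deny stops working once traffic is PAT'ed behind the Win2k gateway), here is a small simulator of PIX-style ACL semantics. It is an added example, not code from the thread or from Cisco: it parses the access-list lines quoted above, evaluates a constructed packet against them top-down with the implicit deny at the end, and then re-evaluates the same packet after it has been rewritten to the Win2k gateway's address. The packet contents, the destination address 198.51.100.20 and the PORT_NAMES table are constructed for the example.

```python
"""First-match evaluation of a PIX-style inbound ACL (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# PIX accepts service names in place of port numbers; only the names used in
# this thread are mapped here (constructed subset for the example).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: str              # "any", "host A.B.C.D" or "A.B.C.D/prefix"
    dst: str
    dport: Optional[int]  # None matches every destination port


def _take_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    if head == "host":
        return "host " + tokens.pop(0)
    mask = tokens.pop(0)  # an address is followed by its subnet mask
    return str(ip_network(f"{head}/{mask}", strict=False))


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    _, _name, action, proto = tokens[:4]
    rest = tokens[4:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        port = rest[1]
        dport = PORT_NAMES.get(port) or int(port)
    return Ace(action, proto, src, dst, dport)


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec)


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)


def evaluate(acl_lines, pkt):
    """Walk the ACL top-down; the first matching entry decides.
    A packet matching nothing falls through to the implicit deny."""
    for index, line in enumerate(acl_lines, start=1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


# Constructed sample: the two orderings from the thread and a web request
# from the workstation that was supposed to be blocked.
AS_POSTED = [
    "access-list acl_in permit ip any any",
    "access-list acl_in deny tcp host 192.168.1.123 any eq www",
]
CORRECTED = [
    "access-list acl_in deny tcp host 192.168.1.123 any eq www",
    "access-list acl_in permit ip any any",
]
WEB_REQUEST = Packet("tcp", "192.168.1.123", "198.51.100.20", 80)

# Behind the Win2k PAT gateway every workstation reaches the PIX with the
# gateway's own address, so a host-specific deny never matches.
WIN2K_GW = "192.168.1.10"


def through_pat(pkt):
    return Packet(pkt.proto, WIN2K_GW, pkt.dst, pkt.dport)


if __name__ == "__main__":
    for label, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, evaluate(acl, WEB_REQUEST))
    print("corrected, via PAT", evaluate(CORRECTED, through_pat(WEB_REQUEST)))
```

Running it shows the posted order returning ("permit", 1) for the workstation because the catch-all permit wins before the deny is ever consulted, the corrected order returning ("deny", 1), and the corrected ACL still returning ("permit", 2) for the same request once its source has been rewritten to 192.168.1.10 by the Win2k gateway. That last case is the reason the reply says per-host control needs the clients to use the PIX as their gateway.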
