I have a PIX 501 that 15 laptops are connected to (Internal interface). All laptops are going to a client's site over VPN and Internet. I have to block internet only on several machines (they dont need it, the rest needs it). I cannot block by IP because they are dynamically assigned and I can block a person that need Internet. I cannot block by MAC because there is no option in 501 to block MAC addresses. On the LAN sit only the laptops and the PIX internal interface. How about the idea to separate the LAN IP address range like this:
Instead of using /24 I can divide it on 2x/25. I can hard code the laptops that need interface with static IP/s, then I can edit the DHCP scope on the PIX to exclude the IP range assigned statically and finally block the Internet for DHCP IP addresses. For example if I have 192.168.1.0/24 I can divide it on 192.168.1.0/25 and 192.168.1.128/25. If I use addresses from the first subnet I can block Internet for second one and vice versa.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...