Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX problem

Hello guys,

I have a PIX 501 that 15 laptops are connected to (Internal interface). All laptops are going to a client's site over VPN and Internet. I have to block internet only on several machines (they dont need it, the rest needs it). I cannot block by IP because they are dynamically assigned and I can block a person that need Internet. I cannot block by MAC because there is no option in 501 to block MAC addresses. On the LAN sit only the laptops and the PIX internal interface. How about the idea to separate the LAN IP address range like this:

Instead of using /24 I can divide it on 2x/25. I can hard code the laptops that need interface with static IP/s, then I can edit the DHCP scope on the PIX to exclude the IP range assigned statically and finally block the Internet for DHCP IP addresses. For example if I have I can divide it on and If I use addresses from the first subnet I can block Internet for second one and vice versa.

Do you have an idea??

Thank you in advance,



Re: PIX problem

New Member

Re: PIX problem


I don't want to involve additional server (only the laptops and the PIX).

I just want a simple solution if any.

Is the way that I mentioned before possible in your opinion. This PIX is production device and I cannot play with it, that the reason I didn't try it directly on the device.

Thank you.