TOPIC: 506E internet access

506E internet access 11 years 1 month ago #10866

  • pp1dt
Hi friend,

Just set up the PIX506E for my company. The ASA rules work fine, and all users can access the Internet through the firewall.

But now, how can I permit only a few users to access the Internet? By default the PIX allows all traffic from the higher security interface to the lower security interface.

Can I apply an access-list to the inside interface to block all www traffic and only allow a few IPs to access the Internet? How?

Re: 506E internet access 11 years 1 month ago #10868

  • RedRanger
You would have to have access to your router. I work with Cisco routers mostly, so I don't know much about the generic types. I put what is called an access control list (ACL) on the router that would deny the use of http to a few users and permit everyone else.
RedRanger

"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."

Be Awesome

506 internet 11 years 1 month ago #10876

  • benzy
Well, that's right: from higher security to lower, by default everything is permitted.

Now if you just need the web traffic for the outbound, then you need to apply an access list on the inside:

access-list <name> deny tcp any any eq 80

access-l <name> permit tcp host a.b.c.d any eq 80

access-l <name> permit tcp host a.b.c.d any eq 53

and then apply the access list on the inside

access-g <name> in interface inside

Note: the order of the access list should remain the same.

See if that helps! ;-)

Re: 506E internet access 11 years 1 month ago #10877

  • RedRanger
Quite right, benzy. I just didn't feel like writing that out. Lol.

It works, thanks. 11 years 1 month ago #10887

  • pp1dt
Thanks, it works, but the order of the access-list is wrong,
the access-list <name> deny tcp any any eq 80 should be after the permit tcp host ...

access-l <name> permit tcp host a.b.c.d any eq 80

access-l <name> permit tcp host a.b.c.d any eq 53

access-list <name> deny tcp any any eq 80

access-list <name> permit ip any any

and then apply the access list on the inside

access-g <name> in interface inside
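The ordering question in the two posts above comes down to first-match evaluation with an implicit deny at the end of the list. The following is an added example, not code from any poster in the thread, that replays both orderings over a few constructed flows; it also checks two flows the thread does not mention (UDP 53 and TCP 443). Assumptions: 192.0.2.10 stands in for a.b.c.d, 192.0.2.99 is an unlisted host, and `parse` and `evaluate` are hypothetical helpers that handle only the entry forms shown in the thread.

```python
import ipaddress

ALLOWED = "192.0.2.10"  # constructed stand-in for the thread's a.b.c.d

# Order as first posted (ends at the implicit deny).
FIRST_POSTED = f"""
deny tcp any any eq 80
permit tcp host {ALLOWED} any eq 80
permit tcp host {ALLOWED} any eq 53
"""
# Order from the follow-up post that reported it working.
CORRECTED = f"""
permit tcp host {ALLOWED} any eq 80
permit tcp host {ALLOWED} any eq 53
deny tcp any any eq 80
permit ip any any
"""

def parse(text):
    """Parse only the entry forms used in the thread into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, i = tok[0], tok[1], 2
        if tok[i] == "host":
            src, i = ipaddress.ip_address(tok[i + 1]), i + 2
        else:  # "any"
            src, i = None, i + 1
        i += 1  # destination is always "any" in the thread
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append((action, proto, src, port, line))
    return rules

def evaluate(acl_text, proto, src, dport):
    """Return (action, matching entry); the first matching entry wins."""
    src = ipaddress.ip_address(src)
    for action, r_proto, r_src, r_port, line in parse(acl_text):
        if r_proto in ("ip", proto) and r_src in (None, src) and r_port in (None, dport):
            return action, line
    return "deny", "implicit deny at end of list"

if __name__ == "__main__":
    for name, acl in (("first posted", FIRST_POSTED), ("corrected", CORRECTED)):
        for proto, src, port in (("tcp", ALLOWED, 80), ("tcp", "192.0.2.99", 80),
                                 ("udp", "192.0.2.99", 53), ("tcp", "192.0.2.99", 443)):
            print(name, proto, src, port, "->", *evaluate(acl, proto, src, port))
```

With the corrected order, TCP 443 and every other non-port-80 flow from unlisted hosts matches `permit ip any any`, so the list restricts plain HTTP only.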

Re: 506E internet access 11 years 1 month ago #10890

  • RedRanger
Glad it worked out for you. I love to see ACLs at work, especially when they work as you planned.