TOPIC: Block Access To Internet But Allow Internal Access

Block Access To Internet But Allow Internal Access 6 years 5 months ago #34397

  • apit
Hi..
I want to block internet access at my computer lab but allow internal access. Currently our campus network uses a VLAN for every department and lab.

My computer lab has its own VLAN using IP range 172.16.10.0/24. Our layer 3 switch is a Cisco 6500 series and the firewall is an ASA.

Please advise, guys.

Tq

... 6 years 5 months ago #34400

  • Arani
Hi,
If you can identify which outgoing interface is used by any incoming connection to go out to the internet, you can set up an access list to deny anyone using the interface. The key, however, is to correctly identify which switch and particularly which interface on that switch is the last pit stop for all internet-based data.
This is one way of doing things.
Picking pebbles on the shore of the networking ocean

Re: Block Access To Internet But Allow Internal Access 6 years 4 months ago #34403

  • S0lo
As Arani mentioned, you could possibly configure an access list on your ASA to block all but internal traffic (i.e. your campus network IP range). Apply the access list on the internal interface of the ASA (which I'm assuming is connected to your switch which connects to your PCs).

But if you want the PCs only to access the lab network and nothing else, you could simply physically disconnect the uplink from the switch/ASA.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: Block Access To Internet But Allow Internal Access 6 years 4 months ago #34404

  • apit
Our network looks like:

2900(lab switch)
3500(distribution)
65000(core)----ASA(Fw)

All the routing is handled by the core switch using static routes. Do I have to apply the ACL at the firewall level or the core level?

Currently we still allow lab users to use an internal application which is located at the server farm (the server farm switch connects to the core).

core switch 6 years 4 months ago #34407

  • Arani
I would suggest you put the access list on the core switch's outbound link which goes to the firewall, and not on the firewall itself. That way you prevent the switch from unnecessarily forwarding data towards the firewall where the packets would be dropped either way (i.e. all data meant for the internet).
That way you retain the physical integrity of the links but also get to implement the internet access ban on all PCs on the intranet.
Picking pebbles on the shore of the networking ocean

... 6 years 4 months ago #34408

  • Arani
Or for that matter, why don't you get your firewall to drop all packets whose destination address is set as your internet gateway?
Picking pebbles on the shore of the networking ocean