506E internet access
19 years 3 weeks ago #10866
by pp1dt
506E internet access was created by pp1dt
Hi friend,
Just set up the PIX 506E for my company; the ASA rules work fine, and all users can access the Internet through the firewall.
But now how can I permit only a few users to access the Internet? By default the PIX allows all traffic from the higher security interface to the lower security interface.
Can I use an access-list on the inside interface to block all WWW traffic and only allow a few IPs to access the Internet? How?
19 years 3 weeks ago #10868
by RedRanger
RedRanger
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Be Awesome
Replied by RedRanger on topic Re: 506E internet access
You would have to have access to your router. I work with Cisco routers mostly, so I don't know much about the generic types. I put what is called an access control list (ACL) on the router that would deny the use of HTTP to a few users and permit everyone else.
19 years 3 weeks ago #10876
by benzy
Replied by benzy on topic 506 internet
Well, that's right: from higher security to lower, by default everything is permitted.
Now if you just need the web traffic for the outbound, then you need to apply an access list on the inside:
access-list <name> deny tcp any any eq 80
access-list <name> permit tcp host a.b.c.d any eq 80
access-list <name> permit tcp host a.b.c.d any eq 53
and then apply the access list on the inside:
access-group <name> in interface inside
Note: the order of the access list should remain the same.
See if that helps!!!!
19 years 3 weeks ago #10877
by RedRanger
Replied by RedRanger on topic Re: 506E internet access
Quite right, benzy. I just didn't feel like writing that out. Lol.
19 years 3 weeks ago #10887
by pp1dt
Replied by pp1dt on topic It works, thanks.
Thanks, it works, but the order of the access-list is wrong:
the access-list <name> deny tcp any any eq 80 should be after the permit tcp host ... entries:
access-list <name> permit tcp host a.b.c.d any eq 80
access-list <name> permit tcp host a.b.c.d any eq 53
access-list <name> deny tcp any any eq 80
access-list <name> permit ip any any
and then apply the access list on the inside:
access-group <name> in interface inside
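To see why the two orderings in this thread behave differently, here is an added example (not from the thread and not Cisco code) that parses the access-list lines as pasted above and evaluates them the way the PIX does: first matching entry wins, and anything unmatched hits the implicit deny at the end. The host 10.1.1.5 and the list name WEB are constructed placeholders for a.b.c.d and <name>.

```python
# Added example: first-match evaluation of a PIX-style access-list.
# Constructed sample configs; 10.1.1.5 stands in for a.b.c.d, WEB for <name>.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: str              # source host address, or "any"
    port: Optional[int]   # destination port from "eq N", None = any port

def parse_acl(config: str) -> List[Ace]:
    """Parse access-list lines; access-group, notes and blank lines are ignored."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].startswith("access-l"):
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src = rest[1] if rest[0] == "host" else rest[0]
        port = int(rest[-1]) if "eq" in rest else None
        aces.append(Ace(action, proto, src, port))
    return aces

def evaluate(aces: List[Ace], src: str, proto: str, dport: int) -> str:
    """Return the action of the first entry that matches, else the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src not in ("any", src):
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action
    return "deny"   # every ACL ends with an implicit deny

BENZY_ORDER = """access-list WEB deny tcp any any eq 80
access-list WEB permit tcp host 10.1.1.5 any eq 80
access-list WEB permit tcp host 10.1.1.5 any eq 53
access-group WEB in interface inside"""

PP1DT_ORDER = """access-list WEB permit tcp host 10.1.1.5 any eq 80
access-list WEB permit tcp host 10.1.1.5 any eq 53
access-list WEB deny tcp any any eq 80
access-list WEB permit ip any any
access-group WEB in interface inside"""

if __name__ == "__main__":
    for name, cfg in (("benzy", BENZY_ORDER), ("pp1dt", PP1DT_ORDER)):
        acl = parse_acl(cfg)
        print(name, "allowed host web:", evaluate(acl, "10.1.1.5", "tcp", 80),
              "| other host web:", evaluate(acl, "10.1.1.9", "tcp", 80),
              "| other host https:", evaluate(acl, "10.1.1.9", "tcp", 443))
```

With the deny entry first, the permitted host never reaches its own permit line, and because benzy's version has no final permit ip any any, all other outbound traffic (for example HTTPS) falls through to the implicit deny as well.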
19 years 3 weeks ago #10890
by RedRanger
Replied by RedRanger on topic Re: 506E internet access
Glad it worked out for you. I love to see ACLs at work, especially when they work as you planned.