- Posts: 22
- Thank you received: 0
506E internet access
19 years 1 month ago #10866
by pp1dt
506E internet access was created by pp1dt
Hi friend,
Just setup the PIX506E for my company, the ASA rules work fine, all users can access the Internet through the Firewall.
But now how can I permit only few users to access the internet, by default the PIX allow all traffic access from the higer security interface to the lower security interface.
Can I use access-list to the inside interface to block all www traffic and only allow few IP to access the Internet, how ??
Just setup the PIX506E for my company, the ASA rules work fine, all users can access the Internet through the Firewall.
But now how can I permit only few users to access the internet, by default the PIX allow all traffic access from the higer security interface to the lower security interface.
Can I use access-list to the inside interface to block all www traffic and only allow few IP to access the Internet, how ??
19 years 1 month ago #10868
by RedRanger
RedRanger
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Be Awesome
Replied by RedRanger on topic Re: 506E internet access
You would have to have access to your router. I work with Cisco routers mostly, so I don't know much about the generic types. I put what is called an access control list (ACL) on the router that would deny the use of http to a few users and permit everyone else.
RedRanger
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Be Awesome
19 years 1 month ago #10876
by benzy
Replied by benzy on topic 506 internet
Well that right from higher security to lower..by default everything is permitted
Now if you just need the web traffic for the outbound hen you need to apply access list on the inside
access-list <name> deny tcp any any eq 80
access-l <name> permit tcp host a.b.c.d any eq 80
access-l <name> permit tcp host a.b.c.d any eq 53
and then apply the access list on the inside
access-g <name> in interface inside
Note*---->the order of the access list should remain same
Se if that helps !!!!
Now if you just need the web traffic for the outbound hen you need to apply access list on the inside
access-list <name> deny tcp any any eq 80
access-l <name> permit tcp host a.b.c.d any eq 80
access-l <name> permit tcp host a.b.c.d any eq 53
and then apply the access list on the inside
access-g <name> in interface inside
Note*---->the order of the access list should remain same
Se if that helps !!!!
19 years 1 month ago #10877
by RedRanger
RedRanger
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Be Awesome
Replied by RedRanger on topic Re: 506E internet access
Quite right, benzy. I just didn't feel like writing that out. Lol.
RedRanger
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Be Awesome
19 years 1 month ago #10887
by pp1dt
Replied by pp1dt on topic It works, thanks.
Thanks, it works, but the order of the access-list is wrong,
the access-list <name> deny tcp any any eq 80 should be after the permit tcp host ...
access-l <name> permit tcp host a.b.c.d any eq 80
access-l <name> permit tcp host a.b.c.d any eq 53
access-list <name> deny tcp any any eq 80
access-list <name> permit ip any any
and then apply the access list on the inside
access-g <name> in interface inside
the access-list <name> deny tcp any any eq 80 should be after the permit tcp host ...
access-l <name> permit tcp host a.b.c.d any eq 80
access-l <name> permit tcp host a.b.c.d any eq 53
access-list <name> deny tcp any any eq 80
access-list <name> permit ip any any
and then apply the access list on the inside
access-g <name> in interface inside
19 years 1 month ago #10890
by RedRanger
RedRanger
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Be Awesome
Replied by RedRanger on topic Re: 506E internet access
Glad it worked out for you. I love to see ACLs at work, especially when they work as you planned.
RedRanger
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Be Awesome
Time to create page: 0.128 seconds