506E internet access

19 years 3 weeks ago #10866 by pp1dt
506E internet access was created by pp1dt
Hi friend,

Just setup the PIX506E for my company, the ASA rules work fine, all users can access the Internet through the Firewall.

But now how can I permit only a few users to access the Internet? By default the PIX allows all traffic from the higher security interface to the lower security interface.

Can I use an access-list on the inside interface to block all www traffic and only allow a few IPs to access the Internet? How??
19 years 3 weeks ago #10868 by RedRanger
Replied by RedRanger on topic Re: 506E internet access
You would have to have access to your router. I work with Cisco routers mostly, so I don't know much about the generic types. I put what is called an access control list (ACL) on the router that would deny the use of http to a few users and permit everyone else.

RedRanger

"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."

Be Awesome
19 years 3 weeks ago #10876 by benzy
Replied by benzy on topic 506 internet
Well that's right, from higher security to lower, by default everything is permitted.

Now if you just need the web traffic for the outbound, then you need to apply an access list on the inside:

access-list <name> deny tcp any any eq 80

access-l <name> permit tcp host a.b.c.d any eq 80

access-l <name> permit tcp host a.b.c.d any eq 53

and then apply the access list on the inside

access-g <name> in interface inside

Note: the order of the access list should remain the same.

See if that helps !!!! ;-)
19 years 3 weeks ago #10877 by RedRanger
Replied by RedRanger on topic Re: 506E internet access
Quite right, benzy. I just didn't feel like writing that out. Lol.

19 years 3 weeks ago #10887 by pp1dt
Replied by pp1dt on topic It works, thanks.
Thanks, it works, but the order of the access-list is wrong:
the access-list <name> deny tcp any any eq 80 should be after the permit tcp host ... lines.

access-l <name> permit tcp host a.b.c.d any eq 80

access-l <name> permit tcp host a.b.c.d any eq 53

access-list <name> deny tcp any any eq 80

access-list <name> permit ip any any

and then apply the access list on the inside

access-g <name> in interface inside
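Added example, not code from any poster in this thread: a small Python first-match ACL evaluator that replays benzy's ordering and pp1dt's corrected ordering from the posts above, so you can see exactly which line each packet hits. The ACL name inside_in, the permitted host 192.0.2.10 and the destination addresses are constructed placeholders for <name> and a.b.c.d. The evaluator models only what the thread uses (the any and host address forms, eq port matches, tcp/udp/ip protocols) plus the implicit deny that a PIX appends to every ACL.

```python
"""First-match ACL evaluator for the PIX-style lines used in this thread.

Added example. ACL name, host and destination addresses are constructed
placeholders; the evaluator covers only 'any' / 'host X' addresses and
'eq N' destination ports, which is all the posted lines use.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str               # "any" or a single host address
    dst: str               # "any" or a single host address
    dport: Optional[int]   # destination port from "eq N", None means any port


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'host X' at tokens[i]; return (address, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(tokens[i:])!r}")


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <name> <permit|deny> <proto> <src> <dst> [eq N]' line.

    'access-l' is accepted as the abbreviation the posters used.
    """
    t = line.split()
    if len(t) < 6 or not t[0].startswith("access-l"):
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = t[2], t[3]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
        raise ValueError(f"unsupported action/protocol in: {line!r}")
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t):
        if t[i] != "eq" or i + 1 >= len(t):
            raise ValueError(f"unsupported port operator in: {line!r}")
        dport = int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines if l.strip()]


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching line); None index = implicit deny.

    Lines are tested top to bottom and the first match wins, which is why
    the order of the entries decides the outcome.
    """
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src != "any" and ace.src != src_ip:
            continue
        if ace.dst != "any" and ace.dst != dst_ip:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None   # implicit deny at the end of every PIX ACL


# Constructed sample: benzy's ordering as posted (deny line first).
BENZY_ORDER = [
    "access-list inside_in deny tcp any any eq 80",
    "access-l inside_in permit tcp host 192.0.2.10 any eq 80",
    "access-l inside_in permit tcp host 192.0.2.10 any eq 53",
]

# Constructed sample: pp1dt's corrected ordering (host permits first,
# then the broad deny, then permit everything else).
CORRECTED_ORDER = [
    "access-l inside_in permit tcp host 192.0.2.10 any eq 80",
    "access-l inside_in permit tcp host 192.0.2.10 any eq 53",
    "access-list inside_in deny tcp any any eq 80",
    "access-list inside_in permit ip any any",
]


if __name__ == "__main__":
    web = "198.51.100.5"   # constructed external web server address
    for label, lines in (("benzy", BENZY_ORDER), ("corrected", CORRECTED_ORDER)):
        acl = parse_acl(lines)
        print(f"--- {label} order ---")
        print("allowed host  -> tcp/80 :", evaluate(acl, "tcp", "192.0.2.10", web, 80))
        print("other host    -> tcp/80 :", evaluate(acl, "tcp", "192.0.2.20", web, 80))
        print("allowed host  -> tcp/443:", evaluate(acl, "tcp", "192.0.2.10", web, 443))
        print("allowed host  -> udp/53 :", evaluate(acl, "udp", "192.0.2.10", web, 53))
```

Running it shows why pp1dt had to reorder: with the deny line on top, the permitted host's port 80 traffic matches line 0 (deny) and never reaches its permit line. It also shows two things the thread only implies. Without the trailing permit ip any any, every flow that is not port 80 or 53 from the permitted host falls through to the implicit deny, so benzy's list as posted would have cut off all other outbound traffic. And the permit tcp ... eq 53 line only matches TCP; in the corrected list UDP DNS queries from the permitted host pass because of the final permit ip any any, not because of the port 53 line.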
19 years 3 weeks ago #10890 by RedRanger
Replied by RedRanger on topic Re: 506E internet access
Glad it worked out for you. I love to see ACLs at work, especially when they work as you planned.
