
Block Access To Internet But Allow Internal Access

14 years 6 months ago #34397 by apit
Hi,
I want to block internet access in my computer lab but allow internal access. Currently our campus network is using a VLAN for every department and lab.

My computer lab has its own VLAN using the IP range 172.16.10.0/24. Our layer 3 switch is a Cisco 6500 series and for the firewall we are using an ASA.

Please advise, guys.

Tq
14 years 6 months ago #34400 by Arani
Replied by Arani on topic ...
Hi,
If you can identify which outgoing interface is used by any incoming connection to go out to the internet, you can set up an access list to deny anyone using the interface. The key, however, is to correctly identify which switch, and particularly which interface on that switch, is the last pit stop for all internet-based data.
This is one way of doing things.

Picking pebbles on the shore of the networking ocean
14 years 6 months ago #34403 by S0lo
As Arani mentioned, you could possibly configure an access list on your ASA to block all but internal traffic (i.e. your campus network IP range). Apply the access list on the internal interface of the ASA (which I'm assuming is connected to your switch, which connects to your PCs).

But if you want the PCs only to access the lab network and nothing else, you could simply physically disconnect the uplink from the switch/ASA.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
14 years 6 months ago #34404 by apit
Our network looks like:

2900(lab switch)
3500(distribution)
6500(core)----ASA(Fw)

All the routing is handled by the core switch using static routes. Do I have to apply the ACL at the firewall level or the core level?

Currently we still allow lab users to use internal applications which are located at the server farm (the server farm switch connects to the core).
14 years 6 months ago #34407 by Arani
Replied by Arani on topic core switch
I would suggest you put the access list on the core switch's outbound link which goes to the firewall, and not on the firewall itself. That way you prevent the switch from unnecessarily forwarding data towards the firewall, where the packets would be dropped either way (i.e. all data meant for the internet).
That way you retain the physical integrity of the links but also get to implement the internet access ban on all PCs on the intranet.

Picking pebbles on the shore of the networking ocean
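The core-switch placement Arani describes, written out as an added Cisco IOS example (not posted in the thread). It assumes the core 6500 runs IOS, that the link to the ASA is a routed port with the hypothetical name GigabitEthernet1/1, and that the ACL name LAB-NO-INTERNET is free to use; the lab range 172.16.10.0/24 is the one apit gave.

```cisco
! Added example, not from the thread. Assumed: IOS on the core 6500, a routed
! port GigabitEthernet1/1 (hypothetical name) as the only path to the ASA.
ip access-list extended LAB-NO-INTERNET
 remark Lab VLAN 172.16.10.0/24 must not leave the core toward the ASA
 deny   ip 172.16.10.0 0.0.0.255 any
 remark Every other VLAN keeps its internet access unchanged
 permit ip any any
!
interface GigabitEthernet1/1
 description Uplink to ASA (assumed)
 ip access-group LAB-NO-INTERNET out
```

Because the ACL sits only on the link toward the firewall, lab traffic to the server farm and other campus VLANs never meets it and keeps working; the deny line's hit counter in `show ip access-lists LAB-NO-INTERNET` confirms that lab-to-internet traffic is actually being dropped.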
14 years 6 months ago #34408 by Arani
Replied by Arani on topic ...
Or, for that matter, why don't you get your firewall to drop all packets whose destination address is set as your internet gateway?

Picking pebbles on the shore of the networking ocean