- Posts: 227
- Thank you received: 0
Block Access To Internet But Allow Internal Access
14 years 6 months ago #34397
by apit
Block Access To Internet But Allow Internal Access was created by apit
Hi..
I want to block internet access at my computer lab but allow internal access. Currently our campus network using vlan for every department and lab..
My computer lab have our own vlan using ip range 172.16.10.0/24... Our layer 3 switch using cisco 6500 series and for firewall using ASA..
Please advice guys..
Tq
I want to block internet access at my computer lab but allow internal access. Currently our campus network using vlan for every department and lab..
My computer lab have our own vlan using ip range 172.16.10.0/24... Our layer 3 switch using cisco 6500 series and for firewall using ASA..
Please advice guys..
Tq
14 years 6 months ago #34400
by Arani
Picking pebbles on the shore of the networking ocean
Hi,
If you can identify which outgoing interface is used by any incoming connection to go out to the internet, you can setup an access list to deny anyone using the interface. The key however is to correctly identify which switch and particularly which interface on that switch is the last pitstop for all internet based data.
This is one way of doing things.
If you can identify which outgoing interface is used by any incoming connection to go out to the internet, you can setup an access list to deny anyone using the interface. The key however is to correctly identify which switch and particularly which interface on that switch is the last pitstop for all internet based data.
This is one way of doing things.
Picking pebbles on the shore of the networking ocean
14 years 6 months ago #34403
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Block Access To Internet But Allow Internal Access
As Arani mentioned, you could possibly configure an access list on your ASA to block all but internal traffic (i.e your campus network IP range). Apply the access list on the internal interface of the ASA (which I'm I assuming is connected to your switch which connects to your PCs).
But if you want the PCs only to access the lab network and nothing else, you could simply physically disconnect the uplink from the switch/ASA.
But if you want the PCs only to access the lab network and nothing else, you could simply physically disconnect the uplink from the switch/ASA.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
14 years 6 months ago #34404
by apit
Replied by apit on topic Re: Block Access To Internet But Allow Internal Access
our network looks like :
2900(lab switch)
3500(distribution)
65000(core)----ASA(Fw)
All the routing is handle by core switch using static route. Do i have to apply ACL at the firewall level or Core level?
Currently we still allow lab user to use internal application which is located at server farm (server farm switch connect to the core).
2900(lab switch)
3500(distribution)
65000(core)----ASA(Fw)
All the routing is handle by core switch using static route. Do i have to apply ACL at the firewall level or Core level?
Currently we still allow lab user to use internal application which is located at server farm (server farm switch connect to the core).
14 years 6 months ago #34407
by Arani
Picking pebbles on the shore of the networking ocean
Replied by Arani on topic core switch
I would suggest you put the access list on the core switch's outbound link which goes to the firewall, and not on the firewall itself. That way you prevent the switch from unnecessary forwarding data towards the firewall where the packets would be dropped either way (i.e all data meant for the internet.)
That way you retain the physical integrity of the links but also get to implement the internet access ban on all pc's on the intranet.
That way you retain the physical integrity of the links but also get to implement the internet access ban on all pc's on the intranet.
Picking pebbles on the shore of the networking ocean
Time to create page: 0.132 seconds