kaifong78
asked on
Block MSN for all users, but allow 3 users, how to implement on CISCO PIX 506E
In my Office, we are using CISCO PIX 506E,
all office users are in the LAN of 192.168.8.0 /24
network.
I want to block all users from using MSN from internet,
but allow my 3 managers to use MSN.
Their IP addresses are:
192.168.8.26 /24
192.168.8.42 /24
192.168.8.57 /24
How am I going to implement this on my PIX506E?
Can anyone write me the syntax?
Thanks for the help.
Probably the most secure way to do this is to only allow traffic for specific services into the firewall from the internal network. So, depending on your company policy, you would only allow users to access services you have deemed as acceptable: port 80 for www, port 443 for ssl encrypted sites, port 25 for smtp, port 110 for pop3, etc.
So you would create an access list like that below that has the specific allowances for the network hosts.
access-list inside_access_in permit tcp any any eq pop3
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp host 192.168.8.26 any eq 1863
access-list inside_access_in permit tcp host 192.168.8.42 any eq 1863
access-list inside_access_in permit tcp host 192.168.8.57 any eq 1863
access-list inside_access_in deny tcp any any
Don't just copy the above access list into your firewall config. You'll have to make sure that it has the correct access-list name and that all of the services you need are listed. So, you'll need to do a little research and come up with a plan to implement an access list.
Hope this helps,
Rod
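To see how the PIX will actually evaluate the list above, here is a small first-match ACL simulator. It is an added example written for this page, not code from Rod or from Cisco; the service-name table, the external addresses (203.0.113.x, a documentation range) and the sample flows are all constructed for the demonstration. It reproduces the two rules that matter when you plan the list: entries are tested top to bottom and the first match wins, and anything that matches no entry hits the implicit deny at the end of every PIX access-list. The last sample flow shows the caveat a whitelist like this brings: the posted entries are all TCP, so a UDP lookup such as DNS on port 53 is dropped by the implicit deny unless you permit it. Note also that on the PIX the list does nothing until it is bound to the interface with `access-group inside_access_in in interface inside`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the service names used in the posted ACL,
# mapped to the ports the PIX substitutes for "eq <name>".
SERVICE_PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "domain": 53}

# The access-list from the answer above (typo in the last line corrected).
PAGE_ACL = """
access-list inside_access_in permit tcp any any eq pop3
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp host 192.168.8.26 any eq 1863
access-list inside_access_in permit tcp host 192.168.8.42 any eq 1863
access-list inside_access_in permit tcp host 192.168.8.57 any eq 1863
access-list inside_access_in deny tcp any any
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip matches every protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = int(port) if port.isdigit() else SERVICE_PORTS[port]
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First matching entry wins. Returns (action, 1-based entry number);
    a flow that matches nothing returns ("deny", None) for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto not in (proto, "ip"):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


def classify_sample_flows():
    """Constructed flows: a manager and an ordinary user talking to MSN (TCP 1863),
    an ordinary user browsing, and an ordinary user's DNS query over UDP."""
    aces = parse_acl(PAGE_ACL)
    return {
        "manager_msn": evaluate(aces, "tcp", "192.168.8.42", "203.0.113.10", 1863),
        "user_msn": evaluate(aces, "tcp", "192.168.8.100", "203.0.113.10", 1863),
        "user_web": evaluate(aces, "tcp", "192.168.8.100", "203.0.113.10", 80),
        "user_dns": evaluate(aces, "udp", "192.168.8.100", "203.0.113.53", 53),
    }


if __name__ == "__main__":
    for name, (action, entry) in classify_sample_flows().items():
        where = f"entry {entry}" if entry else "implicit deny"
        print(f"{name:12s} -> {action} ({where})")
```

Running it shows the manager's MSN flow permitted by entry 5, the other user's MSN flow denied by entry 7, web traffic permitted by entry 3, and the DNS query denied by the implicit deny; that last result is the reason to add a `permit udp any any eq domain` entry (or a permit to your internal DNS server) before relying on a whitelist of this kind.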
bytta's comment should not be accepted. It did not address the question at all on how to create a custom solution specifically to this situation. I'm sure the EE search function works just fine for the asker, too.
>Can anyone write me the syntax.
bytta did not provide the syntax.
https://www.experts-exchange.com/questions/20248766/Blocking-Yahoo-and-MSN-Messenger-in-CISCO-2621-Router.html
https://www.experts-exchange.com/questions/20843109/Capture-command-on-CISCO-PIX-firewall-how-to-find-out-what-MSN-messenger-servers-are-being-connected-to.html
https://www.experts-exchange.com/questions/21191603/BLOCK-MSN-MESSENGER.html