Access-list question about filtering traffic
Posted on 2005-04-18
I am trying to prevent several computers from accessing the internet directly, namely their www traffic. We have a filter proxy, Symantec Web Security, and have their IE locked down to pass through the proxy. Unfortunately they have decided to load Mozilla. They are smart enough to think about this, but still too ignorant, and have downloaded keyboard loggers and other spyware to their machines. I have created the following:
object-group network FilteredPC
network-object host 192.168.1.101
network-object host 192.168.1.22
network-object host 192.168.1.24
network-object host 192.168.1.25
access-list inside_access_out deny ip any object-group FilteredPC
access-list inside_access_out permit ip any any
access-group inside_access_out in interface inside
I believed there was an implied deny after any permit and once an access list is hit, the system did not go on to any other rules.
What happens is that if the permit statement is not there, it works fine and does not allow them through the firewall; however, neither can anyone else. So I put the permit in to allow the others, but then the systems in the FilteredPC list are also permitted. What am I missing?
Any help is appreciated.
This is urgent as these people keep bypassing the filter and are placing the whole network in a vulnerable state.
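An added example, not from the thread, that simulates PIX-style first-match ACL evaluation in Python over the rules as posted and over a corrected variant in which the object-group is the source rather than the destination; the proxy address 192.168.1.5 and port 8080 are assumed values.

```python
# Simulated PIX/ASA first-match ACL evaluation: rules are checked top to bottom,
# the first full match decides, and an unmatched flow hits the implicit deny.
OBJECT_GROUPS = {  # the four hosts from the post
    "FilteredPC": {"192.168.1.101", "192.168.1.22", "192.168.1.24", "192.168.1.25"},
}
PROXY_IP, PROXY_PORT = "192.168.1.5", 8080  # assumed values, not from the post

# As posted: "any" is the SOURCE, so the deny only matches traffic going TO the group.
ORIGINAL_ACL = [
    "deny ip any object-group FilteredPC",
    "permit ip any any",
]
# Corrected for an inbound ACL on "inside": group is the SOURCE; proxy allowed first,
# direct web (80/443) from the group denied, everything else still permitted.
CORRECTED_ACL = [
    f"permit tcp object-group FilteredPC host {PROXY_IP} eq {PROXY_PORT}",
    "deny tcp object-group FilteredPC any eq 80",
    "deny tcp object-group FilteredPC any eq 443",
    "permit ip any any",
]

def _parse_addr(tokens):
    """Consume one address spec (any | host A | object-group G); return (matcher, rest)."""
    kind = tokens[0]
    if kind == "any":
        return (lambda ip: True), tokens[1:]
    if kind == "host":
        return (lambda ip, h=tokens[1]: ip == h), tokens[2:]
    if kind == "object-group":
        return (lambda ip, m=OBJECT_GROUPS[tokens[1]]: ip in m), tokens[2:]
    raise ValueError(f"unsupported address spec: {kind}")

def _parse_rule(line):
    action, proto, *rest = line.split()
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, src_ip, dst_ip, proto="tcp", dport=80):
    # Return "permit" or "deny" for one flow under first-match semantics.
    for line in acl:
        action, rproto, src, dst, port = _parse_rule(line)
        if rproto != "ip" and rproto != proto:
            continue                      # protocol does not match this line
        if not (src(src_ip) and dst(dst_ip)):
            continue                      # source or destination does not match
        if port is not None and port != dport:
            continue                      # destination port does not match
        return action                     # first match wins
    return "deny"                         # implicit deny at the end of every ACL
```

Under the posted rules a FilteredPC host reaching an outside web server is permitted, because the deny line only matches flows whose destination is in the group; the corrected list blocks direct web from those hosts while still letting them reach the proxy.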