Block Internet to a Range of Addresses

I have found other questions on how to block Internet access on a PIX firewall.  It is pretty simple with the use of Access-Lists.  My question has to do with blocking a range of addresses.  If I wanted to just give 192.168.3.1 through 192.168.3.20 access to Internet, but block all other addresses, how would I enter the range?
Javier196Asked:

naveedbCommented:
In your acl; allow 192.168.3.1 / 255.255.255.240 192.168.1.16 / 255.255.255.252 and then just 192.168.3.20 / 255.255.255.255

You can then apply this acl to your nat 1 command.
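Each PIX access-list entry can only express one address/netmask block, so a range such as .1 through .20 has to be split into the aligned blocks that cover it exactly. The script below is an added example, not code from the thread: it summarizes an inclusive address range into (address, netmask) pairs, renders them as PIX access-list lines, and lets you probe an address to confirm that nothing outside the range got in. The list name internet_users is an assumption. Note that starting at .0 (the subnet's network address, which is not a host) yields the shorter three-block form; starting at .1, as the question literally asks, yields six blocks.

```python
import ipaddress
from typing import List, Tuple


def summarize_range(first: str, last: str) -> List[Tuple[str, str]]:
    """Return the minimal list of (network address, netmask) pairs that
    together cover every address from first to last inclusive.  This is
    the same summarization a PIX needs, one block per access-list entry."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    return [(str(net.network_address), str(net.netmask))
            for net in ipaddress.summarize_address_range(lo, hi)]


def pix_acl_lines(name: str, first: str, last: str,
                  action: str = "permit", proto: str = "ip",
                  dst: str = "any") -> List[str]:
    """Render the blocks as PIX access-list entries (netmask syntax, not
    wildcard).  A /32 is written as 'host A', as in the config on this page."""
    lines = []
    for addr, mask in summarize_range(first, last):
        src = f"host {addr}" if mask == "255.255.255.255" else f"{addr} {mask}"
        lines.append(f"access-list {name} {action} {proto} {src} {dst}")
    return lines


def covered(first: str, last: str, probe: str) -> bool:
    """Check whether an address falls inside any generated block; use it to
    confirm that no address outside the wanted range leaked in."""
    ip = ipaddress.IPv4Address(probe)
    return any(ip in ipaddress.IPv4Network(f"{addr}/{mask}")
               for addr, mask in summarize_range(first, last))


if __name__ == "__main__":
    # Exactly the hosts asked for, .1 through .20: six entries.
    for line in pix_acl_lines("internet_users", "192.168.3.1", "192.168.3.20"):
        print(line)
    print("!")
    # Starting at .0 (only the subnet's network address): three entries,
    # with no additional host allowed through.
    for line in pix_acl_lines("internet_users", "192.168.3.0", "192.168.3.20"):
        print(line)
    print(covered("192.168.3.1", "192.168.3.20", "192.168.3.21"))  # False
```

The generated list can then be referenced from the nat 1 command as the answer suggests (policy NAT: only sources matched by the list are translated to the outside interface address), so hosts outside the range simply never get a translation.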

pseudocyberCommented:
...192.168.3.16 255.255.255.252 ...
Javier196Author Commented:
OK, lets start over.

I have a WAN.  I have a PIX 515 on my side, and a PIX 501 at the remote site.  I am on a T1, the remote is on an E1.  I have set up a gateway VPN between these sites.  I also have a few static mappings to a few servers on the remote PIX for public access to remote servers.  All works fine.

I need to block Port 80 for all but a few users at the remote site.  I cannot seem to block Port 80 without affecting the remote's sites access to my LAN.  I assume I have to apply the deny for www to the inside interface:

access-list deny_www deny tcp any any eq 80
then
access-group deny_www in interface inside

Correct?

If I run this access-group command, I lose my other access lists.
Here is my config.
access-list nat_avoid permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nat_avoid permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list public_access_in permit tcp any host 201.147.129.147 eq 3389
access-list deny_www deny tcp any any eq www
.
.
ip address outside 201.147.x.x 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
.
.
global (outside) 1 interface
nat (inside) 0 access-list nat_avoid
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 201.147.129.147 Server02 netmask 255.255.255.255 0 0
static (inside,outside) 201.147.x.x 192.168.3.25 netmask 255.255.255.255 0 0
static (inside,outside) 201.147.x.x 192.168.3.250 netmask 255.255.255.255 0 0
access-group public_access_in in interface outside
access-group deny_www in interface inside

I don't know if having the two access-group commands is a problem.  I got the "in interface inside" from a Cisco website, but if I run that access-group, I lose my other access-group mappings.

Again, I want to block all but a few IP addresses at the remote site.  I will even map each of them, but I cannot seem to block www without affecting my previous config.
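The deny_www list in the posted config contains a single deny entry and nothing else. Every PIX access-list ends with an implicit deny, so once that list is bound to the inside interface it drops every inbound flow from the inside that is not port 80 as well, VPN traffic to the remote LAN included; the access-group on the outside interface is unaffected, it is the implicit deny that takes the other flows away. The script below is an added example, not code from the thread: it simulates the PIX's first-match evaluation with the implicit deny and compares the list as posted with one that permits www for a few hosts, denies it for everyone else, and then permits all remaining traffic. The allowed hosts 192.168.3.10 and .11 and the web server address 203.0.113.5 are assumptions; the sample flows are constructed from the addresses in the posted config. The same ordering applies on whichever PIX's inside interface the affected users sit behind.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, dest port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp"/"udp"
    src: str                     # CIDR; ANY for 0.0.0.0/0
    dst: str
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Flow:
    """A connection attempt arriving on the interface the list is applied to."""
    src: str
    dst: str
    proto: str
    dport: int


def matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == flow.dport


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation; the implicit deny applies when nothing matches."""
    for ace in acl:
        if matches(ace, flow):
            return ace.action
    return "deny"


def _pix(net: str) -> str:
    n = ipaddress.ip_network(net)
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.netmask}"


def render(name: str, acl: List[Ace]) -> List[str]:
    """Render the entries in PIX access-list syntax."""
    out = []
    for ace in acl:
        line = f"access-list {name} {ace.action} {ace.proto} {_pix(ace.src)} {_pix(ace.dst)}"
        if ace.dport is not None:
            line += f" eq {ace.dport}"
        out.append(line)
    return out


# The list exactly as posted: one deny entry and nothing else.
AS_POSTED = [Ace("deny", "tcp", ANY, ANY, 80)]


def www_exception_acl(allowed_hosts: List[str]) -> List[Ace]:
    """Permit www for the listed hosts, deny it for everyone else, then permit
    all remaining traffic so VPN and LAN flows are left alone."""
    acl = [Ace("permit", "tcp", h, ANY, 80) for h in allowed_hosts]
    acl.append(Ace("deny", "tcp", ANY, ANY, 80))
    acl.append(Ace("permit", "ip", ANY, ANY))
    return acl


# Assumed hosts that should keep web access (not from the original post).
ALLOWED_WWW = ["192.168.3.10/32", "192.168.3.11/32"]

# Constructed sample flows; 203.0.113.5 stands in for an Internet web server,
# 192.168.0.7 is a host on the remote LAN reached over the VPN.
SAMPLE_FLOWS = [
    Flow("192.168.3.10", "203.0.113.5", "tcp", 80),   # allowed host, web
    Flow("192.168.3.50", "203.0.113.5", "tcp", 80),   # other host, web
    Flow("192.168.3.50", "192.168.0.7", "tcp", 445),  # other host, remote LAN
    Flow("192.168.3.50", "203.0.113.5", "tcp", 443),  # other host, https
]


def decisions(acl: List[Ace]) -> List[str]:
    return [evaluate(acl, f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    print("as posted:      ", decisions(AS_POSTED))   # every flow denied
    fixed = www_exception_acl(ALLOWED_WWW)
    print("with exceptions:", decisions(fixed))
    print("\n".join(render("deny_www", fixed)))
```

The printed lines are what would replace the single-entry deny_www before re-applying access-group deny_www in interface inside; the trailing permit ip any any is the entry that keeps the VPN and static-mapped server traffic flowing.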