Solved

Block Internet to a Range of Addresses

Posted on 2006-04-10
215 Views
Last Modified: 2010-03-19
I have found other questions on how to block Internet access on a PIX firewall.  It is pretty simple with the use of access lists.  My question has to do with blocking a range of addresses.  If I wanted to give just 192.168.3.1 through 192.168.3.20 access to the Internet, but block all other addresses, how would I enter the range?
Question by:Javier196
3 Comments
 
LVL 10

Accepted Solution

by:
naveedb earned 750 total points
ID: 16422796
In your ACL, allow 192.168.3.1 / 255.255.255.240, 192.168.1.16 / 255.255.255.252, and then just 192.168.3.20 / 255.255.255.255.

You can then apply this acl to your nat 1 command.
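As an added worked example (not code from this thread, from Cisco, or from any of the posters), the following Python uses only the standard library's ipaddress module to split the range from the question into the smallest set of mask-aligned blocks, render each block in PIX 6.x access-list syntax (real subnet mask, single hosts as "host X"), and verify that the blocks cover exactly 192.168.3.1 through 192.168.3.20 and nothing else. The ACL name allow_www and the "tcp ... any eq www" destination are assumptions for illustration.

```python
import ipaddress


def summarize_range(first, last):
    """Split the inclusive IPv4 host range first..last into the minimal list
    of prefixes covering exactly those addresses.  Delegates to the standard
    library's summarize_address_range, which implements the usual
    range-to-CIDR algorithm (largest aligned block that still fits)."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError("first address must not be after last address")
    return list(ipaddress.summarize_address_range(start, end))


def render_pix_acl(name, nets, proto="tcp", dst="any eq www"):
    """Render one PIX 6.x access-list line per prefix.  PIX takes a subnet
    mask (not an IOS-style wildcard mask); a /32 is written as 'host X'."""
    lines = []
    for net in nets:
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.netmask}"
        lines.append(f"access-list {name} permit {proto} {src} {dst}")
    return lines


def exact_cover(first, last, nets):
    """True when the prefixes, taken in address order, run contiguously from
    first to last with no gap, no overlap and no address outside the range.
    This catches the common mistake of rounding the range down to a larger
    block that also admits addresses the policy did not intend."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    ordered = sorted(nets, key=lambda n: int(n.network_address))
    expect = start
    for net in ordered:
        lo = int(net.network_address)
        hi = int(net.broadcast_address)
        if lo != expect:          # gap, overlap or start outside the range
            return False
        expect = hi + 1
    return expect == end + 1      # last prefix ends exactly at 'last'


if __name__ == "__main__":
    first, last = "192.168.3.1", "192.168.3.20"   # the range from the question
    nets = summarize_range(first, last)
    for line in render_pix_acl("allow_www", nets):
        print(line)
    print("exact cover:", exact_cover(first, last, nets))
```

Running it prints six lines (a /32, a /31, a /30, a /29, a /30 and a final /32), which is what an exact cover of 20 addresses starting at .1 requires; a single /28 starting at 192.168.3.0 would be shorter but also admits .0, and exact_cover reports that.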
 
LVL 27

Expert Comment

by:pseudocyber
ID: 16425254
...192.168.3.16 255.255.255.252 ...
 
LVL 1

Author Comment

by:Javier196
ID: 16731254
OK, let's start over.

I have a WAN.  I have a PIX 515 on my side, and a PIX 501 at the remote site.  I am on a T1, the remote is on an E1.  I have set up a gateway VPN between these sites.  I also have a few static mappings to a few servers on the remote PIX for public access to remote servers.  All works fine.

I need to block port 80 for all but a few users at the remote site.  I cannot seem to block port 80 without affecting the remote site's access to my LAN.  I assume I have to apply the deny for www to the inside interface:

access-list deny_www deny tcp any any eq 80
then
access-group deny_www in interface inside

Correct?

If I run this access-group command, I lose my other access lists.
Here is my config.
access-list nat_avoid permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nat_avoid permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list public_access_in permit tcp any host 201.147.129.147 eq 3389
access-list deny_www deny tcp any any eq www
.
.
ip address outside 201.147.x.x 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
.
.
global (outside) 1 interface
nat (inside) 0 access-list nat_avoid
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 201.147.129.147 Server02 netmask 255.255.255.255 0 0
static (inside,outside) 201.147.x.x 192.168.3.25 netmask 255.255.255.255 0 0
static (inside,outside) 201.147.x.x 192.168.3.250 netmask 255.255.255.255 0 0
access-group public_access_in in interface outside
access-group deny_www in interface inside

I don't know if having the two access-group commands is a problem.  I got the "in interface inside" from a Cisco website, but if I run that access-group, I lose my other access-group mappings.

Again, I want to block all but a few IP addresses at the remote site.  I will even map each of them, but I cannot seem to block www without affecting my previous config.
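The behaviour described in the comment above follows from how PIX access lists are evaluated: entries are checked top-down, the first match wins, and anything that matches no entry hits an implicit deny at the end of the list. An access-group whose only entry is a deny therefore blocks every other flow on that interface as well, including the traffic that should ride the VPN. The following Python is an added example (not code from the thread or from Cisco) that parses the small subset of PIX access-list syntax used in this post and replays sample flows through both the posted single-line ACL and a reworked one that permits a few hosts to port 80, denies port 80 for everyone else, and then permits all remaining traffic. The ACL name inside_in, the hosts 192.168.3.10 and 192.168.3.11, and the sample destination 198.51.100.10 are constructed placeholders.

```python
import ipaddress

# PIX accepts service names in place of port numbers; only the one used here
PORT_NAMES = {"www": "80", "http": "80"}

# Constructed sample: the single deny line exactly as posted in the comment.
AS_POSTED = """
access-list deny_www deny tcp any any eq www
"""

# Constructed sample: same intent, but ordered so that first-match semantics
# carve out the permitted hosts and the final line keeps all other traffic
# (VPN, RDP, DNS, ...) flowing.  Host addresses are placeholders.
REWORKED = """
access-list inside_in permit tcp host 192.168.3.10 any eq www
access-list inside_in permit tcp host 192.168.3.11 any eq www
access-list inside_in deny tcp any any eq www
access-list inside_in permit ip any any
"""


def _parse_addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host X' or 'X MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX writes a real subnet mask; ipaddress accepts 'net/mask' directly
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(text):
    """Parse access-list lines into (action, proto, src, dst, dport) tuples.
    Understood subset: protocol ip or tcp, any / host / net-mask addresses,
    and an optional 'eq PORT' on the destination."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
        entries.append((action, proto, src, dst, dport))
    return entries


def acl_verdict(entries, proto, src, dst, dport=None):
    """First matching entry wins; no match at all is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, edport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if s not in esrc or d not in edst:
            continue
        if edport is not None and edport != dport:
            continue
        return action
    return "deny (implicit)"


if __name__ == "__main__":
    flows = [  # (proto, src, dst, dport, description) - constructed samples
        ("tcp", "192.168.3.50", "192.168.0.5", 445, "file share over the VPN"),
        ("tcp", "192.168.3.50", "198.51.100.10", 80, "ordinary user to web"),
        ("tcp", "192.168.3.10", "198.51.100.10", 80, "permitted user to web"),
    ]
    for name, text in (("as posted", AS_POSTED), ("reworked", REWORKED)):
        entries = parse_acl(text)
        for proto, src, dst, dport, what in flows:
            print(f"{name:9} {what:24} -> {acl_verdict(entries, proto, src, dst, dport)}")
```

With the posted list the VPN flow comes back "deny (implicit)", which is the symptom reported in the comment; with the reworked list the same flow is permitted by the final "permit ip any any", the ordinary user is still denied port 80, and the placeholder host gets through because its permit line sits above the deny.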
