Block Internet to a Range of Addresses

Posted on 2006-04-10
Last Modified: 2010-03-19
I have found other questions on how to block Internet access on a PIX firewall. It is pretty simple with the use of Access-Lists. My question has to do with blocking a range of addresses. If I wanted to just give through access to Internet, but block all other addresses, how would I enter the range?
Question by:Javier196

Accepted Solution

naveedb earned 750 total points
ID: 16422796
In your acl; allow / / and then just /

You can then apply this acl to your nat 1 command.

Expert Comment

ID: 16425254
... ...

Author Comment

ID: 16731254
OK, lets start over.

I have a WAN. I have a PIX 515 on my side, and a PIX 501 at the remote site. I am on a T1, the remote is on an E1. I have set up a gateway VPN between these sites. I also have a few static mappings to a few servers on the remote PIX for public access to remote servers. All works fine.

I need to block Port 80 for all but a few users at the remote site. I cannot seem to block Port 80 without affecting the remote site's access to my LAN. I assume I have to apply the deny for www to the inside interface:

access-list deny_www deny tcp any any eq 80
access-group deny_www in interface inside


If I run this access-group command, I lose my other access lists.
Here is my config.
access-list nat_avoid permit ip
access-list nat_avoid permit ip
access-list public_access_in permit tcp any host eq 3389
access-list deny_www deny tcp any any eq www
ip address outside 201.147.x.x
ip address inside
global (outside) 1 interface
nat (inside) 0 access-list nat_avoid
nat (inside) 1 0 0
static (inside,outside) Server02 netmask 0 0
static (inside,outside) 201.147.x.x netmask 0 0
static (inside,outside) 201.147.x.x netmask 0 0
access-group public_access_in in interface outside
access-group deny_www in interface inside

I don't know if having the two access-group commands is a problem.  I got the "in interface inside" from a Cisco website, but if I run that access-group, I lose my other access-group mappings.

Again, I want to block all but a few IP addresses at the remote site. I will even map each of them, but I cannot seem to block www without affecting my previous config.
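The following is an added illustration, not code from the thread or from Cisco: a small simulator of PIX-style first-match ACL evaluation with the implicit deny at the end of every access list. It shows why an inside-interface ACL that consists of a single deny line drops all other inside traffic (including VPN traffic to the far LAN), and how an ordered list that exempts specific hosts, denies www, and then permits the rest behaves. All addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry: action, protocol, source, destination, optional dst port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" (matches any protocol) or a specific one such as "tcp"
    src: str               # CIDR string or "any"
    dst: str               # CIDR string or "any"
    dport: Optional[int] = None   # None matches every destination port


def _net_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return _net_match(ace.src, src) and _net_match(ace.dst, dst)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry decides; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"   # implicit deny that terminates every PIX access list


# Constructed: the thread's one-line ACL, which has no permit entry at all.
DENY_WWW_ONLY = [Ace("deny", "tcp", "any", "any", 80)]

# Constructed: hosts exempted from the www block (placeholder addresses).
ALLOWED_WEB_HOSTS = ["192.168.1.10", "192.168.1.11"]

# Constructed: exempt the listed hosts, block www for everyone else, then allow all other traffic.
WEB_POLICY = [Ace("permit", "tcp", h + "/32", "any", 80) for h in ALLOWED_WEB_HOSTS] + [
    Ace("deny", "tcp", "any", "any", 80),
    Ace("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    # RDP from a remote user to a LAN server across the VPN (placeholder addresses)
    print("deny-only ACL, RDP to LAN:", evaluate(DENY_WWW_ONLY, "tcp", "192.168.1.50", "10.0.0.5", 3389))
    print("ordered policy, RDP to LAN:", evaluate(WEB_POLICY, "tcp", "192.168.1.50", "10.0.0.5", 3389))
    print("ordered policy, web from non-exempt host:", evaluate(WEB_POLICY, "tcp", "192.168.1.50", "203.0.113.7", 80))
    print("ordered policy, web from exempt host:", evaluate(WEB_POLICY, "tcp", "192.168.1.10", "203.0.113.7", 80))
```

Entry order matters: placing the `permit ip any any` line before the `deny` would let every host reach port 80.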
