Block Internet to a Range of Addresses

Posted on 2006-04-10
Last Modified: 2010-03-19
I have found other questions on how to block Internet access on a PIX firewall. It is pretty simple with the use of Access-Lists. My question has to do with blocking a range of addresses. If I wanted to just give through access to Internet, but block all other addresses, how would I enter the range?
Question by:Javier196
    LVL 10

    Accepted Solution

    In your acl; allow / / and then just /

    You can then apply this acl to your nat 1 command.
    LVL 27

    Expert Comment

    ... ...
    LVL 1

    Author Comment

    OK, let's start over.

    I have a WAN. I have a PIX 515 on my side, and a PIX 501 at the remote site. I am on a T1, the remote is on an E1. I have set up a gateway VPN between these sites. I also have a few static mappings to a few servers on the remote PIX for public access to remote servers. All works fine.

    I need to block Port 80 for all but a few users at the remote site. I cannot seem to block Port 80 without affecting the remote site's access to my LAN. I assume I have to apply the deny for www to the inside interface:

    access-list deny_www deny tcp any any eq 80
    access-group deny_www in interface inside


    If I run this access-group command, I lose my other access lists.
    Here is my config.
    ! NAT exemption list referenced by "nat (inside) 0": matching traffic crosses the VPN without translation
    access-list nat_avoid permit ip
    access-list nat_avoid permit ip
    ! Inbound from the Internet: RDP to one published host
    access-list public_access_in permit tcp any host eq 3389
    ! Intended web block; as posted, this list contains only the single deny line
    access-list deny_www deny tcp any any eq www
    ip address outside 201.147.x.x
    ip address inside
    global (outside) 1 interface
    nat (inside) 0 access-list nat_avoid
    nat (inside) 1 0 0
    static (inside,outside) Server02 netmask 0 0
    static (inside,outside) 201.147.x.x netmask 0 0
    static (inside,outside) 201.147.x.x netmask 0 0
    ! One ACL per interface: the first applies to traffic entering from outside, the second to traffic entering from inside
    access-group public_access_in in interface outside
    access-group deny_www in interface inside

    I don't know if having the two access-group commands is a problem.  I got the "in interface inside" from a Cisco website, but if I run that access-group, I lose my other access-group mappings.

    Again, I want to block all but a few IP addresses at the remote site. I will even map each of them, but I cannot seem to block www without affecting my previous config.
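The inside ACL shape described in the comment above, run through a small first-match simulator. This is an added example, not code from the thread or from Cisco: the parser handles only the "any" and "host <addr>" address forms and the "eq <port>" form, the host addresses and sample flows are constructed, and inside_in is a made-up list name. It shows the behaviour a practitioner should check for before applying a list to the inside interface: every Cisco access-list ends with an implicit deny-all, so a list that consists of a single deny line drops every flow that does not match it, including traffic bound for the other site over the VPN. The second list puts the exempted hosts first, then the deny for port 80, then permit ip any any, so only web traffic from the non-exempt hosts is refused.

```python
from dataclasses import dataclass
from typing import Optional

# Port keywords PIX accepts in place of numbers (subset used here).
NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "domain": 53}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "tcp"/"udp"
    src: str               # "any" or a single host address
    dst: str               # "any" or a single host address
    dport: Optional[int]   # None = any destination port


def _parse_addr(tokens, i):
    """Parse 'any' or 'host <addr>' starting at tokens[i]; return (addr, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(tokens[i:])}")


def parse_acl(config: str, name: str) -> list[Rule]:
    """Collect the access-list lines carrying the given name, in the order written."""
    rules = []
    for line in config.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            port = t[i + 1]
            dport = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport=None) -> str:
    """First matching line decides; a flow matching no line hits the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.src != "any" and r.src != src:
            continue
        if r.dst != "any" and r.dst != dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"   # the unwritten last line of every Cisco ACL


# Same shape as the thread's deny_www list: a single deny line and nothing else.
ACL_DENY_ONLY = """
access-list deny_www deny tcp any any eq www
"""

# Ordered version (constructed host addresses): exempt the few allowed users,
# deny web for everyone else, then permit all remaining traffic so flows to
# the other site across the VPN still pass.
ACL_ORDERED = """
access-list inside_in permit tcp host 192.168.10.5 any eq www
access-list inside_in permit tcp host 192.168.10.6 any eq www
access-list inside_in deny tcp any any eq www
access-list inside_in permit ip any any
"""

# Constructed sample flows entering the inside interface:
# (protocol, source host, destination host, destination port, description)
FLOWS = [
    ("tcp", "192.168.10.5", "203.0.113.10", 80,   "exempt user to a web site"),
    ("tcp", "192.168.10.7", "203.0.113.10", 80,   "ordinary user to a web site"),
    ("tcp", "192.168.10.7", "10.1.1.20",    3389, "ordinary user RDP to the other site"),
    ("udp", "192.168.10.7", "10.1.1.20",    53,   "ordinary user DNS to the other site"),
]


def decisions(config: str, name: str) -> list[str]:
    """Return the permit/deny verdict for each sample flow under the named ACL."""
    rules = parse_acl(config, name)
    return [evaluate(rules, p, s, d, port) for p, s, d, port, _ in FLOWS]


if __name__ == "__main__":
    for label, cfg, name in (("deny-only", ACL_DENY_ONLY, "deny_www"),
                             ("ordered", ACL_ORDERED, "inside_in")):
        print(f"--- {label} ACL ({name})")
        for (_, _, _, _, desc), verdict in zip(FLOWS, decisions(cfg, name)):
            print(f"{verdict:6}  {desc}")
```

Running it prints four "deny" verdicts for the deny-only list (the RDP and DNS flows never match the one line and fall to the implicit deny) and permit/deny/permit/permit for the ordered list. The same first-match rule is why the exempt hosts must be listed before the deny line: placed after it, they would never be reached.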
