Access across different subnets

Posted on 2006-05-07
Last Modified: 2010-04-09
Hi. I have a Cisco PIX 515E Firewall connecting 3 networks: outside, inside (security 100) and marketing (security 50). All PCs in inside and marketing have Windows file and printer sharing enabled. My questions are:

1. I want to prevent users at marketing from accessing resources at inside. Does the firewall block this by default? If not, how do I block it?

2. In the future, if I want to allow certain marketing users to access some PCs on the inside interface, what do I need to do at the firewall?

Please help. Thank you.
Question by:hoggiee
    LVL 95

    Expert Comment

    by:Lee W, MVP
    Typically, a business would have a domain and simply restrict access via NTFS permissions.
    LVL 20

    Expert Comment

    Agree w/ leew - if you want to block by *user* & you have a Windows domain, then you'd do this by NTFS & user/group permissions.  However, if you want certain *workstations* (regardless of user) to access certain hosts on the inside network from marketing, see the example below.

    >1. I want to prevent users at marketing...
      Yes, by default the PIX blocks traffic originating from less trusted interfaces, in this case 'marketing' (which has a lower security level).  You have to explicitly allow access from less-trusted interfaces.

    >2. In the future if I want certain marketing users from accessing...
       If you want certain IPs from the marketing subnet to access certain PCs on the inside subnet...
      marketing subnet:
      inside subnet:
      Here, we'll allow the 2 marketing hosts & to access on the inside interface:

    static (inside,marketing) netmask
    access-list from_marketing permit ip host host
    access-list from_marketing permit ip host host
    access-list from_marketing deny ip any  <- block access to remainder of inside subnet
    access-list from_marketing permit ip any any   <-- allow marketing to get to elsewhere, such as Internet
    access-group from_marketing in interface marketing
    clear xlate


    Author Comment

    Thanks guys.  Additionally, can you guys explain in more detail how to block the access with the NTFS or user/group permissions?
    LVL 20

    Accepted Solution

    If you have a domain, the easiest way is to use security groups.  Simplified example:
    - create a "Marketing" security group
    - make all marketing staff members of the "Marketing" group
    - deny or permit access to certain network shares, printers, etc by permitting or denying access to the "Marketing" group via share & NTFS permissions.

    Some URLs to get you started:
      "How To Share Files and Folders Over a Network (Domain) in Windows 2000" (Microsoft KB 301198)
      "How To Configure Security for Files and Folders on a Network (Domain) in Windows 2000" (Microsoft KB 301195)

    If you need detailed help with share/NTFS permissions, it would be best to open a new question in either the Networking or Windows Security topic areas.

    LVL 95

    Assisted Solution

    by:Lee W, MVP
    NEVER DENY ACCESS!!!!! that causes more problems.... DENY overrides PERMIT.  Users have NO ACCESS to files UNLESS they are specifically permitted via group membership or user account being assigned to the resource.  There are only VERY VERY rare circumstances where you want to use DENY - I used to manage a domain of 1000+ users and I can't remember a single instance where I used DENY on permissions for a file share.
    LVL 20

    Expert Comment

    Agree w/ leew 100%!  Don't specifically deny access to users or groups by setting a "deny" permission on either folders or shares, no matter what Microsoft's documentation tells you! It only creates more headaches than it's worth.
      Only allow what is needed (& don't leave the default "everyone" having "full control") - if you only allow access to those users/groups that need it, this has an implicit deny for everything else.  I've managed a lot of domains (& still do), & I've never set "deny" for permissions, only removed them from a client's domain that was set up by an inexperienced admin.
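The following is an added PowerShell example, not from the thread above, that implements the accepted solution's three steps (security group, membership, share & NTFS permissions) the way the last two comments recommend: Allow entries only, inherited Everyone/Users entries removed, and a final check that no explicit Deny ACE exists. It assumes an AD-joined file server with the ActiveDirectory and SmbShare modules; the share path and the member account names are constructed samples.

```powershell
# Added example (not the original thread's code). Assumes an AD domain, the
# ActiveDirectory and SmbShare modules, and a constructed share path.
Import-Module ActiveDirectory
Import-Module SmbShare

$groupName = 'Marketing'             # security group from the accepted solution
$sharePath = 'C:\Shares\Marketing'   # constructed example path
$shareName = 'Marketing'
$domain    = (Get-ADDomain).NetBIOSName

# 1. Create the "Marketing" security group and add marketing staff
#    (sample SAM account names, constructed for this example).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members 'mkt.user1', 'mkt.user2'

# 2. Create the folder and the share. Share permissions list only the group
#    and Administrators; Everyone is not granted anything.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
New-SmbShare -Name $shareName -Path $sharePath `
    -ChangeAccess "$domain\$groupName" -FullAccess 'BUILTIN\Administrators'

# 3. NTFS: cut inheritance without copying the inherited ACEs (this drops the
#    inherited Users/Everyone entries), then add Allow ACEs only. Any
#    principal not listed simply has no access: the implicit deny.
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    @{ Id = "$domain\$groupName";     Rights = 'Modify' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Id, $r.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $sharePath -AclObject $acl

# 4. Audit: flag any explicit Deny ACE, which the thread advises against,
#    since Deny overrides Allow and is easy to misdiagnose later.
$denies = (Get-Acl -Path $sharePath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' }
if ($denies) {
    Write-Warning "Explicit Deny ACEs found on ${sharePath}"
    $denies | Format-Table IdentityReference, FileSystemRights
} else {
    Write-Output "No explicit Deny ACEs on ${sharePath}"
}
```

Run it once on the file server as an administrator; step 4 can be re-run on its own as a periodic check for Deny entries that creep in later.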
