Solved

Denying internet traffic, while still allowing intranet traffic via PIX firewall ACL

Posted on 2006-07-21
7
294 Views
Last Modified: 2013-11-16
Ok, so I have some computers I want to deny access to the internet.  The way I want to do this is assign them IP addresses of 172.16.30.X and have the firewall deny all outbound internet traffic, even just port 80 would do, from these ip's.
Is there  a way to do this?
thanks,
0
Comment
Question by:corphealth
7 Comments
 

Author Comment

by:corphealth
ID: 17153851
oh yeah, this is PIX515E running 61(4)
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17153956
a few options:

1. remove default gateway entry from the PCs (only an admin could add it back)
(denies access from PC to anything outside local network/subnet)

2. access-list inside_access_out deny ip 172.16.30.0 255.255.255.0
(denies access from anything within the 172.16.30.x subnet to outside)

3. access-list inside_access_out deny ip 172.16.30.2 255.255.255.255
(denies the specific IP access to anything outside)

4. access list inside_access_out extended deny tcp 172.16.30.0 255.255.255.0 eq www
(denies port 80/www from anything within the 172.16.30.x subnet to outside)

5. access list inside_access_out extended deny tcp 172.16.30.2 255.255.255.255 eq www
(denies port 80/www from the specific IP to anything outside)

Please not your access lists may be named differently, so please keep in mind you may have to edit "inside_access_out" to your specific outbound access list name.

Thanks!

Justin
0
 

Author Comment

by:corphealth
ID: 17154058
I removed the default gateway, but then it wouldn't get to the internal sites, like sharepoint, etc
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17154169
corphealth-

It would get to anything WITHIN it's own subnet (172.16.30.x) but if you have other internal subnets they would not be reachable, UNLESS you add routes locally into the PCs in question for the network you want them to get to.  This is a workable solution for a few clients.

from windows command line:

ROUTE ADD 172.16.40.0 MASK 255.255.255.0 172.16.30.1


Here is the windows help on the topic: You don't NEED the items after the gateway IP address

> route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
           destination^      ^mask      ^gateway     metric^    ^
                                                         Interface^
Thanks!

Justin
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17154676
Do not go that way, modify the access-list on the firewall and done.

Cheers,
Rajesh
0
 

Author Comment

by:corphealth
ID: 17155781
Ok, I tried those in ACL, did i need to interface with a serial to ad those?
i was at config# and it just wouldn't add any. wierd.
I got a temp solution, by using a .rat file from microsoft and enabling content advisor, it will only let her go to site that I allow.
I still need to learn how to add/remove ACL rules though.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17156814
pix#config term
pix(config)#access-list restrict_outbound deny ip host 172.16.30.x any <== add for each host you want to deny
pix(config)#access-list restrict_outbound permit ip any any   <== allow everything else [important]
pix(config)#access-group restrict_outbound in interface inside  <== apply it to the interface
pix(config)#exit
pix#write mem


0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Watchguard Firewall monitoring 1 630
Best firewall recommendation 12 184
Network Activities  please help 16 76
Remote Desktop Encryption error at the client 1 44
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now