Solved

Denying internet traffic, while still allowing intranet traffic via PIX firewall ACL

Posted on 2006-07-21 | 301 Views | Last Modified: 2013-11-16
Ok, so I have some computers I want to deny access to the internet. The way I want to do this is assign them IP addresses of 172.16.30.X and have the firewall deny all outbound internet traffic, even just port 80 would do, from these IPs.
Is there a way to do this?
thanks,
Question by: corphealth

7 Comments
Author Comment by: corphealth, ID: 17153851

Oh yeah, this is a PIX 515E running 6.1(4).
Expert Comment by: NYtechGuy (LVL 9), ID: 17153956

A few options:

1. remove default gateway entry from the PCs (only an admin could add it back)
(denies access from PC to anything outside local network/subnet)

2. access-list inside_access_out deny ip 172.16.30.0 255.255.255.0 any
(denies access from anything within the 172.16.30.x subnet to outside)

3. access-list inside_access_out deny ip 172.16.30.2 255.255.255.255 any
(denies the specific IP access to anything outside)

4. access-list inside_access_out deny tcp 172.16.30.0 255.255.255.0 any eq www
(denies port 80/www from anything within the 172.16.30.x subnet to outside)

5. access-list inside_access_out deny tcp 172.16.30.2 255.255.255.255 any eq www
(denies port 80/www from the specific IP to anything outside)

Please note your access lists may be named differently, so please keep in mind you may have to edit "inside_access_out" to your specific outbound access list name.

Thanks!

Justin
Author Comment by: corphealth, ID: 17154058

I removed the default gateway, but then it wouldn't get to the internal sites, like SharePoint, etc.
Expert Comment by: NYtechGuy (LVL 9), ID: 17154169

corphealth-

It would get to anything WITHIN its own subnet (172.16.30.x), but if you have other internal subnets they would not be reachable, UNLESS you add routes locally into the PCs in question for the network you want them to get to. This is a workable solution for a few clients.

From the Windows command line:

ROUTE ADD 172.16.40.0 MASK 255.255.255.0 172.16.30.1

Here is the Windows help on the topic (you don't NEED the items after the gateway IP address):

> route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
           destination^      ^mask      ^gateway     metric^    ^
                                                         Interface^
Thanks!

Justin
Expert Comment by: rsivanandan (LVL 32), ID: 17154676

Do not go that way, modify the access-list on the firewall and done.

Cheers,
Rajesh
Author Comment by: corphealth, ID: 17155781

Ok, I tried those in the ACL, did I need to interface with a serial to add those?
I was at config# and it just wouldn't add any. Weird.
I got a temp solution by using a .rat file from Microsoft and enabling Content Advisor; it will only let her go to sites that I allow.
I still need to learn how to add/remove ACL rules though.
Accepted Solution by: lrmoore (LVL 79), earned 500 total points, ID: 17156814

pix#config term
pix(config)#access-list restrict_outbound deny ip host 172.16.30.x any <== add for each host you want to deny
pix(config)#access-list restrict_outbound permit ip any any   <== allow everything else [important]
pix(config)#access-group restrict_outbound in interface inside  <== apply it to the interface
pix(config)#exit
pix#write mem

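
As an added example (not part of the original thread and not Cisco's code), the script below models how the PIX evaluates an access-list: entries are tested top-down, the first match wins, and a packet that matches nothing hits the implicit deny at the end of the list. It parses the PIX 6.x syntax used in this thread (no `extended` keyword, real subnet masks rather than IOS wildcards) and runs a few constructed flows through four constructed lists: a deny-only list like the options NYtechGuy posted, which cuts off every host because nothing permits the rest; the accepted solution's deny-then-permit-any-any shape; the same list with a permit for the intranet ranges placed ahead of the host deny, since `any` as a destination also covers internal segments that are reached through the firewall; and a version with `eq www` misplaced right after the source address, which matches the source port and so never catches a browser's outbound request. All addresses (the 172.16.x.x hosts and 203.0.113.10 as a stand-in internet host) and the port numbers are hypothetical.

```python
"""Model of PIX 6.x access-list evaluation (added example, not from the thread)."""
import ipaddress

# Syntax handled (PIX 6.x, no 'extended' keyword; that arrived with 7.0/ASA):
#   access-list NAME permit|deny PROTO SRC [eq PORT] DST [eq PORT]
# SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'. The mask is a real
# subnet mask (255.255.255.0), not an IOS-style wildcard (0.0.0.255).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}


def _addr(tok, i):
    """Consume one address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1], strict=False), i + 2


def _port(tok, i):
    """Consume an optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i


def parse_acl(config):
    """Map ACL name -> ordered entries, from the access-list lines in config."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        name, action, proto = tok[1], tok[2], tok[3]
        if action not in ("permit", "deny"):
            raise ValueError("bad action: " + line)
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        acls.setdefault(name, []).append(dict(
            action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, line=line))
    return acls


def evaluate(entries, proto, src, dst, dport=None, sport=None):
    """Top-down first match, as the PIX does it; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "<implicit deny at end of list>"


def decisions(config, name, flows):
    """Action the named ACL takes for each (proto, src, dst, dport, sport) flow."""
    entries = parse_acl(config)[name]
    return [evaluate(entries, *flow)[0] for flow in flows]


# Constructed lists. Addresses are hypothetical; 203.0.113.10 stands in for an internet host.
DENY_ONLY = "access-list inside_access_out deny tcp 172.16.30.0 255.255.255.0 any eq www\n"
WITH_CATCHALL = (  # the accepted solution's shape
    "access-list restrict_outbound deny ip host 172.16.30.2 any\n"
    "access-list restrict_outbound permit ip any any\n")
ORDERED = (  # intranet permit first, so 'any' does not also swallow internal segments
    "access-list restrict_outbound permit ip host 172.16.30.2 172.16.0.0 255.255.0.0\n"
    "access-list restrict_outbound deny ip host 172.16.30.2 any\n"
    "access-list restrict_outbound permit ip any any\n")
SOURCE_PORT_MISTAKE = (  # 'eq www' right after the source matches the SOURCE port
    "access-list inside_access_out deny tcp 172.16.30.0 255.255.255.0 eq www any\n"
    "access-list inside_access_out permit ip any any\n")

WEB = ("tcp", "172.16.30.2", "203.0.113.10", 80, 49152)        # browsing from a denied host
HTTPS = ("tcp", "172.16.30.2", "203.0.113.10", 443, 49153)
DNS = ("udp", "172.16.30.2", "203.0.113.10", 53, 49154)
INTRANET = ("tcp", "172.16.30.2", "172.16.40.10", 80, 49155)   # SharePoint on another inside segment
OTHER_HOST = ("tcp", "172.16.30.3", "203.0.113.10", 80, 49156)  # an unrestricted neighbour
FLOWS = [WEB, HTTPS, DNS, INTRANET, OTHER_HOST]

if __name__ == "__main__":
    for label, cfg, name in (("deny-only", DENY_ONLY, "inside_access_out"),
                             ("with catch-all", WITH_CATCHALL, "restrict_outbound"),
                             ("ordered", ORDERED, "restrict_outbound"),
                             ("source-port mistake", SOURCE_PORT_MISTAKE, "inside_access_out")):
        print(f"{label:20s}", decisions(cfg, name, FLOWS))
```

Running it prints one action per flow for each list: the deny-only list denies all five flows, including the unrestricted neighbour, because it has no permit entry at all; the catch-all version denies the named host everywhere, intranet included; the ordered version lets that host reach 172.16.x.x while still denying the internet; and the source-port version permits everything. On the firewall itself the equivalent check is show access-list, whose hitcnt values show which entry each flow is actually hitting. Since PIX 6.x binds one access list per interface direction, check the running configuration (write terminal) for an existing access-group on inside before applying a new list; if one is already bound, the deny entries belong at the top of that list, ahead of its permit lines, rather than in a fresh list that would replace it.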