Denying internet traffic, while still allowing intranet traffic via PIX firewall ACL

Posted on 2006-07-21
Last Modified: 2013-11-16
Ok, so I have some computers I want to deny access to the internet. The way I want to do this is assign them IP addresses of 172.16.30.X and have the firewall deny all outbound internet traffic, even just port 80 would do, from these IPs.
Is there a way to do this?
Thanks,
Question by:corphealth
7 Comments
 

Author Comment

by:corphealth
ID: 17153851
Oh yeah, this is a PIX 515E running 6.1(4).
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17153956
A few options:

1. remove default gateway entry from the PCs (only an admin could add it back)
(denies access from PC to anything outside local network/subnet)

2. access-list inside_access_out deny ip 172.16.30.0 255.255.255.0 any
(denies access from anything within the 172.16.30.x subnet to outside)

3. access-list inside_access_out deny ip 172.16.30.2 255.255.255.255 any
(denies the specific IP access to anything outside)

4. access-list inside_access_out deny tcp 172.16.30.0 255.255.255.0 any eq www
(denies port 80/www from anything within the 172.16.30.x subnet to outside)

5. access-list inside_access_out deny tcp 172.16.30.2 255.255.255.255 any eq www
(denies port 80/www from the specific IP to anything outside)

Please note your access lists may be named differently, so keep in mind you may have to edit "inside_access_out" to your specific outbound access list name.

Thanks!

Justin
0
 

Author Comment

by:corphealth
ID: 17154058
I removed the default gateway, but then it wouldn't get to the internal sites, like SharePoint, etc.
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17154169
corphealth-

It would get to anything WITHIN its own subnet (172.16.30.x), but if you have other internal subnets they would not be reachable, UNLESS you add routes locally into the PCs in question for the network you want them to get to. This is a workable solution for a few clients.

from windows command line:

ROUTE ADD 172.16.40.0 MASK 255.255.255.0 172.16.30.1


Here is the Windows help on the topic (you don't NEED the items after the gateway IP address):

> route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
           destination^      ^mask      ^gateway     metric^    ^
                                                         Interface^
Thanks!

Justin
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17154676
Do not go that way, modify the access-list on the firewall and done.

Cheers,
Rajesh
0
 

Author Comment

by:corphealth
ID: 17155781
Ok, I tried those in the ACL; did I need to interface with a serial to add those?
I was at config# and it just wouldn't add any. Weird.
I got a temp solution by using a .rat file from Microsoft and enabling Content Advisor; it will only let her go to sites that I allow.
I still need to learn how to add/remove ACL rules, though.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1500 total points
ID: 17156814
pix#config term
pix(config)#access-list restrict_outbound deny ip host 172.16.30.x any <== add for each host you want to deny
pix(config)#access-list restrict_outbound permit ip any any   <== allow everything else [important]
pix(config)#access-group restrict_outbound in interface inside  <== apply it to the interface
pix(config)#exit
pix#write mem


0
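As an added example (not from any of the posters in this thread), the following Python models how a PIX access-list applied inbound on the inside interface is evaluated: the first matching entry wins and every access-list ends in an implicit deny, which is why lrmoore's closing `permit ip any any` is marked important and why NYtechGuy's port-80-only variant leaves other ports open. It also generates the accepted answer's per-host configuration and, going beyond the thread, shows how a more specific permit for internal networks placed before a host's deny keeps intranet subnets reachable when those subnets sit behind another firewall interface. The parser, the network 172.16.0.0/16, the hosts 172.16.30.5 to .7 and the external address 198.51.100.10 are constructed for the example.

```python
"""First-match model of a PIX 6.x access-list (added example, not from the thread).

Parses the access-list lines used in this thread, evaluates sample flows the way
the PIX does (first matching entry wins, implicit deny at the end) and generates
the accepted answer's per-host deny list. All hosts and networks are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # destination port; None means any port


def _parse_addr(t: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # PIX access-lists take a normal subnet mask, not the wildcard mask IOS uses.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line: str):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into (name, Ace)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a PIX access-list entry: {line!r}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)       # a destination is mandatory on the PIX
    dport = None
    if i < len(t):
        if t[i] != "eq" or i + 1 >= len(t):
            raise ValueError(f"unsupported port operator in {line!r}")
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return name, Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> Dict[str, List[Ace]]:
    """Collect access-list entries by name; other lines (access-group, etc.) are ignored."""
    acl: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access-list "):
            name, ace = parse_ace(line)
            acl.setdefault(name, []).append(ace)
    return acl


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one flow: first match wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"    # every PIX access-list ends with an implicit deny


def restrict_outbound_config(blocked_hosts, intranet=(), name="restrict_outbound") -> str:
    """Emit the accepted answer's ACL. Any `intranet` networks are permitted for each
    blocked host BEFORE its deny, so subnets behind other PIX interfaces stay reachable."""
    lines = []
    for h in blocked_hosts:
        for net in intranet:
            n = ipaddress.ip_network(net)
            lines.append(f"access-list {name} permit ip host {h} {n.network_address} {n.netmask}")
        lines.append(f"access-list {name} deny ip host {h} any")
    lines.append(f"access-list {name} permit ip any any")   # without this, everyone else is denied
    lines.append(f"access-group {name} in interface inside")
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = restrict_outbound_config(["172.16.30.5"], intranet=["172.16.0.0/16"])
    print(cfg)
    aces = parse_acl(cfg)["restrict_outbound"]
    for flow in [("tcp", "172.16.30.5", "198.51.100.10", 80),   # blocked host to internet
                 ("tcp", "172.16.30.5", "172.16.40.10", 80),    # blocked host to intranet
                 ("tcp", "172.16.30.6", "198.51.100.10", 80)]:  # any other host
        print(flow, "->", evaluate(aces, *flow))
```

The model covers only the access-list itself; it does not reproduce NAT, statics or the PIX's default security-level behaviour, and traffic between hosts on the same inside subnet never reaches the firewall, so no ACL can affect it.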