Solved

Denying internet traffic, while still allowing intranet traffic via PIX firewall ACL

Posted on 2006-07-21
7
311 Views
Last Modified: 2013-11-16
Ok, so I have some computers I want to deny access to the internet.  The way I want to do this is assign them IP addresses of 172.16.30.X and have the firewall deny all outbound internet traffic, even just port 80 would do, from these ip's.
Is there  a way to do this?
thanks,
0
Comment
Question by:corphealth
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 

Author Comment

by:corphealth
ID: 17153851
oh yeah, this is PIX515E running 61(4)
0
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17153956
a few options:

1. remove default gateway entry from the PCs (only an admin could add it back)
(denies access from PC to anything outside local network/subnet)

2. access-list inside_access_out deny ip 172.16.30.0 255.255.255.0
(denies access from anything within the 172.16.30.x subnet to outside)

3. access-list inside_access_out deny ip 172.16.30.2 255.255.255.255
(denies the specific IP access to anything outside)

4. access list inside_access_out extended deny tcp 172.16.30.0 255.255.255.0 eq www
(denies port 80/www from anything within the 172.16.30.x subnet to outside)

5. access list inside_access_out extended deny tcp 172.16.30.2 255.255.255.255 eq www
(denies port 80/www from the specific IP to anything outside)

Please not your access lists may be named differently, so please keep in mind you may have to edit "inside_access_out" to your specific outbound access list name.

Thanks!

Justin
0
 

Author Comment

by:corphealth
ID: 17154058
I removed the default gateway, but then it wouldn't get to the internal sites, like sharepoint, etc
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17154169
corphealth-

It would get to anything WITHIN it's own subnet (172.16.30.x) but if you have other internal subnets they would not be reachable, UNLESS you add routes locally into the PCs in question for the network you want them to get to.  This is a workable solution for a few clients.

from windows command line:

ROUTE ADD 172.16.40.0 MASK 255.255.255.0 172.16.30.1


Here is the windows help on the topic: You don't NEED the items after the gateway IP address

> route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
           destination^      ^mask      ^gateway     metric^    ^
                                                         Interface^
Thanks!

Justin
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17154676
Do not go that way, modify the access-list on the firewall and done.

Cheers,
Rajesh
0
 

Author Comment

by:corphealth
ID: 17155781
Ok, I tried those in ACL, did i need to interface with a serial to ad those?
i was at config# and it just wouldn't add any. wierd.
I got a temp solution, by using a .rat file from microsoft and enabling content advisor, it will only let her go to site that I allow.
I still need to learn how to add/remove ACL rules though.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17156814
pix#config term
pix(config)#access-list restrict_outbound deny ip host 172.16.30.x any <== add for each host you want to deny
pix(config)#access-list restrict_outbound permit ip any any   <== allow everything else [important]
pix(config)#access-group restrict_outbound in interface inside  <== apply it to the interface
pix(config)#exit
pix#write mem


0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question