Denying internet traffic, while still allowing intranet traffic via PIX firewall ACL

Ok, so I have some computers I want to deny access to the internet. The way I want to do this is assign them IP addresses of 172.16.30.X and have the firewall deny all outbound internet traffic, even just port 80 would do, from these IPs.
Is there a way to do this?
thanks,
corphealth Asked:
lrmoore Commented:
pix#config term
pix(config)#access-list restrict_outbound deny ip host 172.16.30.x any <== add for each host you want to deny
pix(config)#access-list restrict_outbound permit ip any any   <== allow everything else [important]
pix(config)#access-group restrict_outbound in interface inside  <== apply it to the interface
pix(config)#exit
pix#write mem


0
 
corphealth (Author) Commented:
oh yeah, this is PIX515E running 61(4)
0
 
NYtechGuyCommented:
a few options:

1. remove default gateway entry from the PCs (only an admin could add it back)
(denies access from PC to anything outside local network/subnet)

2. access-list inside_access_out deny ip 172.16.30.0 255.255.255.0 any
(denies access from anything within the 172.16.30.x subnet to outside)

3. access-list inside_access_out deny ip host 172.16.30.2 any
(denies the specific IP access to anything outside)

4. access-list inside_access_out deny tcp 172.16.30.0 255.255.255.0 any eq www
(denies port 80/www from anything within the 172.16.30.x subnet to outside)

5. access-list inside_access_out deny tcp host 172.16.30.2 any eq www
(denies port 80/www from the specific IP to anything outside)

Please note your access lists may be named differently, so please keep in mind you may have to edit "inside_access_out" to your specific outbound access list name.

Thanks!

Justin
0
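The two answers above rely on the same PIX behaviour: entries in an access-list are evaluated top to bottom, the first match wins, and anything that matches nothing is dropped by the implicit deny at the end of the list. That is why lrmoore marks the trailing "permit ip any any" as important. The following evaluator is an added example (not code from this thread or from Cisco) that models that subset of PIX 6.x syntax: ip or tcp, "host", "any" or network-plus-mask addresses, and an optional "eq port". The ACLs and addresses it evaluates are constructed for illustration; the host 172.16.30.5 and the outside address 198.51.100.10 are placeholders, not values from the question. Note that an ACL applied "in interface inside" only sees traffic crossing the PIX, so hosts on the same inside segment (the SharePoint server in the question, for instance) remain reachable regardless of the deny entries.

```python
"""First-match evaluator for PIX 6.x style access-list entries (added example)."""
import ipaddress

# Small constructed table of the port names PIX accepts in place of numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX takes a normal subnet mask, not a wildcard mask: "172.16.30.0 255.255.255.0"
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        port = PORT_NAMES.get(p) or int(p)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "dport": port}


def parse_acl(lines):
    """Parse the entries of one ACL, preserving order (order is what the PIX evaluates)."""
    return [parse_ace(l) for l in lines if l.strip()]


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """Return ('permit'|'deny', matching entry or None) with first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue  # an 'ip' entry covers every protocol; 'tcp' only covers tcp
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace
    return "deny", None  # implicit deny at the end of every PIX access-list


def decision(acl, src, dst, proto="tcp", dport=None):
    """Convenience wrapper returning only the verdict string."""
    return evaluate(acl, src, dst, proto, dport)[0]


# Constructed sample: lrmoore's pattern, one blocked host plus the required permit-any.
RESTRICT_OUTBOUND = parse_acl([
    "access-list restrict_outbound deny ip host 172.16.30.5 any",
    "access-list restrict_outbound permit ip any any",
])

# Constructed sample: block only port 80 for the whole 172.16.30.0/24 subnet.
BLOCK_WWW_ONLY = parse_acl([
    "access-list restrict_outbound deny tcp 172.16.30.0 255.255.255.0 any eq www",
    "access-list restrict_outbound permit ip any any",
])

# The same deny without the trailing permit: the implicit deny now blocks every host.
MISSING_PERMIT = parse_acl([
    "access-list restrict_outbound deny ip host 172.16.30.5 any",
])

if __name__ == "__main__":
    print(decision(RESTRICT_OUTBOUND, "172.16.30.5", "198.51.100.10", "tcp", 80))  # deny
    print(decision(RESTRICT_OUTBOUND, "172.16.30.6", "198.51.100.10", "tcp", 80))  # permit
    print(decision(BLOCK_WWW_ONLY, "172.16.30.5", "198.51.100.10", "tcp", 443))    # permit
    print(decision(MISSING_PERMIT, "172.16.30.6", "198.51.100.10", "tcp", 80))     # deny
```

Running the three constructed lists side by side shows the practical difference between the answers: a "deny ip host ... any" entry stops every protocol from that host, the "eq www" variant leaves HTTPS and DNS alone, and a list that ends without "permit ip any any" cuts off hosts that were never named, which is the easiest way to lock the whole inside network out by accident.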
 
corphealth (Author) Commented:
I removed the default gateway, but then it wouldn't get to the internal sites, like sharepoint, etc
0
 
NYtechGuyCommented:
corphealth-

It would get to anything WITHIN its own subnet (172.16.30.x) but if you have other internal subnets they would not be reachable, UNLESS you add routes locally into the PCs in question for the network you want them to get to. This is a workable solution for a few clients.

from windows command line:

ROUTE ADD 172.16.40.0 MASK 255.255.255.0 172.16.30.1


Here is the windows help on the topic: You don't NEED the items after the gateway IP address

> route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
           destination^      ^mask      ^gateway     metric^    ^
                                                         Interface^
Thanks!

Justin
0
 
rsivanandanCommented:
Do not go that way, modify the access-list on the firewall and done.

Cheers,
Rajesh
0
 
corphealth (Author) Commented:
Ok, I tried those in ACL, did I need to interface with a serial to add those?
I was at config# and it just wouldn't add any. Weird.
I got a temp solution, by using a .rat file from Microsoft and enabling Content Advisor, it will only let her go to sites that I allow.
I still need to learn how to add/remove ACL rules though.
0