Solved

Restrict User Internet access through a Pix firewall

Posted on 2006-10-30
323 Views
Last Modified: 2013-11-16
I want to know the procedure, or if it is even possible, to restrict access to a group of individuals through my Cisco Pix 515 firewall.  I am running a DHCP network so I cannot do it by IP address.  Any ideas??  
Question by:mklunk79
10 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17835402
You can if you go for commercial products like WebSense.

Cheers,
Rajesh
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17836008
It also depends on what traffic you are looking to restrict, i.e., is it web traffic or something else?
Secondly, what is the infrastructure between your users and the PIX? Do you have an internal firewall or Proxy server between them?
 

Author Comment

by:mklunk79
ID: 17836541
I want to restrict all http, https, and ftp traffic to these users.  I want to continue to allow smtp traffic, just no Internet.  I do not have a proxy server.  I have 5 locations all connected via PTP T1 with a firewall sitting in front of the internet router.  The firewall internal interface is on my LAN that connects to the core router.  The external interface is public.  Let me know if this did not clear up the question for you, or you need more info.

 
LVL 9

Accepted Solution

by:jjoseph_x
jjoseph_x earned 43 total points
ID: 17837263
It'd be a bit of a pain, but you can do that with access-lists and the necessary access-group statement.  However you'll have two problems:

1) you'll have to create explicit denies for each user (if all users are on the same subnet).
2) you'll have to create an explicit allow for everyone else to use those services (which is just a single access-list).

Maintaining the list could be a pain if the addresses for which you want to block access could change (i.e. you're not using DHCP reservations).

You could do something like this:

access-list inbound-out deny TCP host xxx.xxx.xxx.xxx any eq ftp    <--- blocks FTP for that IP
access-list inbound-out deny TCP host xxx.xxx.xxx.xxx any eq http   <--- blocks http for that IP
access-list inbound-out deny TCP host xxx.xxx.xxx.xxx any eq https  <--- blocks https for that IP
access-list inbound-out permit IP any any                           <--- allows all IP services for everyone else
access-group inbound-out in interface inside                        <--- binds the access-list to the inside interface

The denies have to come before the permit because the access-list is processed like a chain (from top to bottom), so those who match the host address will be blocked (as the rule applies to them) whereas those who don't will be allowed.

However, you'd be better off using something like ISA Server or Websense than only the PIX.  It will be a pain to manage the access-list if the addresses change (i.e. relatively short DHCP leases) or if you have lots of users to add (you'd need the three denies for each user).
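To make the ordering point in the accepted answer concrete, here is an added example (not from the thread or from Cisco): it generates the per-user denies plus the single catch-all permit for a list of restricted inside hosts, and evaluates sample flows first-match, the way the PIX walks the list. The host and server addresses are constructed; the rendered syntax follows the answer's format and should be checked against the PIX command reference before use.

```python
# Added example: build the "three denies per user, one permit for everyone"
# access-list from the accepted answer and evaluate it top-down (first match wins).
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst port")   # port None = any port
Flow = namedtuple("Flow", "proto src dst port")          # one outbound connection

# Services the question wants blocked for the restricted users.
BLOCKED_PORTS = {"ftp": 21, "http": 80, "https": 443}

def build_acl(restricted_hosts):
    """Explicit denies for each restricted host first, then one permit for the rest.
    Order matters: the PIX stops at the first line that matches the packet."""
    acl = []
    for host in restricted_hosts:
        for port in BLOCKED_PORTS.values():
            acl.append(Rule("deny", "tcp", host, "any", port))
    acl.append(Rule("permit", "ip", "any", "any", None))   # single catch-all permit
    return acl

def render(acl, name="inbound-out"):
    """Render the rules in the PIX-style syntax used in the answer (constructed)."""
    lines = []
    for r in acl:
        src = "any" if r.src == "any" else f"host {r.src}"
        tail = f" eq {r.port}" if r.port else ""
        lines.append(f"access-list {name} {r.action} {r.proto} {src} {r.dst}{tail}")
    lines.append(f"access-group {name} in interface inside")   # bind to inside interface
    return "\n".join(lines)

def matches(rule, flow):
    """A rule matches when protocol, source, destination and port all match (or are wildcards)."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.src != "any" and rule.src != flow.src:
        return False
    if rule.dst != "any" and rule.dst != flow.dst:
        return False
    return rule.port is None or rule.port == flow.port

def evaluate(acl, flow):
    """First-match evaluation; an access-list that matches nothing denies implicitly."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"

if __name__ == "__main__":
    acl = build_acl(["10.0.0.5"])                      # constructed restricted host
    print(render(acl))
    print(evaluate(acl, Flow("tcp", "10.0.0.5", "198.51.100.9", 80)))   # deny
    print(evaluate(acl, Flow("tcp", "10.0.0.5", "198.51.100.9", 25)))   # permit (smtp)
```

Reversing the list (permit first) lets every flow through, which is the chain-processing caveat the answer describes.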
 
LVL 28

Assisted Solution

by:batry_boy
batry_boy earned 41 total points
ID: 17856179
You could also try what Cisco has called "cut-through proxy" authentication through the PIX for certain services such as http and ftp.  See the following link under the section "Configuring AAA":

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1090040

You can define usernames and passwords either locally on the PIX or on an external RADIUS server.  Every time the PIX sees traffic that matches a service you have specified with the "aaa authentication include" command, it will prompt the user for credentials.  This may fit your need.
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 17858707
batry boy, isn't that for incoming connections as opposed to outgoing connections?
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 41 total points
ID: 17859566
 
LVL 28

Expert Comment

by:batry_boy
ID: 17859609
No, it can be used for outbound connections. See the "aaa authentication" command in the PIX Firewall Command Reference for details.

Specifically,

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1111727

Regards...