How to restrict certain clients from accessing NAT server

Hi,

I set up Windows 2003 Server SP1 as a NAT server to share an Internet connection with my LAN clients.

I wish to block some clients from accessing the Internet, so can you show me what sort of configuration I should do to achieve this? I believe the basic firewall in Windows 2003 Server can do this, but I don't know how.


Kind regards,

mrpc_cambodia

Michael Worsham (Staff Infrastructure Architect) commented:
Do the PCs that are going through your server have static or DHCP IP addresses?
0
mrpc_cambodia (Author) commented:
All those clients have DHCP addresses. I use the same server to act as the DHCP server.
0
Michael Worsham (Staff Infrastructure Architect) commented:
You can set up the DHCP to exclude the user's PC MAC address, thus not assigning them an Internet gateway.
http://www.windowsnetworking.com/articles_tutorials/DHCP_Server_Windows_2003.html
0

mrpc_cambodia (Author) commented:
Thanks for your comment.

What if the user knows the IP of the gateway, changes his PC to a static IP and assigns the gateway himself? Then he will still be able to access the Internet.

Can we do something on the firewall so that a certain IP or MAC address will be blocked from going through the NAT?


Thanks,

0
Michael Worsham (Staff Infrastructure Architect) commented:
No. The Microsoft Server firewall doesn't have the capability for handling/filtering MAC addresses.

However, you could get a cheap NAT-based router (i.e. Linksys BEFSX41) and have it handle the MAC address filtering to block it from accessing the Internet. The Linksys BEFSX41 has a very easy to use web interface and you can block the access to that PC's MAC address with a time limit or whatever you like.

Linksys BEFSX41 VPN/Endpoint Router:
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1130276636538&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=3653822279B01
0
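The static-IP workaround raised in the question above can at least be audited from the NAT server by comparing its ARP cache with the DHCP lease table. This is an added example, not part of the original thread; the `arp -a` output, lease table and MAC addresses are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample of Windows `arp -a` output from the NAT server's LAN interface.
ARP_OUTPUT = """\
Interface: 192.168.0.1 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.0.10          00-11-22-33-44-55     dynamic
  192.168.0.11          00-11-22-33-44-66     dynamic
  192.168.0.200         00-11-22-33-44-77     dynamic
  192.168.0.201         00-11-22-33-44-88     dynamic
"""

# Constructed DHCP lease table (IP -> MAC) and the MACs excluded from Internet access.
DHCP_LEASES = {"192.168.0.10": "00-11-22-33-44-55",
               "192.168.0.11": "00-11-22-33-44-66"}
BLOCKED_MACS = {"00-11-22-33-44-77"}

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+\s*$")

def parse_arp(text):
    """Return (ip, mac) pairs from `arp -a` output, skipping header lines."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def audit(arp_text, leases, blocked):
    """Flag blocked MACs seen on the LAN and addresses DHCP did not hand out."""
    leases = {ip: mac.lower() for ip, mac in leases.items()}
    blocked = {mac.lower() for mac in blocked}
    findings = []
    for ip, mac in parse_arp(arp_text):
        if mac in blocked:
            findings.append((ip, mac, "blocked MAC active on LAN"))
        elif ip not in leases:
            findings.append((ip, mac, "IP not leased by DHCP (static?)"))
        elif leases[ip] != mac:
            findings.append((ip, mac, "MAC differs from DHCP lease"))
    return findings

if __name__ == "__main__":
    for finding in audit(ARP_OUTPUT, DHCP_LEASES, BLOCKED_MACS):
        print(finding)
```

A MAC address can be changed on the client, so treat the findings as an audit signal rather than enforcement.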
mrpc_cambodia (Author) commented:
Could you also recommend me a software solution to block access based on IP or MAC address?

Thank you,
0
Michael Worsham (Staff Infrastructure Architect) commented:
There aren't any 'free' software solutions for MAC filtering firewalls; however, I was able to find a site that has trial software that works on Server 2003:

VisNetic Firewall (http://www.deerfield.com/products/visnetic-firewall/)

MAC Address Filtering
VisNetic Firewall now has the ability to filter traffic based on MAC addresses. Because a MAC address is specific to one individual network interface, this feature is particularly useful if you want to allow or block traffic from a particular computer whose IP address may change.

Added Features:
http://www.deerfield.com/products/visnetic-firewall/features/fulllist.htm

Trial: http://www.deerfield.com/download/visnetic-firewall/
0

mrpc_cambodia (Author) commented:
Thanks so much. You're so helpful.
0
Michael Worsham (Staff Infrastructure Architect) commented:
Glad I could help.

-- Michael
0