Solved

Restrict internet access with PIX from all but one host

Posted on 2011-09-23
4
203 Views
Last Modified: 2012-05-12
Need to restrict internetaccess to all but one internal IP address for anything outgoing, as we will be streaming a presentation and want to make sure no one else on the network takes any bandwidth.

What kind of access list would I need?
0
Comment
Question by:Mystical_Ice
  • 2
4 Comments
 
LVL 16

Accepted Solution

by:
The_Kirschi earned 300 total points
ID: 36591465
Which OS version on PIX? Which model?

Should be something like:

access-list <name of access-list> permit tcp host <internal ip> host <destination ip> eq http

Other http traffic is denied by default if this is your only access-list entry for http.

You also need to apply the access-list to your PIXes inside interface like:

access-group <name of access-list> in interface inside
0
 

Author Comment

by:Mystical_Ice
ID: 36594325
Not sure of PIX OS

Not HTTP, I want to disable any traffic outbound - SSH, SMTP, anything.
0
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 36594408
Any other outbound access is denied automatically when you configure an access-list for just a single host. There is an implicit "deny all".
0
 
LVL 2

Assisted Solution

by:dslam24
dslam24 earned 200 total points
ID: 36893721
Pretty much the way Krischi said, just modify it a bit for all protocols

access-list <name of access-list> permit ip host <internal ip> host any

Then apply it to the inside interface.

access-group <name of access-list> in interface inside

this would block all traffic trying to go from inside your network out for everything except your
conferencing device.

One more thing, this will work OK if you are initiating traffic from the inside going outbound,
if you have a video conferencing system that is connecting to another and you initiate the call
this will work OK but if the far end has to request the call you may have some problems
depending on what your access-list looks like on your OUTSIDE interface.

In that case you also have to add a permission to your outside interface ACL something like

access-list <Outside_to_inside> permit ip <Source> host <internal ip>

it's probably best to find out what port numbers are being used and lock it down further.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
cisco sg 200 trunking 4 29
Help with a subnetting question 7 58
Cisco Aironet 1140: setting up basic SSID 12 35
WLC and radius 4 12
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question