• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 219

Restrict internet access with PIX from all but one host

Need to restrict internet access to all but one internal IP address for anything outgoing, as we will be streaming a presentation and want to make sure no one else on the network takes any bandwidth.

What kind of access list would I need?
Asked by: Mystical_Ice

2 Solutions
 
The_Kirschi commented:
Which OS version on PIX? Which model?

Should be something like:

access-list <name of access-list> permit tcp host <internal ip> host <destination ip> eq http

Other http traffic is denied by default if this is your only access-list entry for http.

You also need to apply the access-list to your PIX's inside interface like:

access-group <name of access-list> in interface inside
 
Mystical_Ice (Author) commented:
Not sure of PIX OS

Not HTTP, I want to disable any traffic outbound - SSH, SMTP, anything.
 
The_Kirschi commented:
Any other outbound access is denied automatically when you configure an access-list for just a single host. There is an implicit "deny all".
 
dslam24 commented:
Pretty much the way Kirschi said, just modify it a bit for all protocols:

access-list <name of access-list> permit ip host <internal ip> any

Then apply it to the inside interface.

access-group <name of access-list> in interface inside

This would block all traffic trying to go from inside your network out for everything except your conferencing device.

One more thing: this will work OK if you are initiating traffic from the inside going outbound. If you have a video conferencing system that is connecting to another and you initiate the call, this will work OK, but if the far end has to request the call you may have some problems, depending on what your access-list looks like on your OUTSIDE interface.

In that case you also have to add a permission to your outside interface ACL, something like:

access-list <Outside_to_inside> permit ip <Source> host <internal ip>

It's probably best to find out what port numbers are being used and lock it down further.
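To check that the single-host ACL from The_Kirschi's and dslam24's answers really leaves every other inside host with nothing but the implicit deny, here is an added example (not code from the thread or from Cisco) that models PIX first-match ACL evaluation over a constructed configuration. The ACL names INSIDE_OUT and OUTSIDE_IN, the addresses 192.168.1.50 and 203.0.113.10, and port 5060 are assumptions for illustration; NAT is ignored, so the outside ACL refers to the internal address exactly as dslam24's line does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed PIX configuration in the style of the thread's answers.
# Addresses, ACL names and the port are placeholders, not from the page.
# The outside entry only matters when the far end initiates the call;
# replies to connections opened from inside are allowed statefully.
PIX_CONFIG = """
access-list INSIDE_OUT permit ip host 192.168.1.50 any
access-group INSIDE_OUT in interface inside
access-list OUTSIDE_IN permit udp host 203.0.113.10 host 192.168.1.50 eq 5060
access-group OUTSIDE_IN in interface outside
"""

NAMED_PORTS = {"http": 80, "ssh": 22, "smtp": 25}


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        # 'host any' (as in the uncorrected answer) would fail here:
        # 'host' must be followed by a single IPv4 address.
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs take a normal subnet mask here, not a wildcard mask.
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config, name):
    """Collect the access-list entries for one ACL name, in order."""
    rules = []
    for line in config.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue                      # skip other ACLs and access-group lines
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            port_tok = t[i + 1]
            dport = int(port_tok) if port_tok.isdigit() else NAMED_PORTS[port_tok]
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action == "permit"
    return False


if __name__ == "__main__":
    inside = parse_acl(PIX_CONFIG, "INSIDE_OUT")
    outside = parse_acl(PIX_CONFIG, "OUTSIDE_IN")
    # Constructed sample flows: (interface ACL, proto, src, dst, dport)
    flows = [
        ("inside", inside, "tcp", "192.168.1.50", "203.0.113.10", 443),   # the presenter
        ("inside", inside, "tcp", "192.168.1.51", "203.0.113.10", 80),    # any other host
        ("inside", inside, "tcp", "192.168.1.52", "198.51.100.9", 22),    # SSH from another host
        ("outside", outside, "udp", "203.0.113.10", "192.168.1.50", 5060),  # far end calls in
        ("outside", outside, "tcp", "203.0.113.10", "192.168.1.50", 22),    # anything else inbound
    ]
    for iface, rules, proto, src, dst, dport in flows:
        verdict = "permit" if evaluate(rules, proto, src, dst, dport) else "deny (implicit)"
        print(f"{iface:7} {proto} {src} -> {dst}:{dport}  {verdict}")
```

Running it shows only the presenter's host getting out; every other inside host, on every protocol, falls through to the implicit deny, which is the behaviour The_Kirschi describes. The outside ACL entry is the second half of dslam24's advice, scoped to one peer and one port rather than `ip`, which is what "lock it down further" amounts to once the real port is known.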
