I wanted to restrict computers on my inside network from accessing certain network resources on the Internet. By default the PIX will allow traffic from a higher security level interface to reach a lower security level interface (i.e. inside can go outside, but not vice versa). This can be done by applying an inbound access-list to the inside interface.
It may not seem to make sense to set up an inbound access-list to control outbound access, but "in" refers to the direction relative to the firewall: traffic arriving at the inside interface from the inside hosts is exactly the traffic headed out to the Internet, so filtering it there controls outbound access. You'll see how it works next.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Below line blocks ALL access to www.playboy.com
access-list 101 deny ip any host 209.247.228.201
! Below lines allow ftp, dns, www, pop3, ntp, news, imap, and ssl
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq nntp
access-list 101 permit udp any any eq ntp
access-list 101 permit tcp any any eq imap4
access-list 101 permit tcp any any eq https
! Below line applies this to the inbound of Inside
access-group 101 in interface inside
This access-list blocks everything except DNS, News, HTTP, NTP, IMAP, POP3, SSL, FTP: every PIX access-list ends with an implicit deny, so anything not explicitly permitted (ICMP included) is dropped. It also blocks all access to 209.247.228.201. Entries are evaluated top down and the first match wins, which is why the deny for that host must sit above the permit lines.
You can modify this access-list to suit your needs. I use it to block access to instant messaging servers and other servers that are normally permitted under the allowed ports.