
Access-List for pix 515


bobo0605 (MIS, US), Dec 4, 2003
Hi, I'm trying to create an access-list to prevent some workstations from getting to the internet. Every time I create a list it knocks everyone off the internet. Here's my current configuration:

Access-list 110 deny tcp host 192.168.#.# eq www
Access-list 110 permit tcp any any eq www
Access-group 110 in interface inside

Any ideas would be appreciated!!!
 
Have you tried:

access-list 110 deny tcp host 192.168.x.x any eq www
access-list 110 permit tcp any any eq www

access-group 110 in interface inside

Now you've got to be careful. What you've essentially done is ONLY permit port 80 for inside users to access the internet (minus the one user with the first deny). If anyone is using a TCP port other than port 80, they will be denied. At the end of every Cisco access list is an explicit DENY. It's not shown but it's there by default. So actually your access-list reads:

access-list 110 deny tcp host 192.168.x.x any eq www
access-list 110 permit tcp any any eq www
access-list 110 deny ip any any (explicit deny all)

access-group 110 in interface inside

hope this helps.


 
Just to add to my first reply:

You may want to adjust your access-list to read like this:

access-list 110 deny ip host 192.168.x.x any
access-list 110 permit ip any any

access-group 110 in interface inside

This way you deny all traffic for the single host and permit all traffic for all others.

Hope this helps
 
Are your DNS servers allowed UDP 53? I don't see it on your access-list.

I wouldn't permit ip any any, but this list will probably be good for you.

access-list 110 deny tcp host 192.168.x.x any eq www
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 20
access-list 110 permit tcp any any eq 21
access-list 110 permit udp any any eq 53
access-list 110 permit tcp host xxx.xxx.xxx.xxx any eq smtp
!replace xxx.xxx.xxx.xxx with your email server

access-group 110 in interface inside
 
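The two replies above both turn on the same two facts about PIX access-lists: entries are tried in order and the first match decides, and a packet that matches nothing hits the unlisted deny at the end of the list. The following is an added example written for this page, not code from the thread or from Cisco: a small first-match evaluator that parses the posted entries and runs sample flows through the reply-1 list (port 80 only) and the reply-3 list (80, 443, 20, 21, UDP 53, SMTP from one host). The host 192.168.1.10 stands in for the thread's 192.168.x.x and 192.168.1.25 for the xxx.xxx.xxx.xxx mail server; both are assumed placeholders, and the sample flows are constructed.

```python
"""Added example: first-match evaluation of PIX-style access-list entries,
including the implicit deny at the end of every list. This is a toy evaluator
written for this page, not PIX code; the host addresses below are placeholders
for the 192.168.x.x and mail-server addresses the posts leave unspecified."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Port keywords PIX accepts in place of numbers (only the ones used here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25,
              "domain": 53, "ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp" or "udp"
    src: IPv4Network
    sport: Optional[int]    # None = any source port
    dst: IPv4Network
    dport: Optional[int]    # None = any destination port


def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (net, next)."""
    if i >= len(t):
        raise ValueError("missing source or destination address")
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _parse_port(t, i):
    """Consume an optional 'eq PORT' at t[i]; return (port_or_None, next)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list ID {permit|deny} PROTO SRC [eq P] DST [eq P]' line."""
    t = line.split()
    if len(t) < 5 or t[0].lower() != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = t[2].lower(), t[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)      # the destination the first post left out
    dport, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in {line!r}")
    return Ace(action, proto, src, sport, dst, dport)


def is_valid_ace(line):
    """True if the line has the full source/destination form PIX requires."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def parse_acl(text):
    """Parse a block of entries; blank lines and '!' comments are skipped."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("!")]


def _matches(ace, proto, src, sport, dst, dport):
    return ((ace.proto == "ip" or ace.proto == proto)
            and ip_address(src) in ace.src and ip_address(dst) in ace.dst
            and ace.sport in (None, sport) and ace.dport in (None, dport))


def evaluate(acl, proto, src, dst, dport, sport=40000):
    """First matching entry decides. Returns (action, 1-based entry number),
    or ("deny", None) when nothing matched and the implicit deny applies."""
    for n, ace in enumerate(acl, 1):
        if _matches(ace, proto, src, sport, dst, dport):
            return ace.action, n
    return "deny", None


# The two lists posted in the replies, with assumed placeholder addresses.
BLOCKED_HOST = "192.168.1.10"   # stands in for the thread's 192.168.x.x
MAIL_SERVER = "192.168.1.25"    # stands in for xxx.xxx.xxx.xxx

REPLY1_ACL = parse_acl(f"""
access-list 110 deny tcp host {BLOCKED_HOST} any eq www
access-list 110 permit tcp any any eq www
""")

REPLY3_ACL = parse_acl(f"""
access-list 110 deny tcp host {BLOCKED_HOST} any eq www
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 20
access-list 110 permit tcp any any eq 21
access-list 110 permit udp any any eq 53
access-list 110 permit tcp host {MAIL_SERVER} any eq smtp
""")

if __name__ == "__main__":
    # Constructed sample flows: (proto, source, destination, destination port)
    flows = [("tcp", BLOCKED_HOST, "198.51.100.1", 80),
             ("tcp", "192.168.1.20", "198.51.100.1", 80),
             ("udp", "192.168.1.20", "198.51.100.53", 53),   # DNS lookup
             ("tcp", "192.168.1.20", "198.51.100.2", 25)]    # workstation sending mail
    for f in flows:
        print(f, "reply1:", evaluate(REPLY1_ACL, *f), "reply3:", evaluate(REPLY3_ACL, *f))
```

Running it shows why the port-80-only list "knocks everyone off": an ordinary workstation's DNS query (UDP 53) matches nothing in the reply-1 list and falls through to the implicit deny, so name resolution dies even though port 80 is permitted. The same query is permitted by entry 6 of the reply-3 list, while SMTP from anything other than the mail server still falls through to the implicit deny there. The parser also rejects an entry with no destination, which is the shape of the first post's line.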
Thanks for the input! I will give these configurations a try and let you know how they go.
 
I have an application which uses SMTP to send emails. I want that to be blocked by the firewall (PIX 501) only for that particular public IP 216.181.x.x, which is mapped to an internal IP 192.168.x.x.

Thanks
Mathew
 
I want to block all emails which are generated from this application, from only 216.181.x.x, from going out of the firewall.
 