
Access-list. How can I block only one computer from the LAN to WWW

Status
Not open for further replies.

ixleplix

MIS
Feb 6, 2003
129
We have a Pix515 and need to block one problem user's inside IP from accessing the internet. I thought I had the syntax correct when I entered the following:

access-list 150 deny tcp host 172.16.1.17 0.0.0.0 eq www
access-list 150 permit ip any any
access-group 150 in interface inside

and nothing happened?
From what I'd read, this seemed to be the correct approach. What am I doing wrong?




 
If you want to block ALL activity from the host, the commands would be the following:

access-list 150 deny ip host 172.16.1.17 any
access-list 150 permit ip any any
access-group 150 in interface inside
 
Thanks. We modified it to read:

access-list 105 deny tcp host 172.16.50.2 any eq www
access-list 105 permit ip any any
access-group 105 in interface inside

and now it works like a charm!
Thanks again for the help.

 
Just in case you're wondering, the 1st IP 172.16.1.17 was a test and the 2nd 172.16.50.2 was the final implementation.
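
Added example (not part of the thread and not Cisco code): a small first-match evaluator run over the two ACLs posted above. It shows that ACL 105 denies only TCP port 80 from 172.16.50.2, so other traffic from that host, such as TCP 443, still hits the permit line, while ACL 150 denies everything from its host. The destination 203.0.113.10 and the function names are assumptions made for the illustration, and the model covers only the entry forms used in the thread.

```python
import ipaddress

PORTS = {"www": 80}  # PIX port name used in the thread: www is TCP/80

# ACLs copied from the thread (the access-group line is not an ACL entry).
ACL_105 = """access-list 105 deny tcp host 172.16.50.2 any eq www
access-list 105 permit ip any any"""
ACL_150 = """access-list 150 deny ip host 172.16.1.17 any
access-list 150 permit ip any any"""

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A netmask'; return an IPv4 network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()[2:]  # drop 'access-list N'
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = parse_addr(tokens), parse_addr(tokens)
        port = None
        if tokens[:1] == ["eq"]:
            port = PORTS[tokens[1]] if tokens[1] in PORTS else int(tokens[1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Action of the first matching entry; implicit deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if s not in r_src or d not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    web = "203.0.113.10"  # constructed destination (documentation range)
    for port in (80, 443):
        print(port, evaluate(parse_acl(ACL_105), "tcp", "172.16.50.2", web, port))
```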
 