
deny host in pix 525

Jan 3, 2003
Hi all:
I have a PIX 525 with four interfaces:
outside x.x.62.63
inside-1 192.168.1.1
DMZ 192.168.0.1
inside-2 172.0.0.1
I want to deny several users in network inside-2 from using the internet (these are the users' IPs):
172.0.0.6
172.0.0.11
172.0.0.12
172.0.0.30
Please help me with the access list I must do.
 
Well, you need to define whether they need access to any of your DMZs.

If not then the acl should be :

access-list acl_inside-2 deny ip host 172.0.0.6 any
access-list acl_inside-2 deny ip host 172.0.0.11 any
access-list acl_inside-2 deny ip host 172.0.0.12 any
access-list acl_inside-2 deny ip host 172.0.0.30 any
access-list acl_inside-2 permit ip any any

access-group acl_inside-2 in interface inside-2

If you need those hosts to reach anything through the pix you will need to permit it before those deny statements.

Jan

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Shouldn't it say

access-list acl_inside-2 deny tcp host 172.0.0.6 any eq www
access-list acl_inside-2 deny tcp host 172.0.0.11 any eq www
access-list acl_inside-2 deny tcp host 172.0.0.12 any eq www
access-list acl_inside-2 deny tcp host 172.0.0.30 any eq www
access-list acl_inside-2 permit ip any any

access-group acl_inside-2 in interface inside-2
 
Perhaps, though the original post was somewhat confusing by indicating a desire to block "internet". If it's "internet", then the first response is correct. If only web access should be blocked, then quickconnect is right.
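To make the difference between the two answers concrete, here is an added example (not posted by anyone in this thread) that models PIX first-match ACL evaluation in Python and runs the same constructed flows through Jan's "deny ip" list and quickconnect's "deny tcp ... eq www" list. The parser covers only the access-list syntax used above, and PORT_NAMES is an assumed subset of PIX port keywords.

```python
"""First-match model of a PIX interface ACL (added example, not from the thread). Parses only
access-list NAME {permit|deny} {ip|tcp|udp} SRC DST [eq PORT], with SRC/DST 'any' or 'host A.B.C.D'."""
import ipaddress

PORT_NAMES = {"www": "80", "https": "443", "domain": "53"}  # assumed subset of PIX port keywords

def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError("unsupported address form: " + tok[i])

def parse_acl(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport_or_None), ...]} in line order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port = int(PORT_NAMES.get(tok[i + 1], tok[i + 1])) if i < len(tok) and tok[i] == "eq" else None
        acls.setdefault(tok[1], []).append((tok[2], tok[3], src, dst, port))
    return acls

def evaluate(rules, src, dst, proto, dport):
    """Walk rules top-down; the first match decides, and no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return action
    return "deny"

# Jan's ACL blocks every protocol from the four hosts; quickconnect's variant, written with the
# 'tcp ... any eq www' form PIX accepts, blocks only TCP/80, so HTTPS, DNS and the rest still pass.
HOSTS = ["172.0.0.6", "172.0.0.11", "172.0.0.12", "172.0.0.30"]
TAIL = "\naccess-list acl_inside-2 permit ip any any"
ACL_ALL = "\n".join(f"access-list acl_inside-2 deny ip host {h} any" for h in HOSTS) + TAIL
ACL_WWW = "\n".join(f"access-list acl_inside-2 deny tcp host {h} any eq www" for h in HOSTS) + TAIL

def compare(flow):
    """flow = (src, dst, proto, dport); return (verdict under ACL_ALL, verdict under ACL_WWW)."""
    a, w = parse_acl(ACL_ALL)["acl_inside-2"], parse_acl(ACL_WWW)["acl_inside-2"]
    return evaluate(a, *flow), evaluate(w, *flow)

if __name__ == "__main__":  # constructed flows; 198.51.100.10 is a documentation-range stand-in
    for f in [("172.0.0.6", "198.51.100.10", "tcp", 80), ("172.0.0.6", "198.51.100.10", "tcp", 443),
              ("172.0.0.6", "198.51.100.10", "udp", 53), ("172.0.0.7", "198.51.100.10", "tcp", 80)]:
        print(f, "->", compare(f))
```

Under the www-only list a blocked host still reaches HTTPS and DNS, which is why the third reply says the right answer depends on whether "internet" meant all traffic or just port 80.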
 