
How to block http traffic from one internal private address

Status
Not open for further replies.

rstitzel

MIS
Apr 24, 2002
286
US
I have a computer behind our pix firewall that I want to block from being able to surf the web. BUT I want the computer to be able to send and receive email. Currently our pix is set up to allow all our users to surf and send/receive email.

Please advise.

Thanks in advance for any and all help.
 
Hi.
I am in the same position. I have several computers behind our PIX 501, and need to block several from surfing the web and wasting time on their personal Hotmail and chatting. I would rather do this by blocking their internal IP if possible, and not spend more money on third party software. Right now I have granted access to all computers, but can I block certain individuals... or should I block certain ports?

Thanks for any advice. I'll be watching for this topic!
~C
 
If you use a proxy server then you will have to set this up on the proxy as this is the only machine that will be set for port 80 browsing. If you don't use a proxy then you could set up an ACL to allow browsing to all except that particular PC (if using DHCP then I would add a reservation for that one PC so that it always gets the same IP address). So let's say that you assign 192.168.20.100 to the offending machine.

It would look something like this:

access-list 110 deny tcp host 192.168.20.100 any eq www
access-list 110 deny tcp host 192.168.20.100 any eq 443
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443

you would then bind this to your internal interface

access-group 110 in interface inside
 
I added the following lines to my config:

access-list acl_out deny tcp host 192.168.x.x any eq www
access-list acl_out permit tcp any any eq www
access-group acl_out in interface inside

When I added those lines no one could get out to the internet. I took out the 1st line and still no one could get out. So I took out the 2nd line as well and it started working again.

Am I missing something?
 
Never mind, I found my answer in another post in this forum.

Here are the lines I added and it works:

access-list acl_out deny tcp host 192.168.x.x any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside


This blocks 192.168.x.x from browsing the web but allows all other users to browse.

Thanks
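Why the first attempt cut everyone off and the second one works comes down to two PIX access-list rules: entries are evaluated top-down and the first match wins, and a packet that matches no entry hits the implicit deny at the end of the list. With only `permit tcp any any eq www` in the list, DNS, SMTP and every other outbound flow fell through to that implicit deny, so browsing broke for all users even though port 80 itself was permitted. The simulator below is an added example, not code from the thread or from Cisco; it parses the two ACLs rstitzel posted (with a constructed 192.168.1.50 standing in for 192.168.x.x), runs constructed sample flows through them with the inside host as the source, as an ACL applied `in interface inside` sees them, and also shows that the working list only blocks port 80, so HTTPS on 443 (which the first reply denies separately) still gets through.

```python
"""Simulate first-match evaluation of a Cisco PIX access list applied inbound
on the inside interface (access-group ... in interface inside), where outbound
flows are checked with the inside host as the source.
Added example, not code from the thread or from Cisco; the two ACLs are the
ones rstitzel posted, and all addresses, flows and port names below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known names the PIX accepts in place of port numbers (subset).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "domain": 53}


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str        # source address (the inside host for outbound traffic)
    dst: str        # destination address
    dport: int      # destination port


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp" or "udp"
    src: str                # "any" or a single host address
    dst: str                # "any" or a single host address
    dport: Optional[int]    # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse the subset of PIX syntax used in the thread:
    access-list NAME {permit|deny} PROTO {any|host A} {any|host B} [eq PORT]
    A line with no destination (e.g. 'host A eq www') is rejected, as the
    PIX command parser would reject it."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0].lower() != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"bad action or protocol: {line!r}")
    rest = tokens[4:]

    def take_addr() -> str:
        nonlocal rest
        if rest and rest[0] == "any":
            rest = rest[1:]
            return "any"
        if len(rest) >= 2 and rest[0] == "host":
            addr = rest[1]
            rest = rest[2:]
            return addr
        raise ValueError(f"expected 'any' or 'host ADDR' in {line!r}")

    src = take_addr()
    dst = take_addr()
    dport = None
    if rest:
        if len(rest) != 2 or rest[0] != "eq":
            raise ValueError(f"unsupported trailer {rest} in {line!r}")
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching entry decides; a flow that matches no entry hits the
    implicit deny at the end of every PIX access list."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ace.src != "any" and ace.src != flow.src:
            continue
        if ace.dst != "any" and ace.dst != flow.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


# Constructed stand-ins for the thread's 192.168.x.x and for a second PC.
BLOCKED_HOST = "192.168.1.50"
OTHER_HOST = "192.168.1.20"

# rstitzel's first attempt: only web traffic is ever permitted.
FIRST_ATTEMPT = [parse_ace(line) for line in (
    f"access-list acl_out deny tcp host {BLOCKED_HOST} any eq www",
    "access-list acl_out permit tcp any any eq www",
)]

# rstitzel's working version: everything else is explicitly permitted.
WORKING = [parse_ace(line) for line in (
    f"access-list acl_out deny tcp host {BLOCKED_HOST} any eq www",
    "access-list acl_out permit ip any any",
)]

# Constructed sample flows, all leaving the inside network.
FLOWS = {
    "blocked_web":   Flow("tcp", BLOCKED_HOST, "203.0.113.10", 80),
    "blocked_https": Flow("tcp", BLOCKED_HOST, "203.0.113.10", 443),
    "blocked_smtp":  Flow("tcp", BLOCKED_HOST, "203.0.113.25", 25),
    "other_web":     Flow("tcp", OTHER_HOST, "203.0.113.10", 80),
    "other_dns":     Flow("udp", OTHER_HOST, "203.0.113.53", 53),
}


def verdicts(acl: List[Ace]) -> Dict[str, str]:
    """Evaluate every sample flow against one access list."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        print(label)
        for name, verdict in verdicts(acl).items():
            print(f"  {name:14s} {verdict}")
```

Running it shows the first list denying `other_dns` and `blocked_smtp` by the implicit deny, which is the "no one could get out" symptom, while the working list permits them; it also shows `blocked_https` still permitted by the working list, so a second `deny ... eq 443` line above the `permit ip any any` is needed if HTTPS browsing is to be blocked as well.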
 
I got my IP & any the wrong way around; it should have read:

access-list 110 deny tcp any host 192.168.20.100 eq www
access-list 110 deny tcp any host 192.168.20.100 eq 443
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443

you would then bind this to your internal interface

access-group 110 in interface inside