I need to deny a group of internal IPs Internet access. Please assist. Let's just say that I need to deny the range of 192.168.0.50 - 192.168.0.100 for Internet access. What is the proper ACL and Access-Group to set this up?
You would use an access list with the following syntax:
access-list 101 deny ip 192.168.0.0 255.255.255.0 any
access-list 101 permit ip any any
access-group 101 in interface inside
This example would block all those internal IP addresses in the range 192.168.0.0 to 192.168.0.254; this is determined by the mask 255.255.255.0.
If you wanted to block a subnetted range, then a mask of 255.255.255.192 would block 192.168.0.0 to .63.
access-list 101 deny ip 192.168.0.64 255.255.255.192 any would block .64 to .127 and so on.
To block the range you specified, you would use multiple entries in the access list.
Remember the implicit deny at the end of the access list. If you didn't enter access-list 101 permit any any, you would stop all internal access to the outside world.
A more flexible way of preventing access to the outside would be to use cut-through proxy; this provides a username/password challenge that can be authenticated against a RADIUS database, such as the one provided with Win2K server.
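The answer above leaves the "multiple entries" for 192.168.0.50 - 192.168.0.100 as an exercise. The following is an added example (not part of the original thread, and not the answerer's code) that works them out: it splits an arbitrary start/end range into the fewest mask-aligned blocks, prints them in the same subnet/netmask form the answer uses, and then re-evaluates the finished list top-down, first match wins, to confirm that every address in the range is denied while the neighbours just outside it still hit the `permit ip any any` line. The list number 101 and the interface name `inside` are taken from the answer; everything else (function names, the range used) is assumed.

```python
import ipaddress

ACL_ID = 101            # list number used in the answer above (assumed to be what you want)
INTERFACE = "inside"    # interface name from the answer's access-group line


def deny_entries(first, last, acl_id=ACL_ID):
    """Return deny lines (subnet + netmask, PIX style) covering first..last
    with the fewest mask-aligned blocks. A /32 is emitted as 255.255.255.255;
    'host <ip>' is the equivalent shorthand."""
    lines = []
    for net in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)):
        lines.append(f"access-list {acl_id} deny ip {net.network_address} {net.netmask} any")
    return lines


def build_acl(first, last, acl_id=ACL_ID, interface=INTERFACE):
    """Full list: the deny entries, the explicit permit the answer warns
    about, and the access-group line that applies it inbound on 'inside'."""
    lines = deny_entries(first, last, acl_id)
    lines.append(f"access-list {acl_id} permit ip any any")
    lines.append(f"access-group {acl_id} in interface {interface}")
    return lines


def first_match(acl_lines, src_ip):
    """Evaluate the list the way the firewall does: top-down, the first
    entry whose subnet/mask contains src_ip decides. Returns 'deny' or
    'permit', or None when nothing matched (the implicit deny)."""
    ip = ipaddress.ip_address(src_ip)
    for line in acl_lines:
        parts = line.split()
        if parts[0] != "access-list":
            continue                      # skip access-group etc.
        action, src = parts[2], parts[4]
        if src == "any":
            return action
        net = ipaddress.ip_network(f"{src}/{parts[5]}", strict=False)
        if ip in net:
            return action
    return None


def verify(acl_lines, first, last):
    """Check every address in first..last is denied and the two addresses
    immediately outside the range are still permitted."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    for n in range(lo, hi + 1):
        if first_match(acl_lines, str(ipaddress.ip_address(n))) != "deny":
            return False
    for n in (lo - 1, hi + 1):
        if first_match(acl_lines, str(ipaddress.ip_address(n))) != "permit":
            return False
    return True


if __name__ == "__main__":
    acl = build_acl("192.168.0.50", "192.168.0.100")   # range from the question
    print("\n".join(acl))
    print("range fully denied, neighbours permitted:", verify(acl, "192.168.0.50", "192.168.0.100"))
```

For the range in the question this produces six deny entries (.50/31, .52/30, .56/29, .64/27, .96/30 and .100/32) ahead of the permit; running `verify` against a list with the permit line left off returns False, which is the implicit-deny pitfall the answer describes, because the addresses outside the range then match nothing at all.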