
pix 501 access-list 1

Status
Not open for further replies.

emil60148 (IS-IT--Management), May 6, 2005
Testing a Pix 501. I need to allow everybody in 192.168.1.0 except 192.168.1.3,
but with this access-list I stop all users from going outside.
Can't figure out what I am doing wrong. Please help. Thanks

access-list inside_out deny tcp host 192.168.1.3 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www

access-group inside_out in interface inside
 
My gut reaction is it's a DNS issue. If you implement the access-list and your users have the ISP servers set for their DNS, DNS requests would be denied. You would need to add an additional line to the access-list permitting DNS services, like this:
access-list inside_out deny tcp host 192.168.1.3 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out permit udp 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.255 eq domain

(Substitute x's with your DNS server IP)
 
That should work beautifully.

Although, you don't say specifically that you stop all outside traffic, just that they can't access stuff.

This access list would block *.3 and allow everyone else, but then deny all other traffic coming from the inside to out. What I would do:

access-list inside_out deny tcp host 192.168.1.3 any eq www
access-list inside_out permit ip any any
access-group inside_out in interface inside

Computer/Network Technician
CCNA
 
Thank you guys,

I just started adding rules and it works great! It was a DNS issue as tbisset mentioned. Now I have this config and it works fine:

access-list inside_out deny tcp host 192.168.1.3 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 995
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list inside_out permit udp 192.168.1.0 255.255.255.0 host xxx.xxx.xxx.xxx eq domain

Do you think I need to add TCP for the DNS requests?
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 host xxx.xxx.xxx.xxx eq domain

Thanks again, it looks like it's going to be a good Friday
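The three access-lists in this thread behave the way they do because a PIX evaluates an access-list top to bottom, stops at the first matching entry, and drops anything that matches no entry (the implicit deny). The following simulator is an added example written for this page, not code from the thread or from Cisco; it parses the thread's own access-list syntax and walks sample flows through each variant. The DNS and web server addresses (203.0.113.53, 198.51.100.10) are constructed placeholders from documentation ranges, standing in for the "xxx.xxx.xxx.xxx" in the posts. It shows why the original list broke name resolution, that the udp-only DNS entry leaves a tcp/53 lookup on the implicit deny, and that "deny tcp host 192.168.1.3 any eq www" only blocks port 80 from that host, not everything.

```python
import ipaddress

# Constructed placeholder addresses (RFC 5737 documentation ranges) standing in
# for the thread's "xxx.xxx.xxx.xxx" DNS server and an arbitrary web server.
DNS_SERVER = "203.0.113.53"
WEB_SERVER = "198.51.100.10"

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "https": 443}
ANY = ipaddress.ip_network("0.0.0.0/0")

# The access-lists as posted in the thread (DNS address substituted with the placeholder).
ORIGINAL_ACL = """
access-list inside_out deny tcp host 192.168.1.3 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
"""
WITH_DNS_ACL = ORIGINAL_ACL + (
    f"access-list inside_out permit udp 192.168.1.0 255.255.255.0 {DNS_SERVER} 255.255.255.255 eq domain\n"
)
PERMIT_ANY_ACL = """
access-list inside_out deny tcp host 192.168.1.3 any eq www
access-list inside_out permit ip any any
"""


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into ACE tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None  # None means any destination port
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append((action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First-match evaluation with the implicit deny at the end of the list.

    Returns (action, index): index is the 0-based entry that matched, or None
    when the packet fell through every entry and hit the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, (action, aproto, asrc, adst, aport) in enumerate(aces):
        if aproto != "ip" and aproto != proto:
            continue
        if src not in asrc or dst not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return action, idx
    return "deny", None


# Sample inside-to-outside flows (constructed): a normal client and the excluded host.
FLOWS = [
    ("tcp", "192.168.1.5", WEB_SERVER, 80),   # client browsing
    ("udp", "192.168.1.5", DNS_SERVER, 53),   # client resolving a name first
    ("tcp", "192.168.1.5", DNS_SERVER, 53),   # DNS over TCP (large answers, zone transfers)
    ("tcp", "192.168.1.3", WEB_SERVER, 80),   # excluded host, HTTP
    ("tcp", "192.168.1.3", WEB_SERVER, 443),  # excluded host, HTTPS
]

if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_ACL), ("with DNS", WITH_DNS_ACL), ("permit any", PERMIT_ANY_ACL)]:
        aces = parse_acl(text)
        print(f"--- {name} ---")
        for proto, s, d, p in FLOWS:
            action, idx = evaluate(aces, proto, s, d, p)
            where = "implicit deny" if idx is None else f"entry {idx + 1}"
            print(f"{proto}/{p:<4} {s:>12} -> {d:<14} {action:<6} ({where})")
```

Run it as a script to see the per-flow verdicts. Two defender-side takeaways fall out of the table: the original list permits the web traffic but silently drops the UDP/53 lookup that precedes it, which is the symptom the thread describes, and neither variant excludes 192.168.1.3 from anything except TCP port 80, so if the intent really is "everything except .3", the deny needs to be "deny ip host 192.168.1.3 any" placed before the permits.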
 