pix 515; limit internal users to one web page

eolvera

IS-IT--Management
Jul 13, 2001
4
MX
I have a PIX 515 ver 4.4 letting users go outside to the internet without restrictions; now I need some users to access only one web page. This is my config.

pixfirewall# write term
Building configuration...
: Saved
:
PIX Version 4.4(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd PLM6cNynphMCxKDc encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 37
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 148.235.128.xxx 255.255.255.240
ip address inside 10.90.1.252 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
arp timeout 14400
global (outside) 1 148.235.128.yyy
global (dmz) 1 172.16.1.129-172.16.1.253
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.1.0 255.255.255.0 0 0
static (inside,outside) 148.235.128.aaa 10.90.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 148.235.128.bbb 10.3.1.252 netmask 255.255.255.255 0 0
static (inside,outside) 148.235.128.ccc 10.90.1.35 netmask 255.255.255.255 0 0
static (inside,outside) 148.235.128.ddd 10.90.1.1 netmask 255.255.255.255 0 0
static (dmz,outside) 148.235.128.eee 172.16.1.18 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.29 10.90.1.129 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.100 10.90.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 148.235.128.fff 10.90.1.129 netmask 255.255.255.255 0 0
conduit permit tcp any any
conduit permit udp any any
conduit permit icmp any any
conduit permit tcp host 172.16.1.29 any
conduit permit tcp host 172.16.1.100 any
outbound 5 permit 10.90.1.20 255.255.255.255 0 0
outbound 10 permit 10.90.103.10 255.255.255.255 0 0
outbound 10 permit 10.90.105.112 255.255.255.255 0 0

approximately 400 permits belonging to outbound 10.

outbound 10 permit 10.90.102.98 255.255.255.255 0 0
outbound 10 permit 10.90.103.29 255.255.255.255 0 0
outbound 10 permit 10.32.3.10 255.255.255.255 0 0
outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
apply (inside) 10 outgoing_src
apply (inside) 5 outgoing_src
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default
route outside 0.0.0.0 0.0.0.0 148.235.128.209 1
route inside 10.0.0.0 255.0.0.0 10.90.1.254 1
timeout xlate 0:10:00 conn 0:10:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 10.90.100.100 255.255.255.255
telnet timeout 20
no floodguard enable
terminal width 80
Cryptochecksum:6127886f6b4d5bfaea0541d79e99f1ad
: end
[OK]

I tried the following, but it doesn't work:
outbound 3 permit ip_add_of_web_page 255.255.255.255 80 tcp
apply (inside) 3 outgoing_dest

trying to let users that don't exist in outbound 10 access ip_add_of_web_page.

When I try the samples from the PIX manual, they don't work at all. I suppose it's because they always start with 'deny all' and don't take the following permits into account....

Has somebody tried groups of outbounds?

Let me preface this reply by saying I'm not as familiar with using the 4.x version as I am with newer versions. However, I believe the problem is that you need to add the users to the outbound 10 list and just permit tcp access on port 80 to the address of the web server (or addresses if the server has multiple addresses - dns load balancing).

Also, FYI, you should probably delete the passwords from the config before posting. There are several utilities that can be used to decrypt the passwords.
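An added example, not the poster's config and not from the reply above, of one way the PIX outbound command's except keyword could cover this case: hosts that fall through to the final deny in list 10 still get TCP/80 to a single web server, and nothing else. It assumes the documented 4.x behaviour that in a list applied with outgoing_src an except entry names a destination address and creates an exception to the list's deny; WEB_SERVER_IP is a placeholder for the server's address.

```text
: Added example (not the thread's own config). The existing permits in
: list 10 are kept as they are (one shown); only the final deny gains a
: narrow exception: TCP port 80 to one destination host.
: Assumption: with "apply ... outgoing_src", the address in an except
: entry is the destination, and the except applies to the deny below.
: WEB_SERVER_IP is a placeholder; replace it with the real address.
outbound 10 permit 10.90.103.10 255.255.255.255 0 0
outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 10 except WEB_SERVER_IP 255.255.255.255 80 tcp
apply (inside) 10 outgoing_src
```

Hosts already permitted in list 10 are unaffected, since the exception only narrows the deny; after entering it, confirm with write term that the except line landed in list 10 and check the 4.4 command reference for except before relying on it.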