PIX 506e Firewall

I'm not sure if this is the correct board to be posting this to; if not, please point me in the correct direction. Anyway, I have a PIX 506e Firewall and I want to deny all internet traffic to 5 internal IP addresses (192.168.2.80-192.168.2.85). I believe I have to create an ACL for this, then an access-group, but I am unsure of the syntax of the access-list.

I think the access-list is like so:

access-list inside_out deny ip 192.168.2.80 255.255.255.255 216.110.76.32 255.255.255.255

Where 216.110.76.32 is my outside interface IP address given to me by my ISP.

The access-group is something like this, I think:

access-group inside_out in interface inside

Any help would be greatly appreciated.

Thanks in advance :-)

Jeremiah

Reply to
jeremiah.meyers

access-list inside_out deny ip 192.168.2.80 255.255.255.252 any
access-list inside_out deny ip 192.168.2.84 255.255.255.254 any
access-list inside_out permit ip any any
access-group inside_out in interface inside

Reply to
Brian V

Brian,

Thank you; one last question, though: the deny entries take precedence over the permit entries, correct?

Jeremiah


Reply to
jeremiah.meyers

traffic TO internal addresses? meaning from outside to inside? that would be blocked by default

> I believe I have to create an ACL

if you want to block from inside to outside:

access-list inside_out deny ip host 192.168.2.80 any

what version do you have? you probably could make an object group for the 5 IPs...

you won't need this

correct,

M
Reply to
mak

Mark, I want to block from inside addresses to the outside, so if a computer has an IP address of 192.168.2.80, the computer will have access to all network resources (printers, servers, and computers) but no internet access.

Here are my PIX version and PDM version as well:

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)

Thanks, Jeremiah

Reply to
jeremiah.meyers

Yes, that is correct; it actually reads top down. At the bottom of all ACLs is a deny ip any any, which is why the permit ip any any is needed, or no traffic would flow through the interface. You cannot see the deny ip any statement; in reality your ACL looks like this:

access-list inside_out deny ip 192.168.2.80 255.255.255.252 any
access-list inside_out deny ip 192.168.2.84 255.255.255.254 any
access-list inside_out permit ip any any
access-list inside_out deny ip any any

Reply to
Brian V
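The top-down, first-match evaluation with the invisible deny at the end that Brian describes (and that Walter confirms below) is easy to get wrong when choosing masks, so here is an added example, not code from the thread or from Cisco: a small Python model that parses PIX-style access-list lines and evaluates them the way the firewall does. The ACL text, the host list and the outside address 198.51.100.7 are constructed for the example. It also shows why pairing a /30 on .80 with a single /32 host entry on .84 covers .80 through .84 only; .85 falls through to the permit, so the second deny needs a 255.255.255.254 mask (a /31) to cover both .84 and .85.

```python
import ipaddress

# Constructed sample ACLs in PIX 6.x "access-list" syntax (not copied from a
# live device). The first uses a /30 plus a /32 host entry; the second widens
# the second line to a /31 so that .85 is covered as well.
ACL_HOST_84 = """
access-list inside_out deny ip 192.168.2.80 255.255.255.252 any
access-list inside_out deny ip 192.168.2.84 255.255.255.255 any
access-list inside_out permit ip any any
"""

ACL_PAIR_84 = """
access-list inside_out deny ip 192.168.2.80 255.255.255.252 any
access-list inside_out deny ip 192.168.2.84 255.255.255.254 any
access-list inside_out permit ip any any
"""

# Same denies with no explicit permit: everything else hits the invisible deny.
ACL_NO_PERMIT = """
access-list inside_out deny ip 192.168.2.80 255.255.255.252 any
access-list inside_out deny ip 192.168.2.84 255.255.255.254 any
"""

TARGETS = [f"192.168.2.{i}" for i in range(80, 86)]   # .80 through .85
OUTSIDE_DST = "198.51.100.7"   # arbitrary constructed "internet" destination


def _take_addr(tokens):
    """Consume one PIX address spec from the front of tokens:
    'any', 'host A.B.C.D', or 'A.B.C.D NETMASK' (PIX uses real netmasks,
    not IOS-style wildcard masks)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    # strict=False mirrors the PIX, which ANDs the address with the mask
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported line: {line}")
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append((name, action, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """Top-down, first match wins. Falling off the end is the implicit
    'deny ip any any' at the bottom of every configured ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _name, action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def denied_hosts(acl_text, hosts, dst_ip=OUTSIDE_DST):
    """Return the subset of hosts whose traffic to dst_ip is denied."""
    entries = parse_acl(acl_text)
    return [h for h in hosts if evaluate(entries, h, dst_ip) == "deny"]


if __name__ == "__main__":
    for label, acl in (("/30 + /32 host", ACL_HOST_84), ("/30 + /31", ACL_PAIR_84)):
        print(label, "denies:", denied_hosts(acl, TARGETS))
    print("unrelated host, no explicit permit:",
          evaluate(parse_acl(ACL_NO_PERMIT), "192.168.2.10", OUTSIDE_DST))
```

Running it shows the /30 + /32 pair denying .80 through .84 and letting .85 through, the /30 + /31 pair denying all six, and an unrelated inside host being dropped by the implicit deny when the permit ip any any line is left out.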

That doesn't apply to the inside interface, though, right? I have many Pixen where I don't have an explicit permit from inside to outside...

M
Reply to
mak

It applies to all interfaces, in all directions, in IOS and in PIX OS, and all other places where ACLs occur, that I have ever looked at in Cisco documentation: if an ACL has been configured, then there is *always* a default deny at the end of it.

What that default deny -means- can be strange sometimes; for example, a deny on a route-map can turn out, in context, to mean "do not reroute traffic, let it flow normally".

On the other hand, if no ACL has been configured, the default behaviour varies with software rev and with circumstances too complex to state simply.

Recall too that in PIX, the interface ACLs are ignored for VPN traffic if you have configured the appropriate sysopt connection permit-* command.

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.