PIX - I deny everything ! (an inside job)

This worked fine on my PIX 501 Version 6.3(5)

access-list acl_in deny tcp host 192.168.0.16 any eq 80

access-group acl_in in interface inside

(Access to the web was blocked on this computer ONLY, and others could browse the web, just as I wanted.)

On a slightly older and larger PIX at a customer (a model 535 I think, from 2003) the same syntax stopped all traffic to the web on all computers.

I then added this statement:

access-list acl_in permit tcp any any

but it didn't help. I was sure to "clear xlate" in all tests. This was the only access-group on the inside interface. I then tried these commands on an existing access-group on the outside interface, with the same problematic results. Is it a matter of sequence? Does it matter which statements come first?

Help! How do I stop web traffic for just one PC?

barret bonden

Somewhat strange. Usually you would need a permit statement as well for all the other non-blocked computers.

Yes, it does. The sequence of statements in the running configuration is important. In addition I would use "access-list acl_in permit ip any any":

access-list acl_in deny tcp host 192.168.0.16 any eq 80
access-list acl_in permit ip any any

And finally at the interface in question: access-group acl_in interface name_of_interface in

Regards, Christoph Gartmann

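The ordering behaviour Christoph describes can be checked offline with a small first-match ACL evaluator. This is an added example, not PIX code or anything from the thread: it parses the access-list lines quoted above, applies them top to bottom, and falls through to the implicit deny at the end of every PIX ACL; the outside web server address 203.0.113.10 is constructed.

```python
import ipaddress


def _addr(tok, i):
    """Parse a PIX address token: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """access-list NAME {permit|deny} PROTO SRC DST [eq PORT]"""
    tok = line.split()
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """First-match lookup; a packet matching no line hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny: nothing else is permitted by a deny-only ACL


# Constructed ACLs: the line from the question, the fix from the reply, and the fix reversed.
DENY_ONLY = ["access-list acl_in deny tcp host 192.168.0.16 any eq 80"]
DENY_THEN_PERMIT = DENY_ONLY + ["access-list acl_in permit ip any any"]
PERMIT_THEN_DENY = list(reversed(DENY_THEN_PERMIT))

if __name__ == "__main__":
    web = ("tcp", "203.0.113.10", 80)  # constructed outside web server
    for label, acl in [("deny only", DENY_ONLY), ("deny, then permit", DENY_THEN_PERMIT),
                       ("permit, then deny", PERMIT_THEN_DENY)]:
        for pc in ("192.168.0.16", "192.168.0.20"):
            print(f"{label:18} {pc:13} -> {evaluate(acl, web[0], pc, web[1], web[2])}")
```

The run shows the deny-only list blocking every PC, the deny-then-permit list blocking only 192.168.0.16 on port 80, and the reversed list letting 192.168.0.16 through because the permit line shadows the deny.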
