This worked fine on my PIX 501 Version 6.3(5):
access-list acl_in deny tcp host 192.168.0.16 any eq 80
access-group acl_in in interface inside
(Access to the web was blocked on this computer ONLY, and others could browse the web, just as I wanted.)
On a slightly older and larger PIX at a customer (a model 535 I think, from 2003) the same syntax stopped all traffic to the web on all computers.
I then added this statement:
access-list acl_in permit tcp any any
but it didn't help. I was sure to "clear xlate" in all tests. This was the only access-group on the inside interface. I then tried these commands on an existing access-group on the outside interface, with the same problematic results. Is it a matter of sequence? Does it matter which statements come first?
Help! How to stop web traffic for just one PC?
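
The sequence question above can be modeled with a small first-match evaluator (an added example, not part of the original post). It assumes PIX access-lists are checked top to bottom, the first matching line wins, and anything that matches no line hits the implicit deny at the end; the `permit ip any any` variant and the 203.0.113.x destinations are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' (subset only)."""
    tok = line.split()[2:]                     # drop 'access-list' and the ACL name
    action, proto, tok = tok[0], tok[1], tok[2:]

    def addr(tok):
        if tok[0] == "any":
            return ip_network("0.0.0.0/0"), tok[1:]
        if tok[0] == "host":
            return ip_network(tok[1] + "/32"), tok[2:]
        raise ValueError("unsupported address form: " + tok[0])

    src, tok = addr(tok)
    dst, tok = addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl_lines, proto, src, dst, dport):
    """Return (action, deciding line) for one packet; first match wins."""
    for line in acl_lines:
        action, a_proto, a_src, a_dst, a_port = parse_ace(line)
        if a_proto not in ("ip", proto):       # 'ip' covers tcp and udp
            continue
        if ip_address(src) not in a_src or ip_address(dst) not in a_dst:
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, line
    return "deny", "(implicit deny at end of list)"

# The two lines from the post, in the order they were entered.
POSTED = [
    "access-list acl_in deny tcp host 192.168.0.16 any eq 80",
    "access-list acl_in permit tcp any any",
]
# Constructed variant: same deny, followed by a permit that also covers UDP.
WITH_IP = [POSTED[0], "access-list acl_in permit ip any any"]

if __name__ == "__main__":
    packets = [("tcp", "192.168.0.16", "203.0.113.10", 80),   # blocked PC, HTTP
               ("tcp", "192.168.0.20", "203.0.113.10", 80),   # other PC, HTTP
               ("udp", "192.168.0.20", "203.0.113.53", 53)]   # other PC, DNS query
    for name, acl in (("posted", POSTED), ("reversed", POSTED[::-1]), ("with ip", WITH_IP)):
        for pkt in packets:
            print(name, pkt, "->", evaluate(acl, *pkt))
```

In this model the deny line alone leaves every other packet to the implicit deny, reversing the two lines lets the permit shadow the deny, and with `permit tcp any any` a UDP DNS query still matches nothing.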