PIX: limit web browsing for a specific machine, allowing all others

I want to limit web browsing for a specific machine, allowing all others.

Am I better off doing this on the inside or outside interface?

How do I control the order of the commands in the access-list? Is it just a matter of entry order?

Is this syntax correct for the inside ?

Access-list ach-in deny tcp host 192.168.0.22 any eq 80

Access-list ach-in permit ip any any

Access-list ach-in in interface inside

barret bonden

Inside, for sure.

Yes. Though if you have a late enough version of PIX OS, you can use "line" modifiers to insert before specific lines or delete specific lines.

I do not recall at the moment whether "access-list" is case-sensitive. The syntax for the rest looks fine. As a practical matter, though, you may also wish to block common proxy ports as well as port 80. You might find that easier to manage if you use a port-object to create the list of ports and then use

access-list ach-in deny tcp host 192.168.0.22 any object-group blocked_ports

Walter Roberson
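
Added example, not part of any post in this thread: a small Python model of first-match ACL evaluation over the thread's ach-in entries, showing why entry order matters and what the object-group changes. The parser covers only the syntax shown here, and the contents of blocked_ports (80, 3128, 8080) are assumed values.

```python
import ipaddress

# Constructed object-group contents: port 80 plus two assumed proxy ports.
OBJECT_GROUPS = {"blocked_ports": {80, 3128, 8080}}

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address form: " + tokens[0])

def parse_ace(line):
    """Parse the small subset of access-list syntax used in this thread."""
    t = line.split()[2:]                  # drop "access-list <name>"
    action, proto = t[0], t[1]
    src, rest = _addr(t[2:])
    dst, rest = _addr(rest)
    ports = None                          # None means any destination port
    if rest[:1] == ["eq"]:
        ports = {int(rest[1])}
    elif rest[:1] == ["object-group"]:
        ports = OBJECT_GROUPS[rest[1]]
    return action, proto, src, dst, ports

def evaluate(acl_lines, proto, src, dst, dport):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for line in acl_lines:
        action, ace_proto, s, d, ports = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in s or ipaddress.ip_address(dst) not in d:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"

# The entries as posted, the same entries in the wrong order, and the object-group form.
ORIGINAL = ["access-list ach-in deny tcp host 192.168.0.22 any eq 80",
            "access-list ach-in permit ip any any"]
REVERSED = list(reversed(ORIGINAL))
GROUPED = ["access-list ach-in deny tcp host 192.168.0.22 any object-group blocked_ports",
           "access-list ach-in permit ip any any"]
```

With REVERSED, the permit entry matches first and the deny is never reached; with ORIGINAL, traffic from 192.168.0.22 to port 8080 is still permitted, which is the gap the object-group form closes.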

To apply the list on the interface, you would need the access-group command:

access-group ach-in in interface inside

mcaissie
