I am adding an internal firewall to separate two networks, one public and one private. What I need is for people on the public network to access a webserver while at the same time blocking all other traffic so nobody can access the private domain. Generally the public will need internet access (not a problem) but will occasionally need to access internal webservers in the primary network. I have been able to do one or the other, but not both. Right now people can access both the WAN and the private LAN. If I put in restrictions I block all access, both the private network and the internet.
If I put in the following config it does not work:

access-list 101 permit tcp 192.168.1.0 255.255.255.0 host 192.168.111.4 eq www
access-list 101 deny ip any 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0

This just gives me a syntax error when I try to enter it. I was able to put in an ACL that did block the whole 192.168.111.0 network, but the problem with that is then I cannot access the gateway.
Here is a basic outline of the networks in order:

T1
PIX506 1 - Network 1 (Private) 63.xxx.xxx.x > 192.168.111.0/24
PIX506 2 - Network 2 (Public) 192.168.111.30 > 192.168.1.0/24 (Need to access webserver 192.168.111.3 but NOTHING else)
Here is the current config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name cpi.local.com
names
icmp permit any outside
icmp permit any inside
ip address outside 192.168.111.30 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 192.168.111.40
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 192.168.111.31 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.111.32 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.111.33 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.111.34 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.111.35 192.168.1.6 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 PIX506 1
dhcpd dns 209.150.200.10 64.65.128.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain cpi.local2.com
dhcpd enable inside
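An added example (not the poster's config) of how the inside-interface ACL could be written in PIX 6.3 syntax so that the deny line parses and internet access survives. It assumes the webserver is 192.168.111.3 as in the network outline (the draft ACL used .4) and uses the list name inside_access_in; lines starting with ":" are PIX comment lines.

```cisco
: Added example, not the poster's config. Assumes the webserver is
: 192.168.111.3 (per the network outline) and the list name inside_access_in.
: In PIX 6.3 each address is written as "addr mask", "host addr" or "any";
: the draft deny line had both "any" and a source network, so it was rejected.
: Entries are matched first-hit, so the order below matters.

: 1. public LAN may reach the private webserver on HTTP only
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.111.3 eq www

: 2. everything else destined to the private /24 is dropped and logged.
:    Internet-bound packets carry internet destinations, so this line does
:    not match them even though they are forwarded via the 192.168.111.x gateway.
access-list inside_access_in deny ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0 log

: 3. remaining traffic (internet) is allowed; without this line the implicit
:    deny at the end of the list blocks the WAN as well
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any

: apply the list inbound on the inside (public LAN) interface
access-group inside_access_in in interface inside

: check: hit counters per entry after testing from a public-LAN host
show access-list inside_access_in
```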