Need syntax to block a range of IP addresses from using the web in any way (they just need to reach an internal server), so I want to stop them from getting out or anything from the web reaching them. These machines are in the range of 192.168.0.10 to 0.254.
I have (but it's been months since I did PIX/Cisco, and boy am I rusty) an access list now with commands like:
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit tcp any host 192.168.0.42 range 10000 10
access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
Can I just add to it to block anything coming in to a subnet? I suppose I can do this:
access-list outside_access_in deny ip deny any 192.168.0.0 0.0.0.255 (can I?)
But of course that would block the owner, on 0.4 - so is there syntax for a range of IPs?
Or should I create a new access group for anything leaving the inside interface?
Something like
access-group inside_access_out in interface inside
access-list inside_access_out deny any 192.168.0.2 255.255.255.0
(the inside interface: ip address inside 192.168.0.2 255.255.255.0)
But again, this would stop any machine on the inside from getting to the inside interface on the PIX (at least I think that's what I'm saying).
Any help offered on syntax or concepts much appreciated.
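
Added example (not part of the original post): an address range that is not a whole subnet, such as 192.168.0.10 to 192.168.0.254, can be expressed as a short list of aligned network/mask blocks, which this Python sketch computes and then checks against the owner's address on .4. The ACL name `inside_access_in` and the netmask-style line layout are assumptions; verify the layout against the firewall's software version before use.

```python
import ipaddress


def range_to_blocks(first, last):
    """Return the minimal list of aligned networks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def deny_lines(blocks, acl_name="inside_access_in"):
    """Render one deny entry per block.

    acl_name is a hypothetical name, and the 'address netmask' layout is an
    assumption about the target device's ACL syntax.
    """
    return [
        f"access-list {acl_name} deny ip {net.network_address} {net.netmask} any"
        for net in blocks
    ]


def covered(addr, blocks):
    """True if addr falls inside any of the blocks (i.e. it would be denied)."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in blocks)


# The range from the post: 192.168.0.10 through 192.168.0.254.
BLOCKS = range_to_blocks("192.168.0.10", "192.168.0.254")

if __name__ == "__main__":
    for line in deny_lines(BLOCKS):
        print(line)
    # Sanity check: addresses outside the range must stay unmatched.
    for addr in ("192.168.0.2", "192.168.0.4", "192.168.0.9",
                 "192.168.0.10", "192.168.0.42", "192.168.0.254"):
        state = "denied" if covered(addr, BLOCKS) else "not matched"
        print(f"{addr}: {state}")
```

The coverage check matters because a single entry for the whole /24 would also match .4 and the firewall's own .2, which is the side effect the post is trying to avoid.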