trying to block a range of IP's from using the web

need syntax to block a range of IP address using the web in any way ( they just need to reach an internal server) , so I want to stop them from getting out or anything from the web reaching them. These machines are in the range of to 0.254

I have(but it's been months since I did PIX/cicso , and boy am I rusty) an access list now with commands like

access-list outside_access_in permit icmp any any echo

access-list outside_access_in permit tcp any host range 10000


access-list outside_access_in permit icmp any any echo-reply

access-group outside_access_in in interface outside

Can I just add to it to block anything coming in to a subnet ? I suppose I can do this:

access-list outside_access_in deny ip deny any 1982.168.0.0 (can I ?)

But of course that would block the owner , on 0.4 - so is there syntax for a range of IP's ? ?

Or should I create a new access group for anything leaving the inside interface ?

Something like

access-group inside_access_out in interface inside

access-list inside_access_out deny any

(the inside interface : ip address inside

But again, this would stop any machine on the inside from getting to the inside interface on the PIX ( at least I think that's what I'm saying.)

Any help offered on syntax or concepts much appreciated .

Reply to
Barrett Bonden
Loading thread data ...

Must have dropped a few characters there, since the upper end of a port range must be greater than the lower end.

Remember the PIX uses netmask format, so that would have to be

There is no syntax for a range of IPs. You can create an object-group that nominates them all, as in

object-group network InternalOnly network-object network-object network-object network-object network-object network-object network-object network-object network-object network-object network-object network-object host

access-list outside_access_in deny ip any object-group InternalOnly

It mystifies me, though, as to why you want to permit your broadcast IP, to send packets to the outside. The object-group would be only half as long if you were to block all of

If you want to prevent outgoing traffic then you need to work with the inside interface ACL: the PIX will automatically permit back in responses to traffic initiated from inside that was permitted out.

Another item to note is that when you are working with the outside interface ACL, that all destination IPs must be the *public* IPs for the hosts -- the destinations as they would appear in the packets that the external hosts are sending to. Unless you are working with a completely private network, those public IPs are not going to be 192.168.0.x .

There is a completely different way to solve this problem that you might find easier to configure:

Packets are only allowed out for internal hosts for which there is a defined IP address translation -- a static or nat. Therefor, if you want to deny hosts from going outside, you can do it by not defining any address translation for them. Instead of having,

nat (inside) 1

instead have

nat (inside) 1 nat (inside) 1

Then you don't need any ACL: the PIX just won't allow the traffic because it won't know what public IP address to use for it.

The main difference between this and the inside interface ACL case is in the log messages that will be produced for the two cases.

Reply to
Walter Roberson


Many thanks, as always. The idea of specific NAT's , as in

appeals to me. I've started to re-read my old Pix books, but still don't see why you have those "subnet like" masks (as in .254) for use with a specific inside IP. Walter, if I wanted to specify just a few inside IP's(the owner's, say, and one other) to get out, would I not do it like nat (inside) 1 ? for just one machine ? My books tell me this will be seen as one host .

Reply to
Barrett Bonden

You wanted .10 to .254 to be blocked, which means you want to permit .8 and .9 . You could do that via or you can do it via because .8 falls on /31 boundary.


Reply to
Walter Roberson

If you ever come to Long Island, New York , let me buy you a beer. This was (is ) the only Cisco client I have; I never picked up more work from the PIX install, and so all the reading I did just drifted out of my head ...I read quite a bit on subnet math , but without use .......

Many thanks -

Reply to
Barrett Bonden Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.