how to block workstations from accessing the LAN

Discussion in 'Cisco' started by Alexis Crawford, Nov 12, 2003.

  1. Hello,

    A client of mine asked me to implement some configuration changes on
    their network. She would like 5 workstations to not have access to the
    lan but have access to the internet. These workstations must go
    through the pix as all workstations do. We have 7 switches and 2
    routers with a pix. We have 2 interfaces on the router and the pix.
    Is there a way to do this by configuring a vlan?
    I'll post my configs upon a reply?

    Cheers,
    Alexis
     
    Alexis Crawford, Nov 12, 2003
    #1

  2. In article <>,
    Alexis Crawford <> wrote:
    :A client of mine asked me to implement some configuration changes on
    :their network. She would like 5 workstations to not have access to the
    :lan but have access to the internet. These workstations must go
    :through the pix as all workstations do. We have 7 switches and 2
    :routers with a pix. We have 2 interfaces on the router and the pix.
    :Is there a way to do this by configuring a vlan?

    You indicate that you have two interfaces on the PIX, but you do
    not indicate which model of PIX is involved.

    You could probably do what you want with a couple of VLANs, but
    VLANs are not supported on the PIX 501, PIX 506, or PIX 506e.
    (Or the 510.) If you have a 515, 515E, 520, 525, or 535, then there
    is VLAN support, starting from PIX 6.3(1).

    Note: you would have to put those 5 workstations into a different
    IP address range.

    Question: should the workstations be able to access each other?
    If not then you would need one VLAN per workstation. The
    PIX 515 Restricted and PIX 515E Restricted would not support the
    resulting number of total interfaces, but the 515/515E Unrestricted
    and all the other models I list above can do it.
    --
    Rump-Titty-Titty-Tum-TAH-Tee -- Fritz Lieber
     
    Walter Roberson, Nov 13, 2003
    #2

  3. On 12 Nov 2003 10:50:25 -0800, (Alexis
    Crawford) wrote:

    >Hello,
    >
    >A client of mine asked me to implement some configuration changes on
    >their network. She would like 5 workstations to not have access to the
    >lan but have access to the internet. These workstations must go
    >through the pix as all workstations do. We have 7 switches and 2
    >routers with a pix. We have 2 interfaces on the router and the pix.
    >Is there a way to do this by configuring a vlan?
    >I'll post my configs upon a reply?
    >
    >Cheers,
    >Alexis


    Just give different scope of IP addresses to those 5 workstations, and
    make one simple access list on router interface. Something like this
    (where 10.1.1.x is IP scope for 5 workstations, and 10.x.x.x is for
    the rest):

    ip access-list extended ONLY_INTERNET
    deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip any any

    You do not need to change PIX configuration.

    Jura
     
    Juraj Ljubesic, Nov 14, 2003
    #3
  4. -cnrc.gc.ca (Walter Roberson) wrote in message news:<bp0fcl$aim$>...
    > In article <>,
    > Alexis Crawford <> wrote:
    > :A client of mine asked me to implement some configuration changes on
    > :their network. She would like 5 workstations to not have access to the
    > :lan but have access to the internet. These workstations must go
    > :through the pix as all workstations do. We have 7 switches and 2
    > :routers with a pix. We have 2 interfaces on the router and the pix.
    > :Is there a way to do this by configuring a vlan?
    >
    > You indicate that you have two interfaces on the PIX, but you do
    > not indicate which model of PIX is involved.



    The model is a 515 and as you mentioned I would have to put these 5
    workstations in a different subnet. If I can do this with a pix how
    would I configure the pix?

    Thanks
    >
    > You could probably do what you want with a couple of VLANs, but
    > VLANs are not supported on the PIX 501, PIX 506, or PIX 506e.
    > (Or the 510.) If you have a 515, 515E, 520, 525, or 535, then there
    > is VLAN support, starting from PIX 6.3(1).
    >
    > Note: you would have to put those 5 workstations into a different
    > IP address range.
    >
    > Question: should the workstations be able to access each other?
    > If not then you would need one VLAN per workstation. The
    > PIX 515 Restricted and PIX 515E Restricted would not support the
    > resulting number of total interfaces, but the 515/515E Unrestricted
    > and all the other models I list above can do it.
     
    Alexis Crawford, Nov 14, 2003
    #4
  5. -cnrc.gc.ca (Walter Roberson) wrote in message news:<bp0fcl$aim$>...
    > In article <>,
    > Alexis Crawford <> wrote:
    > :A client of mine asked me to implement some configuration changes on
    > :their network. She would like 5 workstations to not have access to the
    > :lan but have access to the internet. These workstations must go
    > :through the pix as all workstations do. We have 7 switches and 2
    > :routers with a pix. We have 2 interfaces on the router and the pix.
    > :Is there a way to do this by configuring a vlan?
    >
    > You indicate that you have two interfaces on the PIX, but you do
    > not indicate which model of PIX is involved.
    >
    > You could probably do what you want with a couple of VLANs, but
    > VLANs are not supported on the PIX 501, PIX 506, or PIX 506e.
    > (Or the 510.) If you have a 515, 515E, 520, 525, or 535, then there
    > is VLAN support, starting from PIX 6.3(1).
    >
    > Note: you would have to put those 5 workstations into a different
    > IP address range.
    >
    > Question: should the workstations be able to access each other?
    > If not then you would need one VLAN per workstation. The
    > PIX 515 Restricted and PIX 515E Restricted would not support the
    > resulting number of total interfaces, but the 515/515E Unrestricted
    > and all the other models I list above can do it.


    And yes the workstations must see each other.
     
    Alexis Crawford, Nov 14, 2003
    #5
