PIX 506e Firewall

Discussion in 'Cisco' started by jeremiah.meyers@gmail.com, Jan 11, 2007.

  1. Guest

    I'm not sure if this is the correct board to be posting this to; if not,
    please point me in the correct direction. Anyway, I have a PIX 506e
    Firewall and I want to deny all internet traffic to 5 internal IP
    addresses, 192.168.2.80-192.168.2.85. I believe I have to create an ACL
    for this, then an access group, but I am unsure of the syntax of the
    access-list.

    I think the access-list is like so:

    access-list inside_out deny ip 192.168.2.80 255.255.255.255
    216.110.76.32 255.255.255.255

    Where 216.110.76.32 is my outside interface IP address given to me by
    my ISP.

    The access-group is something like this, I think:

    access-group inside_out in interface inside

    Any help would be greatly appreciated

    Thanks in advance :)

    Jeremiah
     
    , Jan 11, 2007
    #1

  2. Brian V Guest

    <> wrote in message
    news:...
    > I'm not sure if this is the correct board to be posting this to, if not
    > please point me in the correct direction. Anyway I have a PIX 506e
    > Firewall and I want to deny all internet traffic to 5 internal IP
    > addresses 192.168.2.80-192.168.2.85 I believe I have to create an ACL
    > for this then an access group, but I am unsure of the syntax of the
    > access-list
    >
    > I think the access-list is like so:
    >
    > access-list inside_out deny ip 192.168.2.80 255.255.255.255
    > 216.110.76.32 255.255.255.255
    >
    > Where 216.110.76.32 is my outside interface IP address given to me by
    > my ISP.
    >
    > the access-group is something like this I think:
    >
    > access-group inside_out in interface inside
    >
    > Any help would be greatly appreciated
    >
    > Thanks in advance :)
    >
    > Jeremiah
    >


    access-list inside_out deny ip 192.168.20.80 255.255.255.252 any
    access-list inside_out deny ip 192.168.20.84 255.255.255.255 any
    access-list inside_out permit ip any any
    access-group inside_out in interface inside
     
    Brian V, Jan 11, 2007
    #2

  3. Guest

    Brian,

    Thank you, one last question though... The deny entries take charge
    over the permit entries correct?

    Jeremiah

    Brian V wrote:
    > <> wrote in message
    > news:...
    > > I'm not sure if this is the correct board to be posting this to, if not
    > > please point me in the correct direction. Anyway I have a PIX 506e
    > > Firewall and I want to deny all internet traffic to 5 internal IP
    > > addresses 192.168.2.80-192.168.2.85 I believe I have to create an ACL
    > > for this then an access group, but I am unsure of the syntax of the
    > > access-list
    > >
    > > I think the access-list is like so:
    > >
    > > access-list inside_out deny ip 192.168.2.80 255.255.255.255
    > > 216.110.76.32 255.255.255.255
    > >
    > > Where 216.110.76.32 is my outside interface IP address given to me by
    > > my ISP.
    > >
    > > the access-group is something like this I think:
    > >
    > > access-group inside_out in interface inside
    > >
    > > Any help would be greatly appreciated
    > >
    > > Thanks in advance :)
    > >
    > > Jeremiah
    > >

    >
    > access-list inside_out deny ip 192.168.20.80 255.255.255.252 any
    > access-list inside_out deny ip 192.168.20.84 255.255.255.255 any
    > access-list inside_out permit ip any any
    > access-group inside_out in interface inside
     
    , Jan 11, 2007
    #3
  4. mak Guest

    wrote:
    > I'm not sure if this is the correct board to be posting this to, if not
    > please point me in the correct direction. Anyway I have a PIX 506e
    > Firewall and I want to deny all internet traffic to 5 internal IP
    > addresses 192.168.2.80-192.168.2.85

    Traffic TO internal addresses?
    Meaning from outside to inside?

    That would be blocked by default.
    > I believe I have to create an ACL
    > for this then an access group, but I am unsure of the syntax of the
    > access-list
    >
    > I think the access-list is like so:
    >
    > access-list inside_out deny ip 192.168.2.80 255.255.255.255

    If you want to block from inside to outside:
    access-list inside_out deny ip host 192.168.2.80 any

    What version do you have? You probably could make an object group for the 5 IPs...
    > 216.110.76.32 255.255.255.255


    You won't need this.
    > Where 216.110.76.32 is my outside interface IP address given to me by
    > my ISP.
    >
    > the access-group is something like this I think:
    >
    > access-group inside_out in interface inside


    Correct.
    > Any help would be greatly appreciated
    >
    > Thanks in advance :)
    >
    > Jeremiah
    >


    M
     
    mak, Jan 11, 2007
    #4
  5. Guest

    Mark,
    I want to block from inside addresses to the outside address, so if a
    computer has an IP address of 192.168.2.80, the computer will have
    access to all network resources (printers, servers, and computers) but no
    internet access.

    Here is my PIX version and PDM version as well.

    Cisco PIX Firewall Version 6.2(2)
    Cisco PIX Device Manager Version 2.0(2)


    Thanks
    Jeremiah
     
    , Jan 11, 2007
    #5
  6. Brian V Guest

    <> wrote in message
    news:...
    > Brian,
    >
    > Thank you, one last question though... The deny entries take charge
    > over the permit entries correct?
    >
    > Jeremiah
    >
    > Brian V wrote:
    >> <> wrote in message
    >> news:...
    >> > I'm not sure if this is the correct board to be posting this to, if not
    >> > please point me in the correct direction. Anyway I have a PIX 506e
    >> > Firewall and I want to deny all internet traffic to 5 internal IP
    >> > addresses 192.168.2.80-192.168.2.85 I believe I have to create an ACL
    >> > for this then an access group, but I am unsure of the syntax of the
    >> > access-list
    >> >
    >> > I think the access-list is like so:
    >> >
    >> > access-list inside_out deny ip 192.168.2.80 255.255.255.255
    >> > 216.110.76.32 255.255.255.255
    >> >
    >> > Where 216.110.76.32 is my outside interface IP address given to me by
    >> > my ISP.
    >> >
    >> > the access-group is something like this I think:
    >> >
    >> > access-group inside_out in interface inside
    >> >
    >> > Any help would be greatly appreciated
    >> >
    >> > Thanks in advance :)
    >> >
    >> > Jeremiah
    >> >

    >>
    >> access-list inside_out deny ip 192.168.20.80 255.255.255.252 any
    >> access-list inside_out deny ip 192.168.20.84 255.255.255.255 any
    >> access-list inside_out permit ip any any
    >> access-group inside_out in interface inside

    >


    Yes, that is correct; it actually reads top down. At the bottom of all ACLs
    is a deny ip any any, which is why the permit ip any any is needed, or no
    traffic would flow through the interface. You cannot see the deny ip any
    statement; in reality your ACL looks like this:
    access-list inside_out deny ip 192.168.20.80 255.255.255.252 any
    access-list inside_out deny ip 192.168.20.84 255.255.255.255 any
    access-list inside_out permit ip any any
    access-list inside_out deny ip any any
     
    Brian V, Jan 11, 2007
    #6
  7. mak Guest

    Brian V wrote:
    >
    > Yes, that is correct, it actually reads top down. On the bottom of all ACL's
    > is a deny ip any any, which is why the permit ip any any is needed or no
    > traffic would flow thru the interface.


    That doesn't apply to the inside interface though, right?
    I have many Pixen where I don't have an explicit permit from inside to outside...

    M
     
    mak, Jan 12, 2007
    #7
  8. In article <>,
    mak <> wrote:
    >Brian V wrote:


    >> Yes, that is correct, it actually reads top down. On the bottom of all ACL's
    >> is a deny ip any any, which is why the permit ip any any is needed or no
    >> traffic would flow thru the interface.


    >that doesn't apply to the inside interface though, right?
    >I have many Pixen where I don't have an explizit permit from inside to
    >outside...


    It applies to all interfaces, in all directions, in IOS and in PIX OS,
    and all other places where ACLs occur, that I have ever looked at in
    Cisco documentation: if an ACL has been configured, then there is
    *always* a default deny at the end of it.

    What that default deny -means- can be strange sometimes -- for example,
    a deny on a route-map can turn out, in context, to mean "do not reroute
    traffic, let it flow normally".

    On the other hand, if no ACL has been configured, the default behaviour
    varies with software rev and with circumstances too complex to
    state simply.

    Recall too that in PIX, the interface ACLs are ignored for VPN traffic
    if you have configured the appropriate sysopt connection permit-*
    command.
     
    Walter Roberson, Jan 12, 2007
    #8
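An added example (not code from the thread or from Cisco) that simulates the top-down, first-match evaluation and the implicit trailing deny that Brian V and Walter Roberson describe, applied to the access-lists posted above. It assumes Brian's 192.168.20.x was a typo for the poster's 192.168.2.x network, and uses 198.51.100.10 as a constructed Internet destination.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A.B.C.D | A.B.C.D MASK).
    PIX access-lists take subnet masks (255.255.255.252), not IOS wildcards."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_acl(config):
    """Parse 'access-list NAME {permit|deny} ip SRC DST' lines, keeping the
    configured order per ACL name (only the 'ip' form used in the thread)."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins, top down; if nothing matches, the
    implicit 'deny ip any any' at the end of every configured ACL applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"

def blocked_hosts(aces, hosts, dst="198.51.100.10"):
    # Hosts whose traffic to the (constructed) Internet address dst is denied.
    return [h for h in hosts if evaluate(aces, h, dst) == "deny"]

# Brian V's answer, with 192.168.2.x assumed in place of 192.168.20.x.
BRIAN_ACL = parse_acl("""
access-list inside_out deny ip 192.168.2.80 255.255.255.252 any
access-list inside_out deny ip 192.168.2.84 255.255.255.255 any
access-list inside_out permit ip any any
""")["inside_out"]
# The poster's first attempt: one deny toward the PIX's outside address and
# no permit, so the implicit deny blocks every inside host, not just .80.
OP_ACL = parse_acl("""
access-list inside_out deny ip 192.168.2.80 255.255.255.255 216.110.76.32 255.255.255.255
""")["inside_out"]
```

Note that Brian's two deny entries cover .80 through .84 only; .85 still matches the permit, so the poster's stated .80-.85 range would need a further entry.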
