PIX- limit web browsing for a specific machine, allowing all others.

Discussion in 'Cisco' started by barret bonden, Jan 15, 2008.

  1. I want to limit web browsing for a specific machine, allowing all others.

    Am I better off doing this on the inside or outside interface ?

    How do I control the order of the commands in the access-list ? Is it just
    a matter of entry order ?
    Is this syntax correct for the inside ?

    Access-list ach-in deny tcp host 192.168.0.22 any eq 80

    Access-list ach-in permit ip any any

    Access-list ach-in in interface inside
    barret bonden, Jan 15, 2008
    #1

  2. In article <478cb48b$0$9134$>,
    barret bonden <> wrote:
    >I want to limit web browsing for a specific machine, allowing all others.


    >Am I better off doing this on the inside or outside interface ?


    Inside, for sure.


    > How do I control the order of the commands in the access-list ? Is it just
    >a matter of entry order ?


    Yes. Though if you have a late enough version of PIX OS, you can
    use "line" modifiers to insert before specific lines or delete
    specific lines.


    >Is this syntax correct for the inside ?


    >Access-list ach-in deny tcp host 192.168.0.22 any eq 80


    >Access-list ach-in permit ip any any


    >Access-list ach-in in interface inside


    I do not recall at the moment whether "access-list" is case-sensitive.
    The syntax for the rest looks fine. As a practical matter, though,
    you may also wish to block common proxy ports as well as port 80.
    You might find that easier to manage if you use a port-object
    to create the list of ports and then use

    access-list ach-in deny tcp host 192.168.0.22 any object-group blocked_ports
    Walter Roberson, Jan 15, 2008
    #2

  3. mcaissie

    "Walter Roberson" <> wrote in message
    news:K48jj.73269$EA5.16439@pd7urf2no...
    > In article <478cb48b$0$9134$>,
    > barret bonden <> wrote:
    >>I want to limit web browsing for a specific machine, allowing all others.

    >
    >>Am I better off doing this on the inside or outside interface ?

    >
    > Inside, for sure.
    >
    >
    >> How do I control the order of the commands in the access-list ? Is it
    >> just
    >>a matter of entry order ?

    >
    > Yes. Though if you have a late enough version of PIX OS, you can
    > use "line" modifiers to insert before specific lines or delete
    > specific lines.
    >
    >
    >>Is this syntax correct for the inside ?

    >
    >>Access-list ach-in deny tcp host 192.168.0.22 any eq 80

    >
    >>Access-list ach-in permit ip any any



    >
    >>Access-list ach-in in interface inside


    To apply the list on the interface you would need the access-group command

    access-group ach-in in interface inside
    >
    > I do not recall at the moment whether "access-list" is case-sensitive.
    > The syntax for the rest looks fine. As a practical matter, though,
    > you may also wish to block common proxy ports as well as port 80.
    > You might find that easier to manage if you use a port-object
    > to create the list of ports and then use
    >
    > access-list ach-in deny tcp host 192.168.0.22 any object-group
    > blocked_ports
    >
    mcaissie, Jan 15, 2008
    #3
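Putting the thread's pieces together (the host-specific deny first, an object-group for the port list, and access-group rather than access-list to bind the list), as an added example that is not posted by any participant. It assumes PIX OS 6.3-style syntax; the proxy ports 3128, 8000 and 8080 and the second host 192.168.0.23 are constructed values, not from the thread, and the comment lines are explanatory only.

```cisco
! Added example, not from the thread. PIX OS 6.3-style syntax assumed.
! Port list to deny for the one host: 80 plus common proxy ports
! (the proxy port choice is an assumption; use what you see in use).
object-group service blocked_ports tcp
  port-object eq www
  port-object eq 3128
  port-object eq 8000
  port-object eq 8080

! Order matters: the PIX evaluates the list top-down and stops at the
! first match, so the host-specific deny must precede the catch-all permit.
access-list ach-in deny tcp host 192.168.0.22 any object-group blocked_ports
access-list ach-in permit ip any any

! access-group, not access-list, binds the list to an interface;
! "in" on inside filters traffic arriving from the LAN side.
access-group ach-in in interface inside

! On a PIX OS that supports line numbers, a later deny can be inserted
! above the permit (line 2) without rebuilding the whole list:
access-list ach-in line 2 deny tcp host 192.168.0.23 any object-group blocked_ports
```

Only the ports in blocked_ports are denied for that host; anything else it sends, including TCP/443, still matches the permit, so extend the group if that is not the intent.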