Block internal IP with Cisco PIX 501

Discussion in 'Cisco' started by jawdoc, Mar 6, 2007.

  1. jawdoc

    jawdoc Guest

    Can I block a specific internal IP or range of IPs from accessing the
    outside interface, i.e. the internet, on a PIX 501?
    If so, I was hoping for a little help with the command line.
    Thanks in advance!
     
    jawdoc, Mar 6, 2007
    #1

  2. You have to define an access-list that matches the IP range you want to block,
    e.g.
    access-list nointernet deny 1.2.3.0 255.255.255.0
    access-group nointernet out interface outside
    This should do the trick.

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie
    Postfach 1169
    D-79011 Freiburg, Germany
    Phone: +49-761-5108-464  Fax: -452
    Internet: [email protected] dot mpg dot de
    http://www.immunbio.mpg.de/home/menue.html
     
    Christoph Gartmann, Mar 7, 2007
    #2

  3. jawdoc

    chris Guest


    You can't apply an access list 'out' on the outside interface on a Pix 501.
    That is only supported in version 7.

    Try ..

    access-list nointernet deny ip 1.2.3.0 255.255.255.0 any
    access-list nointernet permit ip any any

    access-group nointernet in interface inside

    Or, you just set up NAT/PAT for the networks that you wish to have outbound
    access.

    Chris.
     
    chris, Mar 7, 2007
    #3
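
Added example, not part of any post in this thread: a small Python model of how the ACL from reply #3 is evaluated (first match wins, then the implicit deny that ends every ACL), showing why the `permit ip any any` line is needed. The sample addresses 192.168.1.10 and 198.51.100.10 and the deny-only variant are constructed for illustration.

```python
import ipaddress

# ACL lines exactly as posted in reply #3 (PIX syntax: subnet masks, not IOS wildcard masks).
ACL_WITH_PERMIT = """\
access-list nointernet deny ip 1.2.3.0 255.255.255.0 any
access-list nointernet permit ip any any
"""
# Constructed variant: the same ACL with the trailing permit left out.
ACL_DENY_ONLY = "access-list nointernet deny ip 1.2.3.0 255.255.255.0 any\n"


def take_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'NET MASK') from tokens."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{word}/{tokens.pop(0)}")


def parse_acl(text):
    """Return a list of (action, src_net, dst_net) for 'ip' protocol entries."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        rules.append((action, take_addr(rest), take_addr(rest)))
    return rules


def evaluate(rules, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for name, acl in (("with permit", ACL_WITH_PERMIT), ("deny only", ACL_DENY_ONLY)):
        for src in ("1.2.3.7", "192.168.1.10"):  # constructed inside hosts
            print(name, src, evaluate(parse_acl(acl), src, "198.51.100.10"))
```
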
  4. jawdoc

    jawdoc Guest

    Thanks!
     
    jawdoc, Mar 7, 2007
    #4