PIX - limit web browsing for a specific machine, allowing all others.

Discussion in 'Cisco' started by barret bonden, Jan 15, 2008.

  1. I want to limit web browsing for a specific machine, allowing all others.

    Am I better off doing this on the inside or outside interface?

    How do I control the order of the commands in the access-list ? Is it just
    a matter of entry order ?
    Is this syntax correct for the inside ?

    Access-list ach-in deny tcp host 192.168.0.22 any eq 80

    Access-list ach-in permit ip any any

    Access-list ach-in in interface inside
     
    barret bonden, Jan 15, 2008
    #1

  2. Inside, for sure.

    Yes. Though if you have a late enough version of PIX OS, you can
    use "line" modifiers to insert before specific lines or delete
    specific lines.

    I do not recall at the moment whether "access-list" is case-sensitive.
    The syntax for the rest looks fine. As a practical matter, though,
    you may also wish to block common proxy ports as well as port 80.
    You might find that easier to manage if you use a port-object
    to create the list of ports and then use

    access-list ach-in deny tcp host 192.168.0.22 any object-group blocked_ports
     
    Walter Roberson, Jan 15, 2008
    #2

  3. To apply the list on the interface you would need the access-group command

    access-group ach-in in interface inside
     
    mcaissie, Jan 15, 2008
    #3
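Putting the three replies together, here is an added configuration example (not posted by anyone in the thread) for PIX OS 6.3 or later. The ports in the object-group and the second host address 192.168.0.23 are assumptions chosen for illustration; only 192.168.0.22, the ACL name ach-in and the object-group name blocked_ports come from the thread.

```cisco
! Added example: assumed port list; adjust to what the site actually needs to block.
object-group service blocked_ports tcp
  port-object eq www
  port-object eq 443
  port-object eq 3128
  port-object eq 8080
!
! Entries are evaluated top-down and the first match wins, so the
! host-specific deny must come before the blanket permit.
access-list ach-in deny tcp host 192.168.0.22 any object-group blocked_ports
access-list ach-in permit ip any any
!
! Bind the list to traffic entering the inside interface. This is
! access-group; "access-list ach-in in interface inside" is not a command.
access-group ach-in in interface inside
!
! To restrict a second host later without rebuilding the list, insert it
! ahead of the permit with the line keyword (6.3+). 192.168.0.23 is assumed.
access-list ach-in line 2 deny tcp host 192.168.0.23 any object-group blocked_ports
!
! Confirm the final order and watch the per-entry hit counters.
show access-list ach-in
```

Without 443 in the group the host can still reach most sites over HTTPS, which is why the example lists it alongside the proxy ports Walter mentions.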
