
controlling web access using access lists


revahi (Vendor, GB)
Dec 11, 2002
Hello, this is my first post. I've read through all the posts that may relate to my problem, but nothing I tried worked.
I want to restrict all workstations' web/Internet access based on their IP address, with the exception of 3 workstations.
For reference I'll use the following as the addresses in this config.
1) ISP assigned ip 199.199.64.26
2) Internal address range 192.168.1.0-254
3) Exceptions 192.168.1.10, 11 and 13
4) router address 192.168.0.254
5) PIX 515E inside address 192.168.1.1
6) PIX outside interface address 192.168.0.1
PIX configured with NAT etc. successfully so far no problems.

Web block on subnet 192.168.1.0-254 with the exception of 192.168.1.10, 11 and 13.

I tried the following:
access-list browser_control permit tcp host 192.168.1.10 any
<repeat this line for 192.168.1.11 and 13>
access-list browser_control deny tcp any host 199.199.64.26
access-group browser_control in interface inside

This restricts ALL addresses, including those in the permit statement, from browsing the web.
I tried swapping the permit and deny statements around (first the deny any, then the permit on those explicit addresses), and I tried using the Internet router address 192.168.0.254 instead of the ISP-assigned public address, but it either permits all addresses or denies all addresses.
Is it possible to configure this firewall so that I can selectively allow access to a given number of workstations based on their IP addresses?

Thanks very much in advance for your help.
revahi
 
You probably forgot to enable DNS lookup before all this. Permit udp port 53 for those machines that need Internet access.

Jan

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the Danish Cisco CSA Forum here:
 
Many thanks for your help!

I solved it in the end because of 2 things:
There is always an implicit deny statement in every ACL; it just doesn't show. Wish I knew about this before :-0
I "widened" the scope of the ACL by using ip instead of a protocol and port number, so the ACL looks like this:

access-list browser_control permit ip host 192.168.1.1 any
access-group browser_control in interface inside

Now only workstation ..1.1 can access the outside.

I also found out that you can only have 1 ACL on each interface, which is normally applied on the inbound direction.
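To show why the first ACL in this thread blocked even the exempt workstations and why the "permit ip host ... any" form works, here is an added example (my own code, not from the thread or from Cisco) that simulates the PIX first-match evaluation with the implicit deny at the end. It assumes a simplified ACE grammar covering only the forms used in the thread, and the resolver and web-server addresses are constructed TEST-NET values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

def parse_ace(line):
    """Parse one ACE: access-list NAME permit|deny PROTO (host A|any) (host B|any) [eq PORT]."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    addrs = []
    while len(addrs) < 2:
        if rest[0] == "host":
            addrs.append(rest[1]); rest = rest[2:]
        else:
            addrs.append("any"); rest = rest[1:]
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, addrs[0], addrs[1], dport

def evaluate(acl, pkt):
    """PIX semantics: the first matching ACE wins; every ACL ends in an implicit deny."""
    for action, proto, src, dst, dport in map(parse_ace, acl):
        if proto != "ip" and proto != pkt.proto: continue
        if src != "any" and src != pkt.src: continue
        if dst != "any" and dst != pkt.dst: continue
        if dport is not None and dport != pkt.dport: continue
        return action
    return "deny"  # the implicit deny that never shows in the config

EXEMPT = ["192.168.1.10", "192.168.1.11", "192.168.1.13"]
# The poster's first attempt: tcp-only permits, so UDP/53 DNS from the exempt hosts is denied.
ORIGINAL_ACL = [f"access-list browser_control permit tcp host {h} any" for h in EXEMPT] + [
    "access-list browser_control deny tcp any host 199.199.64.26"]
# The working form from the thread, one "permit ip host ... any" per exception.
FIXED_ACL = [f"access-list browser_control permit ip host {h} any" for h in EXEMPT]

def browse_outcome(acl, host, resolver="203.0.113.53", web="198.51.100.80"):
    """Return (dns, http) verdicts for a host; browsing needs both (constructed TEST-NET addresses)."""
    dns = evaluate(acl, Packet("udp", host, resolver, 53))
    http = evaluate(acl, Packet("tcp", host, web, 80))
    return dns, http

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for host in ("192.168.1.10", "192.168.1.20"):
            print(name, host, browse_outcome(acl, host))
```

The simulation reproduces the thread's outcome: under the original ACL the exempt host gets TCP through but its DNS lookups hit the implicit deny, so browsing fails, while under the fixed ACL only the listed hosts pass and every other workstation is dropped without any explicit deny line.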
 