How can I prevent certain internal PCs from getting to the Internet?


skhoury (IS-IT--Management), Nov 28, 2003
Hello all,

We have a set of servers that are sitting behind our PIX515 v.6.3.

We've got a series of static maps and the rest of the servers use NAT.

My question is this: How can I limit what servers can actually access the NAT pool (i.e. what servers are allowed to go to the internet).


Thanks guys!

Sam
 
Hello there.

You can control which inside servers can be serviced by your NAT pool by either explicitly permitting the inside hosts you want to be able to use the pool or, conversely, denying the hosts you don't want to have access to the pool:

nat (inside) 1 access-list 1
access-list 1 permit ip host 10.0.0.1 any
access-list 1 permit ip host 10.0.0.2 any
access-list 1 permit ip host 10.0.0.3 any
etc

This will explicitly allow hosts 10.0.0.1 through to 10.0.0.3 to get translated. Anything else not in the list gets implicitly denied a NAT translation.

However, if the list of servers to deny is smaller than the list to be allowed, you can turn this on its head and change ACL 1 as follows:

nat (inside) 1 access-list 1
access-list 1 deny ip host 10.0.0.100 any
access-list 1 deny ip host 10.0.0.101 any
access-list 1 deny ip host 10.0.0.102 any
access-list 1 permit ip any any

This will explicitly deny hosts 10.0.0.100 through to 10.0.0.102 from getting translated. Anything else not in the list gets implicitly permitted a NAT translation.
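A fuller version of the permit-list approach above, added here as a worked example rather than text from the thread. It assumes PIX 6.3 syntax, an inside network of 10.0.0.0/24 and PAT on the outside interface address; the ACL names, addresses and interface names are illustrative. The lines starting with "!" are explanation only and should be dropped before pasting.

```cisco
! Added example, not from the original thread. Assumes PIX 6.3,
! inside network 10.0.0.0/24, PAT on the outside interface address.

! 1. Hosts that are allowed to use NAT pool 1. A PIX extended ACL entry
!    needs protocol, source and destination, so "any" here is the
!    destination, not a shortcut for "permit any".
access-list nat_to_internet permit ip host 10.0.0.1 any
access-list nat_to_internet permit ip host 10.0.0.2 any
access-list nat_to_internet permit ip host 10.0.0.3 any

! 2. Tie the list to pool 1. A source that matches no nat statement gets
!    no translation and the PIX drops the packet (syslog shows
!    "No translation group found").
nat (inside) 1 access-list nat_to_internet
global (outside) 1 interface

! 3. Belt and braces: enforce the same policy at the filtering layer.
!    A static, or a later "nat (inside) 0", hands a host a translation
!    regardless of the list above; an ACL applied inbound on the inside
!    interface still stops it. Permit the allowed hosts (and any
!    internal-only destinations such as a DMZ first, if you have one),
!    then deny and log everything else.
access-list inside_out permit ip host 10.0.0.1 any
access-list inside_out permit ip host 10.0.0.2 any
access-list inside_out permit ip host 10.0.0.3 any
access-list inside_out deny ip 10.0.0.0 255.255.255.0 any log
access-group inside_out in interface inside
```

Two things to check after applying this. Changing a nat statement does not tear down translations that already exist, so run clear xlate afterwards (it drops the current sessions through the PIX) or the old hosts keep working until their xlates time out. And servers that already have a static mapping are translated by that static, not by pool 1, which is why the inside_out ACL is there: without it, restricting the pool does nothing for the statically mapped servers.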
 
That is exactly what I was looking for!

Thanks KiscoKid!

Sam
 
I just realized that you can't place deny statements into a NAT policy statement!

However your other suggestion will work just fine...excluding the "permit any" part.

Thanks!

Sam
 
On my network, certain servers don't have a default gateway. No access to the Internet.
 