Pix 515e Internet Access Groups

[DennisTheMenace]

Can anyone point me to a config doc that will help me set up internet access groups on my PIX? I have 3 types of groups in mind:
1) No Access to the Internet
2) Access to a list of a dozen sites only
3) Full access to the Internet

Will this be done by IP, MAC, or can it be tied to the W2k3 user authentication? Any help to get me started would be greatly appreciated!
THANKS!
-Dennis

=====================
Remember - YOU ARE UNIQUE!!!... Just like EVERYONE ELSE! ;o)

 

[Supergrrover]

Try this -

Create 4 object groups - one of each of the 3 sets for access restrictions and one for the IPs that are allowed for group #2

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1038172

Now you will need to create an ACL applied to the inside interface to make these restrictions

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755

access-list inside-out permit ip object-group GROUP#1 any
access-list inside-out permit ip object-group GROUP#2 object-group ALLOWED-WEBSITES
access-list inside-out deny ip any any

access-group inside-out in interface inside



This is a quick and dirty answer - I have not really looked into using RADIUS to authenticate the traffic but I think it could be possible.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[DennisTheMenace]

Thanks Brent! I'll give that a try and post back!

-Dennis

=====================
Remember - YOU ARE UNIQUE!!!... Just like EVERYONE ELSE! ;o)