Pix Traffic control 1

Status
Not open for further replies.

br0ck

MIS
Apr 25, 2002
467
US
Hello,
I have been posed with a new challenge. I have a customer that we are installing a PIX 501-50U and building a VPN to a Central Office(CO). Here is the fun part. I need to allow everyone access to the vpn for a Web/Java based app hosted in the CO and only allow 3 inside hosts access to the public internet. I have no servers to use AAA.

Any advice

Thanks In Advance


 
I can see two easy options

Option one: create multiple VLANs and, since the 501 only has one fixed inside IP, you will need to create a logical one (I'm not sure if you can do this with the 501), then create access rules appropriate for each VLAN.

Option two: don't allow any internet access at your branch office, allow everyone to connect to the Central Office (CO), and then, if you have a proxy, control authentication and internet access from there.

Hope that helps
 
You should be able to accomplish this with ACLs and some subnet trickery.

People you want to allow everything out
192.168.2.0 255.255.255.248 (Host IPs 192.168.2.1-6, 2.7 is broadcast.)
Whole Network
192.168.2.0 255.255.255.0 (Host IPs 192.168.2.8-254, with 255 as broadcast)

access-list outbound permit ip 192.168.2.0 255.255.255.248 any
access-list outbound permit ip 192.168.2.0 255.255.255.0 [IP and Mask of remote network]
access-list outbound deny ip any any

access-group outbound in interface inside


This should allow 192.168.2.1-6 access to everything and restrict 192.168.2.8-254 to the CO only. Obviously no DHCP by the PIX here, as you can't make it hand out IPs based on MAC addresses.



Brent
Systems Engineer / Consultant
CCNP, CCSP
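Added example, not from the thread: a small first-match evaluator for the posted access-list, so the subnet trick can be checked before it goes on the box. The remote CO network is not given in the thread, so 10.10.10.0/24 is a constructed placeholder, and 203.0.113.10 stands in for an arbitrary Internet host; note that the /29 match covers 192.168.2.0-7, so .7 is also let out.

```python
import ipaddress

# Constructed ACL modelled on the posted PIX "outbound" access-list.
# Assumption: 10.10.10.0/24 is a placeholder for the unspecified CO network.
REMOTE_NET = "10.10.10.0 255.255.255.0"
ACL_LINES = [
    "access-list outbound permit ip 192.168.2.0 255.255.255.248 any",
    f"access-list outbound permit ip 192.168.2.0 255.255.255.0 {REMOTE_NET}",
    "access-list outbound deny ip any any",
]

def _parse_addr(tokens, i):
    """Return (network, next_index) for 'any' or an 'addr mask' token pair."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2

def parse_acl(lines):
    """Parse PIX-style 'access-list NAME permit|deny ip SRC MASK DST MASK' lines."""
    rules = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        action = t[2]
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        rules.append((action, src, dst))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins, as on the PIX; implicit deny if none match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def internet_hosts(rules, lan="192.168.2.0/24", probe="203.0.113.10"):
    """List the LAN hosts the ACL permits out to an arbitrary Internet address."""
    return [str(h) for h in ipaddress.ip_network(lan).hosts()
            if evaluate(rules, str(h), probe) == "permit"]

if __name__ == "__main__":
    rules = parse_acl(ACL_LINES)
    print("Internet-capable hosts:", internet_hosts(rules))
    print("192.168.2.20 -> CO:", evaluate(rules, "192.168.2.20", "10.10.10.5"))
    print("192.168.2.20 -> Internet:", evaluate(rules, "192.168.2.20", "203.0.113.10"))
```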
 
That's what I was looking for.

I wasn't sure on the required ACLs, that's why I asked.



Thanks SuperGrrover

 