trying to block a range of IP's from using the web
- From: "Barrett Bonden" <arthur@xxxxxxxxxxxxxxx>
- Date: Thu, 26 Jan 2006 18:35:54 -0500
need syntax to block a range of IP addresses from using the web in any way (they
just need to reach an internal server), so I want to stop them from
getting out or anything from the web reaching them. These machines are in
the range of 192.168.0.10 to 0.254
I have (but it's been months since I did PIX/Cisco, and boy am I rusty) an
access list now with commands like
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit tcp any host 192.168.0.42 range 10000
10
access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
Can I just add to it to block anything coming in to a subnet? I suppose I
can do this:
access-list outside_access_in deny ip deny any 1982.168.0.0 0.0.0.255 (can
I ?)
But of course that would block the owner, on 0.4 - so is there syntax for
a range of IPs?
Or should I create a new access group for anything leaving the inside
interface?
Something like
access-group inside_access_out in interface inside
access-list inside_access_out deny any 192.168.0.2 255.255.255.0
(the inside interface : ip address inside 192.168.0.2 255.255.255.0)
But again, this would stop any machine on the inside from getting to the
inside interface on the PIX (at least I think that's what I'm saying).
Any help offered on syntax or concepts much appreciated.
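Added example, not part of the original post: PIX access-list entries take an address and netmask (or `host`) rather than a start and end address, so a range such as 192.168.0.10 to 192.168.0.254 has to be split into aligned blocks. The sketch below does that split and prints deny lines for an ACL applied inbound on the inside interface; the ACL name `inside_access_in` and the closing `permit ip any any` are assumptions for illustration.

```python
import ipaddress

def range_to_networks(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def pix_source(net):
    """Format a block as PIX ACLs expect: address + netmask, or 'host' for a /32."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def build_acl(acl_name, first, last, interface="inside"):
    """Deny each block in the range, permit everything else, bind to interface."""
    lines = [f"access-list {acl_name} deny ip {pix_source(n)} any"
             for n in range_to_networks(first, last)]
    # ACLs end in an implicit deny, so hosts outside the range need a permit.
    lines.append(f"access-list {acl_name} permit ip any any")
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines

def is_blocked(addr, first, last):
    """True if addr falls inside any generated deny block."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in n for n in range_to_networks(first, last))

if __name__ == "__main__":
    # Range taken from the post; ACL name is hypothetical.
    for line in build_acl("inside_access_in", "192.168.0.10", "192.168.0.254"):
        print(line)
```

The range includes 192.168.0.42, the host the existing outside_access_in list permits inbound, while 192.168.0.4 stays outside every deny block.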