#182831 - 2007-11-20 11:55 PM Block all Internet Access
NTDOC Administrator Offline
Administrator
Registered: 2000-07-28
Posts: 11623
Loc: CA
Is there a way (without using a proxy server or similar) to block an individual workstation from accessing the Internet?

I know I can modify the HOSTS file to redirect but don't think it takes wild cards for an entry.

I still want them to be able to run IE for the Intranet, so blocking IE with an ACL is not a good solution.

Currently all systems have direct access to the Internet through a Cisco firewall.

Thanks for input.

#182832 - 2007-11-21 12:12 AM Re: Block all Internet Access [Re: NTDOC]
Allen Administrator Offline
KiX Supporter
Registered: 2003-04-19
Posts: 4545
Loc: USA
If you can remove the default gateway, that would stop it quick.
#182834 - 2007-11-21 12:17 AM Re: Block all Internet Access [Re: Allen]
DrillSergeant Offline
MM club member
Registered: 2004-07-09
Posts: 1164
Loc: Eijsden, the Netherlands
This might help:
http://www.windowsitpro.com/Articles/ArticleID/48516/48516.html?Ad=1
_________________________
The Code is out there

#182836 - 2007-11-21 01:33 AM Re: Block all Internet Access [Re: DrillSergeant]
NTDOC Administrator Offline
Administrator
Registered: 2000-07-28
Posts: 11623
Loc: CA
Thanks Drill - that's an excellent idea I forgot about (even though I actually used it about 4 years ago once)

http://support.microsoft.com/kb/313190

#182841 - 2007-11-21 07:41 AM Re: Block all Internet Access [Re: NTDOC]
Gargoyle Offline
MM club member
Registered: 2004-03-09
Posts: 1597
Loc: Valley of the Sun (Arizona, US...
Do you have access to the firewall and/or edge router? If so then it is quite easy.


On the edge you can do an outbound ACL
 Code:
access-list 104 deny ip host x.x.x.x any


On the firewall it would be a bit trickier, as you don't want to apply an ACL to your inside interface as that would break the implicit permit of established connections that is allowed on a PIX (ASA).
_________________________
Today is the tomorrow you worried about yesterday.

#182842 - 2007-11-21 07:46 AM Re: Block all Internet Access [Re: Gargoyle]
NTDOC Administrator Offline
Administrator
Registered: 2000-07-28
Posts: 11623
Loc: CA
Thanks Garg - here is what I did and it works fine for what I wanted.
This blocks the actual switch level port that the workstation is plugged into so that it does not matter what IP DHCP gives him.

NOTE: DO NOT blindly apply this. This is just an example that works in my environment but may not work in yours.


 Quote:
Login to your Cisco switch and run the following to find out what port it's on.
(xxx is the ip of the machine you want to find)
(yyy is the MAC of the machine you just looked up)

NOTE: This will lock out ALL outside traffic but will allow internal traffic
Your mileage may vary and you may have or need a more sophisticated access list so
don't just blindly apply this as is.


show ip arp xxx.xxx.xxx.xxx
show mac-address-table | include yyyy.yyyy.yyyy


Then run the following command (based on 192.168.1.x network:)

configure terminal
access-list 101 permit ip host 192.168.1.125 192.168.0.0 0.0.255.255
access-list 101 deny ip any any
! fa5/46 is the interface port found from doing the MAC lookup
interface fa5/46
ip access-group 101 in
end
copy running start
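
As an added illustration for both the edge-router ACL and the per-port switch ACL above (this is not code from the thread or from any poster), here is a small Python evaluator for the "ip" form of IOS numbered access-list lines. It is run against constructed ACLs and constructed packets (203.0.113.7 is a documentation address standing in for an Internet host, and the trailing "permit ip any any" on the edge ACLs is an assumption added so the difference is visible). It shows why the switch ACL lets the workstation reach 192.168.x.x but not the Internet, and why the second field of an IOS ACL address is a wildcard mask: writing a subnet mask such as 255.255.255.255 there matches every source, whereas "host A" (wildcard 0.0.0.0) matches only that one address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ACLs (not from the thread). The first mirrors the per-port
# switch ACL style; the next two show an edge-router "deny this host" entry
# written with a subnet mask versus with the host keyword.
SWITCH_ACL = [
    "access-list 101 permit ip host 192.168.1.125 192.168.0.0 0.0.255.255",
    "access-list 101 deny ip any any",
]
EDGE_ACL_SUBNET_MASK = [
    "access-list 104 deny ip 192.168.1.125 255.255.255.255 any",
    "access-list 104 permit ip any any",   # assumed, to make the effect visible
]
EDGE_ACL_HOST = [
    "access-list 104 deny ip host 192.168.1.125 any",
    "access-list 104 permit ip any any",   # assumed, to make the effect visible
]


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    src: int         # source base address as a 32-bit int
    src_wc: int      # source wildcard mask (a 1 bit means "don't care")
    dst: int
    dst_wc: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i].lower() == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i].lower() == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse numbered 'access-list N permit|deny ip SRC DST' lines."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0].lower() != "access-list":
            continue                       # blank line or '!' comment
        if tokens[3].lower() != "ip":
            raise ValueError("only the 'ip' protocol form is handled here")
        src, src_wc, i = _parse_addr(tokens, 4)
        dst, dst_wc, _ = _parse_addr(tokens, i)
        entries.append(Entry(tokens[2].lower(), src, src_wc, dst, dst_wc))
    return entries


def _matches(addr, base, wildcard):
    # Only the bits where the wildcard is 0 have to agree with the base.
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def evaluate(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if _matches(src, e.src, e.src_wc) and _matches(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


def wildcard_from_netmask(netmask):
    """Convert a subnet mask to the inverse wildcard mask IOS ACLs expect."""
    return str(ipaddress.IPv4Address(~_ip(netmask) & 0xFFFFFFFF))


def demo():
    """Evaluate constructed packets; 203.0.113.7 stands in for an Internet host."""
    switch = parse_acl(SWITCH_ACL)
    subnet_style = parse_acl(EDGE_ACL_SUBNET_MASK)
    host_style = parse_acl(EDGE_ACL_HOST)
    return {
        "switch_intranet": evaluate(switch, "192.168.1.125", "192.168.50.10"),
        "switch_internet": evaluate(switch, "192.168.1.125", "203.0.113.7"),
        # wildcard 255.255.255.255 ignores every bit, so any source matches
        "subnet_mask_other_host": evaluate(subnet_style, "192.168.1.200", "203.0.113.7"),
        "host_keyword_other_host": evaluate(host_style, "192.168.1.200", "203.0.113.7"),
        "host_keyword_target": evaluate(host_style, "192.168.1.125", "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the block prints the verdict for each constructed packet; the "subnet_mask_other_host" case coming back as deny is the point to remember when reviewing an ACL change that is meant to affect a single host.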



#182873 - 2007-11-21 04:30 PM Re: Block all Internet Access [Re: NTDOC]
Gargoyle Offline
MM club member
Registered: 2004-03-09
Posts: 1597
Loc: Valley of the Sun (Arizona, US...
That is another way. I don't work on the LAN side too much anymore so tend to forget that you can do it at the local switch as well; now as long as they don't go changing their ports on you, you will be fine. :)
_________________________
Today is the tomorrow you worried about yesterday.
