Is there a way (without using a proxy server or similar) to block an individual workstation from accessing the Internet? I know I can modify the HOSTS file to redirect but don't think it takes wild cards for an entry. I still want them to be able to run IE for Intranet so blocking IE with ACL is not good solution. Currently all systems have direct access to the Internet through a Cisco firewall. Thanks for input. |
If you can remove the default gateway, that would stop it quick. |
This might help: http://www.windowsitpro.com/Articles/ArticleID/48516/48516.html?Ad=1 |
Thanks Drill - that's an excellent idea I forgot about (even though I actually used it about 4 years ago once) http://support.microsoft.com/kb/313190 |
Do you have access to the firewall and/or edge router? If so then it is quite easy. On the edge you can do an outbound ACL:

Code:
access-list 104 deny ip host x.x.x.x any

On the firewall it would be a bit trickier, as you don't want to apply an ACL to your inside interface since that would break the implicit permit for established connections that are allowed on a PIX (ASA).
Thanks Garg - here is what I did and it works fine for what I wanted. This blocks the actual switch-level port that the workstation is plugged into, so it does not matter what IP DHCP gives him. NOTE: DO NOT blindly apply this. This is just an example that works in my environment but may not work in yours.

Quote:
Log in to your Cisco switch and run the following to find out what port it's on. (xxx is the IP of the machine you want to find; yyy is the MAC of the machine you just looked up.) NOTE: This will lock out ALL outside traffic but will allow internal traffic. Your mileage may vary and you may have or need a more sophisticated access list, so don't just blindly apply this as is.

show ip arp xxx.xxx.xxx.xxx
show mac-address-table | include yyyy.yyyy.yyyy

Then run the following commands (based on a 192.168.1.x network):

configure terminal
access-list 101 permit ip host 192.168.1.125 192.168.0.0 0.0.255.255
access-list 101 deny ip any any
interface fa5/46
(this is the interface port found from doing the MAC lookup)
ip access-group 101 in
end
copy running start
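As an added example (not from any poster in this thread), here is a small Python model of IOS extended-ACL matching that lets you check an entry like the one above against sample source/destination pairs before binding it to a port; it also shows why a wildcard mask of 255.255.255.255 matches every host rather than one. The ACL_101 list is constructed from the post's commands; parse_ace, wildcard_match and evaluate are names of my own, and only plain "ip" entries with any / host / address+wildcard operands are modelled.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is ignored.
    (Inverse of a subnet mask: wildcard 255.255.255.255 matches ANY host.)"""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def parse_ace(line: str) -> Ace:
    """Parse a numbered extended IOS entry such as
    'access-list 101 permit ip host 192.168.1.125 192.168.0.0 0.0.255.255'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    operands = tok[4:]
    def take():
        if operands[0] == "any":
            del operands[0]; return "0.0.0.0", "255.255.255.255"
        if operands[0] == "host":
            host = operands[1]; del operands[:2]; return host, "0.0.0.0"
        base, wc = operands[0], operands[1]; del operands[:2]; return base, wc
    src, src_wc = take()
    dst, dst_wc = take()
    return Ace(tok[2], src, src_wc, dst, dst_wc)

def evaluate(acl, src: str, dst: str) -> str:
    """First-match evaluation, ending in the implicit 'deny any any' of every IOS ACL."""
    for entry in (parse_ace(l) for l in acl):
        if wildcard_match(src, entry.src, entry.src_wc) and wildcard_match(dst, entry.dst, entry.dst_wc):
            return entry.action
    return "deny"

# Constructed sample: the switch-port ACL from the post above.
ACL_101 = [
    "access-list 101 permit ip host 192.168.1.125 192.168.0.0 0.0.255.255",
    "access-list 101 deny ip any any",
]
```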
That is another way. I don't work on the LAN side too much anymore, so I tend to forget that you can do it at the local switch as well. Now, as long as they don't go changing their ports on you, you will be fine.