NTDOCAdministrator
(KiX Master)
2007-11-20 11:55 PM
Block all Internet Access

Is there a way (without using a proxy server or similar) to block an individual workstation from accessing the Internet?

I know I can modify the HOSTS file to redirect, but I don't think it takes wildcards for an entry.

I still want them to be able to run IE for the Intranet, so blocking IE with an ACL is not a good solution.

Currently all systems have direct access to the Internet through a Cisco firewall.

Thanks for input.


AllenAdministrator
(KiX Supporter)
2007-11-21 12:12 AM
Re: Block all Internet Access

If you can remove the default gateway, that would stop it quick.

DrillSergeant
(MM club member)
2007-11-21 12:17 AM
Re: Block all Internet Access

This might help:
http://www.windowsitpro.com/Articles/ArticleID/48516/48516.html?Ad=1


NTDOCAdministrator
(KiX Master)
2007-11-21 01:33 AM
Re: Block all Internet Access

Thanks Drill - that's an excellent idea I forgot about (even though I actually used it about 4 years ago once)

http://support.microsoft.com/kb/313190


Gargoyle
(MM club member)
2007-11-21 07:41 AM
Re: Block all Internet Access

Do you have access to the firewall and or edge router? If so then it is quite easy.


On the edge you can do an outbound ACL
 Code:
access-list 104 deny ip host x.x.x.x any
access-list 104 permit ip any any


On the firewall it would be a bit trickier, as you don't want to apply an ACL to your inside interface, since that would break the implicit permit for established connections that is allowed on a PIX (ASA).


NTDOCAdministrator
(KiX Master)
2007-11-21 07:46 AM
Re: Block all Internet Access

Thanks Garg - here is what I did and it works fine for what I wanted.
This blocks the actual switch level port that the workstation is plugged into so that it does not matter what IP DHCP gives him.

NOTE: DO NOT blindly apply this. This is just an example that works in my environment but may not work in yours.


 Quote:
Login to your Cisco switch and run the following to find out what port it's on.
(xxx is the ip of the machine you want to find)
(yyy is the MAC of the machine you just looked up)

NOTE: This will lock out ALL outside traffic but will allow internal traffic
Your mileage may vary and you may have or need a more sophisticated access list so
don't just blindly apply this as is.


show ip arp xxx.xxx.xxx.xxx
show mac-address-table | include yyyy.yyyy.yyyy


Then run the following command (based on 192.168.1.x network:)

configure terminal
access-list 101 permit ip host 192.168.1.125 192.168.0.0 0.0.255.255
access-list 101 deny ip any any
! fa5/46 is the interface port found from doing the MAC lookup
interface fa5/46
ip access-group 101 in
end
copy running-config startup-config
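
As an added illustration (not code from the thread), the following Python models how IOS evaluates the extended ACL 101 above against a source/destination pair: wildcard-mask matching, first-match-wins, and the implicit deny at the end. The parser covers only the `access-list N permit|deny ip SRC DST` form used in this thread, and the sample packets are constructed.

```python
import ipaddress

# Constructed input: the two ACL 101 lines from the post above.
ACL_101 = """
access-list 101 permit ip host 192.168.1.125 192.168.0.0 0.0.255.255
access-list 101 deny ip any any
"""

def _parse_addr(tokens, i):
    """Parse one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns (network, care_mask, next_token_index) as integers."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1                      # nothing has to match
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Cisco wildcard: 0 bits must match, 1 bits are "don't care"
    care = 0xFFFFFFFF ^ wildcard
    return addr & care, care, i + 2

def parse_acl(text):
    """Return a list of (permit, src_net, src_care, dst_net, dst_care)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue                            # only the 'ip' form is modelled
        src, src_care, i = _parse_addr(t, 4)
        dst, dst_care, _ = _parse_addr(t, i)
        rules.append((t[2] == "permit", src, src_care, dst, dst_care))
    return rules

def acl_permits(rules, src_ip, dst_ip):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for permit, src, src_care, dst, dst_care in rules:
        if (s & src_care) == src and (d & dst_care) == dst:
            return permit
    return False

if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    for dst in ("192.168.5.10", "203.0.113.7"):
        print("192.168.1.125 ->", dst, "permit" if acl_permits(rules, "192.168.1.125", dst) else "deny")
    # A different DHCP lease on the same port matches no permit entry at all
    print("192.168.1.200 -> 192.168.5.10", "permit" if acl_permits(rules, "192.168.1.200", "192.168.5.10") else "deny")
```

The last case shows that the permit entry is keyed to the host's address, so the port-level ACL only behaves as intended while the workstation keeps the lease used in the permit line.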




Gargoyle
(MM club member)
2007-11-21 04:30 PM
Re: Block all Internet Access

That is another way. I don't work on the LAN side too much anymore, so I tend to forget that you can do it at the local switch as well. Now, as long as they don't go changing their ports on you, you will be fine. :)