I work for a county government. As part of building a new courthouse, I am
tasked with providing attorneys in courtrooms with Internet access through
my network. Of course, I would like to provide them access to what they
need while blocking access to our internal network.
My network is set up in

Not sure I understand how you are running your network, but if you deny the
lawyers' VLAN from accessing the other VLANs in your network, you should be
all set. That way you only have one deny statement to add to each VLAN. I
think what's throwing me is the 300 line access-list statement.

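An added illustration of the "one deny per VLAN" idea described above; this is not from any poster on the thread. It assumes a Cisco IOS layer-3 switch, that the attorneys sit on VLAN 50 (192.168.50.0/24), and that every county floor subnet falls inside the RFC 1918 ranges; all addresses and VLAN numbers are made up for the example.

```cisco
! Filter applied inbound on the attorneys' SVI only, so there is one list,
! not one entry per internal /24 (addresses are constructed for this example)
ip access-list extended LAWYERS-IN
 remark Let clients obtain an address and resolve names via this VLAN's gateway
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq domain
 remark Summary denies cover every internal subnet; log hits for review
 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 192.168.50.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark Anything left is the Internet
 permit ip 192.168.50.0 0.0.0.255 any
!
interface Vlan50
 description Courtroom attorney access
 ip address 192.168.50.1 255.255.255.0
 ip access-group LAWYERS-IN in
```

Because the list matches on destination rather than on the path the packet takes, it still blocks internal targets even when the traffic has to cross VLAN 1 to reach the Internet. Check with `show ip access-lists LAWYERS-IN` that the deny counters stay at zero under normal use; a rising count points at a misconfigured client or a probe worth looking at.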
First, the 300 line access-list was a bit of an exaggeration, more to make
the point that I don't want an ungodly long access-list.
Well, basically every floor in each building has its own /24 subnet.
Unfortunately the real problem is that to get to the Internet, traffic must
traverse VLAN 1, which

I guess policy routing is what I'd recommend, or put a firewall in front of
the servers and set up the appropriate controls. Policy routing is what
that type of application was intended for, so you are along the right track,
although it's far from secure. If security isn't an issue, then check

Robert,
Have the VLAN for these users route to a DMZ interface on your PIX
rather than the layer 3 switch. Set the security level of that
interface to 1 (just higher than the outside).
If you don't specify an ACL on that PIX interface, you should be able to
use PIX security levels to

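An added example of the security-level approach from the message above, written in PIX 6.x syntax; it is not the poster's configuration. It assumes a spare interface (ethernet2) for the attorneys' segment and that `inside` is at the default level 100 and `outside` at 0; the interface name and addresses are made up.

```cisco
: Lines starting with ':' are comments in a PIX configuration file
: Attorney segment at security level 1: above outside (0), below inside (100)
nameif ethernet2 lawyers security1
ip address lawyers 192.168.50.1 255.255.255.0
: PAT the segment behind the outside address so it can reach the Internet
nat (lawyers) 1 192.168.50.0 255.255.255.0 0 0
global (outside) 1 interface
```

With no access-list bound to `lawyers`, the PIX default applies: sessions may start from a higher-security interface toward a lower one, so lawyers to outside works through the translation, while lawyers to inside (1 toward 100) is dropped because nothing permits it. Confirm the behaviour with `show conn` from a test client: connections to Internet hosts appear, attempts toward inside addresses do not.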
This seems like an application for wireless. Wireless might be more
convenient for the lawyers. Of course, it would have its own issues.
It would depend on your building, but perhaps you could connect the wireless
access point to a VLAN other than the VLAN that your servers are on, or
possibly to