Public Internet Access [7:55898]

2002-10-18 Thread Robert Edmonds
I work for a county government. As part of building a new courthouse, I am tasked with providing attorneys in courtrooms with Internet access through my network. Of course, I would like to provide them access to what they need while blocking access to our internal network. My network is set up in

Re: Public Internet Access [7:55898]

2002-10-18 Thread Steven A. Ridder
Not sure I understand how you are running your network, but if you deny the lawyers' VLAN from accessing the other VLANs in your network, you should be all set. That way you only have one deny statement to add to each VLAN. I think what's throwing me is the 300 line access-list statement.

Re: Public Internet Access [7:55898]

2002-10-18 Thread Robert Edmonds
First, the 300 line access-list was a bit of an exaggeration, more to make the point that I don't want an ungodly long access-list. Well, basically every floor in each building has its own /24 subnet. Unfortunately the real problem is that to get to the Internet, traffic must traverse VLAN 1, which

Re: Public Internet Access [7:55898]

2002-10-18 Thread Steven A. Ridder
I guess policy routing is what I'd recommend, or put a firewall in front of the servers and set up the appropriate controls. Policy routing is what that type of application was intended for, so you are along the right track, although it's far from secure. If security isn't an issue, then check

Re: Public Internet Access [7:55898]

2002-10-18 Thread Shawn Heisey
Robert, Have the VLAN for these users route to a DMZ interface on your PIX rather than the layer 3 switch. Set the security level of that interface to 1 (just higher than the outside). If you don't specify an ACL on that PIX interface, you should be able to use PIX security levels to

Re: Public Internet Access [7:55898]

2002-10-18 Thread Priscilla Oppenheimer
This seems like an application for wireless. Wireless might be more convenient for the lawyers. Of course, it would have its own issues. It would depend on your building, but perhaps you could connect the wireless access point to a VLAN other than the VLAN that your servers are on, or possibly to