echo: nthelp
to: Chris
from: Adam Flinton
date: 2005-03-29 01:11:58
subject: Re: restrict users' internet access


Chris wrote:
> Having managed a network behind a Pix 515 and a Pix 515e, I do know what
> you are talking about.  There is an easy solution to the internet
> access, IF you want to block ALL internet access for those users.  Let
> me explain, with the following assumptions:
>
> 1) You are using private IP addressing
> 2) Your managers are using a different IP subnet than the users who
> should not have "unrestricted" access.
>
> Here is how I might try it (based on the assumptions and information I
> have):
>
> Management all uses addresses in the 192.168.1.0/24 subnet (253 possible
> addresses for use)
> The "Users" (those with restricted internet access) are on
> 10.0.0.0/24.
>
> Have a proxy server at 192.168.1.2.
> On the firewall, enable the filters (called Access Control Lists, or
> ACLs) to PERMIT unrestricted access on the internal port I to the
> external port E from the source address range of 192.168.1.0/24
> (255.255.255.0).
> Add ACL rules to the firewall that DENY any internet access from the IP
> range 10.0.0.0/24 (255.255.255.0).  Force their browsers to look to the
> proxy on 192.168.1.2 for internet access.  IF there is a specific site
> that you don't mind them going to and you know the IP address, you CAN
> create rules to permit that traffic as well, but a proxy server sounds
> like a better solution for a large number of users, otherwise you will
> be forever editing those ACLs.
>
> Does this help?  If you want more info, please email me at
> NOchris{at}SPk7sle.AMcom.  Take out the capital letters from the email
> address.
>
> /Chris


Or set the dhcp to give untrusted macs an address but no gateway.

Adam
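An added example, not code from this thread and not PIX syntax: a small first-match ACL evaluator in Python modelling the rules Chris describes, used to verify that managers on 192.168.1.0/24 get out, users on 10.0.0.0/24 do not, and users can still reach the proxy at 192.168.1.2. It assumes the firewall sits in the path between the user subnet and the proxy; the names `Rule`, `INSIDE_ACL`, `evaluate` and `check_policy` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical first-match ACL model; not Cisco PIX configuration syntax.

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

ANY = ipaddress.ip_network("0.0.0.0/0")
MGMT = ipaddress.ip_network("192.168.1.0/24")   # managers, unrestricted
USERS = ipaddress.ip_network("10.0.0.0/24")     # restricted users
PROXY = ipaddress.ip_network("192.168.1.2/32")  # proxy named in the thread

# Ordered like an interface ACL: the first matching rule wins and the
# implicit final rule is deny. The users->proxy permit must come BEFORE
# the users->any deny, or the proxy becomes unreachable (assumes the
# firewall is in the path between the user subnet and the proxy).
INSIDE_ACL = [
    Rule("permit", USERS, PROXY),
    Rule("deny", USERS, ANY),
    Rule("permit", MGMT, ANY),
]

def evaluate(acl, src, dst):
    """Return the action of the first matching rule, or 'deny' by default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "deny"   # implicit deny at the end of every ACL

def check_policy(acl):
    """Constructed flows a defender would verify before deploying the ACL."""
    return {
        "manager_to_internet": evaluate(acl, "192.168.1.10", "198.51.100.7"),
        "user_to_internet":    evaluate(acl, "10.0.0.25", "198.51.100.7"),
        "user_to_proxy":       evaluate(acl, "10.0.0.25", "192.168.1.2"),
    }

if __name__ == "__main__":
    for flow, action in check_policy(INSIDE_ACL).items():
        print(f"{flow:22s} -> {action}")
    # Same rules with the permit placed after the deny: the proxy is now blocked.
    misordered = [INSIDE_ACL[1], INSIDE_ACL[0], INSIDE_ACL[2]]
    print("user_to_proxy (misordered) ->", evaluate(misordered, "10.0.0.25", "192.168.1.2"))
```

Note that the broad `deny USERS -> ANY` also blocks users from every other 192.168.1.x host, so any other internal service they need (DNS, mail) needs its own permit ahead of the deny, which is the ACL-maintenance cost Chris is pointing at.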

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
