access list doesn't look like it is working

Jul 20th, 2007

I am trying to block AOL internet radio. With a sniffer tool, it shows that the outside IPs are still being accessed. Also, when I do a show access-list, it does not show anything on the hit counts.


access list


access-list dmz-2_in; 7 elements
access-list dmz-2_in permit ip host 10.10.220.21 host 172.16.8.103 (hitcnt=32970)
access-list dmz-2_in permit tcp host 10.10.220.22 host 172.16.8.104 eq smtp (hitcnt=13257)
access-list dmz-2_in deny ip any 192.168.1.0 255.255.255.0 (hitcnt=1854)
access-list dmz-2_in permit ip any any (hitcnt=1137348)
access-list dmz-2_in permit tcp any host 172.16.8.71 eq 2844 (hitcnt=0)
access-list dmz-2_in permit tcp any host 172.16.8.71 eq 2845 (hitcnt=0)
access-list dmz-2_in deny ip any 172.16.8.0 255.255.248.0 (hitcnt=0)

access-list labdmz-in; 1 elements
access-list labdmz-in permit ip any 192.168.100.0 255.255.255.0 (hitcnt=0)

access-list in; 1 elements
access-list in permit ip any any (hitcnt=0)

access-list inside; 4 elements
access-list inside deny ip any host 211.234.104.232 (hitcnt=0)
access-list inside permit ip any any (hitcnt=2696140)
access-list inside deny ip any host 219.150.167.162 (hitcnt=0)
access-list inside deny ip any 64.236.98.0 255.255.255.0 (hitcnt=0)

access-list barracuda; 4 elements
access-list barracuda permit tcp any eq smtp any (hitcnt=0)
access-list barracuda permit icmp any any (hitcnt=3760)
access-list barracuda permit ip host 192.168.1.15 any (hitcnt=532201)
access-list barracuda deny ip any any (hitcnt=0)

access-list inside1; 4 elements
access-list inside1 deny ip any host 211.234.104.232 (hitcnt=0)
access-list inside1 deny ip any host 219.150.167.162 (hitcnt=0)
access-list inside1 deny ip any 64.236.98.0 255.255.255.0 (hitcnt=8)
access-list inside1 permit ip any any (hitcnt=46235)

FireWall#



I am trying to block the following internal user from accessing the AOL radio public IPs 64.236.98.1 255.255.255.0.



If anyone has any other suggestions, please let me know.

Thank you


froggy3132000 Fri, 07/20/2007 - 09:38

Please post output of 'sh run access-group'

Jon Marshall Fri, 07/20/2007 - 09:42

Hi


Which access-list is applied to your inside interface: inside or inside1?


If it is inside it won't work as you have a "permit ip any any" before your deny. You need to use inside1.


HTH


Jon

planetnoc Fri, 07/20/2007 - 09:57

shirwaziri1,


If you look at your access list, I believe that you are using access-list inside. Now look at the statements:

access-list inside deny ip any host 211.234.104.232 (hitcnt=0)

access-list inside permit ip any any (hitcnt=2696140)

access-list inside deny ip any host 219.150.167.162 (hitcnt=0)

access-list inside deny ip any 64.236.98.0 255.255.255.0 (hitcnt=0)

Cisco access lists go in order. First you deny 211.234.104.232 and then you permit all IP traffic (look at the count). That is why you are not blocking 64.236.98.0/24.

If you recreate the access-list with permit ip any any at the end, it will work.

Good luck.

sundar.palaniappan Fri, 07/20/2007 - 12:16

Yes, access list order is the problem here. Move the 'permit ip any any' entry to the end, as below.


access-list inside deny ip any host 211.234.104.232

access-list inside deny ip any host 219.150.167.162

access-list inside deny ip any 64.236.98.0 255.255.255.0

access-list inside permit ip any any


HTH


Sundar
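As an added illustration (not from the thread or Cisco), a small Python first-match evaluator over the two orderings of the "inside" list shows why the deny on line 4 of the posted list never receives a hit while the same deny on line 3 of the reordered list does. It models only action, protocol and source/destination addresses (no ports), and the inside source address 192.168.1.50 is a constructed sample.

```python
import ipaddress

# Constructed sample: the "inside" list as posted (permit-any-any on line 2)
# and the same entries reordered as Sundar suggests (permit-any-any last).
ACL_AS_POSTED = """
access-list inside deny ip any host 211.234.104.232
access-list inside permit ip any any
access-list inside deny ip any host 219.150.167.162
access-list inside deny ip any 64.236.98.0 255.255.255.0
"""
ACL_REORDERED = """
access-list inside deny ip any host 211.234.104.232
access-list inside deny ip any host 219.150.167.162
access-list inside deny ip any 64.236.98.0 255.255.255.0
access-list inside permit ip any any
"""


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text):
    """Return (action, proto, src_net, dst_net) tuples in configured order.
    Port qualifiers such as 'eq smtp' are ignored by this simplified model."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces, src, dst, proto="ip"):
    """First match wins, as on the PIX: returns (action, 1-based line number).
    A packet matching nothing hits the implicit deny, reported as line 0."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, snet, dnet) in enumerate(aces):
        if p in ("ip", proto) and s in snet and d in dnet:
            return action, i + 1
    return "deny", 0


if __name__ == "__main__":
    for name, text in (("as posted", ACL_AS_POSTED), ("reordered", ACL_REORDERED)):
        print(name, evaluate(parse_acl(text), "192.168.1.50", "64.236.98.1"))
```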

shirwaziri1_2 Fri, 07/20/2007 - 12:22

I apologize, the access-group is for inside1. The access list is working. But if I want to add any future access-lists, how do I apply it so it will be in front of "access-list inside1 permit ip any any"?


access-list line 26 ......... (does not work)

planetnoc Fri, 07/20/2007 - 13:30

An access-list can only be taken out as a whole thing. So if you issue:

no access-list inside1

it will remove the whole access-list.

The simple solution is to copy the old one to the clipboard, rearrange it and then put it back in:


access-list inside1 deny ip host 192.168.0.x host 192.168.10.x
access-list inside1 deny ip 192.169.0.x 255.255.255.0 any
access-list inside1 permit ip any any


no access-list inside1


and paste in the good one:


access-list inside1 deny ip host 192.168.0.x host 192.168.10.x
access-list inside1 deny ip 192.169.0.x 255.255.255.0 any
access-list inside1 deny ip 210.20.2.2 255.255.255.0 any
access-list inside1 permit ip any any



l.jankok Sat, 07/21/2007 - 03:11

Line 2 of access-list inside masks all other lines. You need to put what you now have on line 2 after you have issued all your deny statements.

