access list doesn't look like it is working

Unanswered Question
Jul 20th, 2007

I am trying to block AOL Internet radio. With a sniffer tool, it shows that the outside IPs are still being accessed. Also, when I do a show access-list it does not show anything on the hit counts.

access list

access-list dmz-2_in; 7 elements

access-list dmz-2_in permit ip host 10.10.220.21 host 172.16.8.103 (hitcnt=32970)

access-list dmz-2_in permit tcp host 10.10.220.22 host 172.16.8.104 eq smtp (hitcnt=13257)

access-list dmz-2_in deny ip any 192.168.1.0 255.255.255.0 (hitcnt=1854)

access-list dmz-2_in permit ip any any (hitcnt=1137348)

access-list dmz-2_in permit tcp any host 172.16.8.71 eq 2844 (hitcnt=0)

access-list dmz-2_in permit tcp any host 172.16.8.71 eq 2845 (hitcnt=0)

access-list dmz-2_in deny ip any 172.16.8.0 255.255.248.0 (hitcnt=0)

access-list labdmz-in; 1 elements

access-list labdmz-in permit ip any 192.168.100.0 255.255.255.0 (hitcnt=0)

access-list in; 1 elements

access-list in permit ip any any (hitcnt=0)

access-list inside; 4 elements

access-list inside deny ip any host 211.234.104.232 (hitcnt=0)

access-list inside permit ip any any (hitcnt=2696140)

access-list inside deny ip any host 219.150.167.162 (hitcnt=0)

access-list inside deny ip any 64.236.98.0 255.255.255.0 (hitcnt=0)

access-list barracuda; 4 elements

access-list barracuda permit tcp any eq smtp any (hitcnt=0)

access-list barracuda permit icmp any any (hitcnt=3760)

access-list barracuda permit ip host 192.168.1.15 any (hitcnt=532201)

access-list barracuda deny ip any any (hitcnt=0)

access-list inside1; 4 elements

access-list inside1 deny ip any host 211.234.104.232 (hitcnt=0)

access-list inside1 deny ip any host 219.150.167.162 (hitcnt=0)

access-list inside1 deny ip any 64.236.98.0 255.255.255.0 (hitcnt=8)

access-list inside1 permit ip any any (hitcnt=46235)

FireWall#

I am trying to block the following internal user from accessing AOL radio public IPs 64.236.98.1 255.255.255.0

If anyone has any other suggestions, please let me know

Thank you

Jon Marshall Fri, 07/20/2007 - 09:42

Hi

Which access-list is applied to your inside interface?

inside

or

inside1.

If it is inside it won't work as you have a "permit ip any any" before your deny. You need to use inside1.

HTH

Jon

planetnoc Fri, 07/20/2007 - 09:57

shirwaziri1,

If you look at your access list I believe that you are using access-list inside. Now look at the statements:

access-list inside deny ip any host 211.234.104.232 (hitcnt=0)

access-list inside permit ip any any (hitcnt=2696140)

access-list inside deny ip any host 219.150.167.162 (hitcnt=0)

access-list inside deny ip any 64.236.98.0 255.255.255.0 (hitcnt=0)

Cisco access lists go in order. First you deny 211.234.104.232 and then you permit all IP traffic (look at the count). That is why you are not blocking the 64.236.98.0/24.

If you recreate the access-list with permit ip any any at the end, it will work.

Good luck.

sundar.palaniappan Fri, 07/20/2007 - 12:16

Yes, access list order is the problem here. Move the 'permit ip any any' entry to the end as below.

access-list inside deny ip any host 211.234.104.232

access-list inside deny ip any host 219.150.167.162

access-list inside deny ip any 64.236.98.0 255.255.255.0

access-list inside permit ip any any

HTH

Sundar
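As an added example (not code from this thread or from Cisco): a small first-match evaluator in Python, run over the "inside" list exactly as posted in the question and over the reordered version from the replies above, showing why the deny for 64.236.98.0/24 can never get a hit while "permit ip any any" sits above it. The client address 192.168.1.50 and destination 64.236.98.5 are constructed test values.

```python
import ipaddress

# Constructed example: evaluates PIX-style "access-list NAME permit|deny PROTO SRC DST"
# entries top to bottom and stops at the first match, which is how the firewall
# processes them. Port qualifiers such as "eq smtp" are not modelled here.

def parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_entry(line):
    t = line.split()                      # access-list NAME ACTION PROTO SRC DST
    src, i = parse_addr(t, 4)
    dst, _ = parse_addr(t, i)
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst}

def evaluate(acl_lines, proto, src_ip, dst_ip):
    """Return (action, matching line) for the first entry that matches the flow,
    or ("deny", None) for the implicit deny at the end of every access-list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        e = parse_entry(line)
        if e["proto"] not in ("ip", proto):
            continue
        if s in e["src"] and d in e["dst"]:
            return e["action"], line
    return "deny", None

# The "inside" list as posted: the permit sits above two of the denies.
INSIDE_AS_POSTED = [
    "access-list inside deny ip any host 211.234.104.232",
    "access-list inside permit ip any any",
    "access-list inside deny ip any host 219.150.167.162",
    "access-list inside deny ip any 64.236.98.0 255.255.255.0",
]
# The same entries with "permit ip any any" moved to the end.
INSIDE_REORDERED = INSIDE_AS_POSTED[:1] + INSIDE_AS_POSTED[2:] + INSIDE_AS_POSTED[1:2]

if __name__ == "__main__":
    flow = ("tcp", "192.168.1.50", "64.236.98.5")   # constructed: inside host -> AOL radio range
    for label, acl in (("as posted", INSIDE_AS_POSTED), ("reordered", INSIDE_REORDERED)):
        action, line = evaluate(acl, *flow)
        print(f"{label:10s}: {action:6s} <- {line}")
```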

shirwaziri1_2 Fri, 07/20/2007 - 12:22

I apologize, the access-group is for inside1. The access list is working. But if I want to add any future access-lists, how do I apply them so they will be in front of "access-list inside1 permit ip any any"?

access-list line 26 ......... (does not work)

planetnoc Fri, 07/20/2007 - 13:30

An access-list can only be taken out as a whole thing. So if you issue:

no access-list inside1, it will remove the whole access-list.

The simple solution is to copy the old one to the clipboard, rearrange it and then put it back in:

access-list inside1 deny host 192.168.0.x host 192.168.10.x

access-list inside1 deny 192.169.0.x 255.255.255.0

access-list inside1 permit any any

no access-list inside1

and paste in the good one:

access-list inside1 deny host 192.168.0.x host 192.168.10.x

access-list inside1 deny 192.169.0.x 255.255.255.0

access-list inside1 deny 210.20.2.2 255.255.255.0

access-list inside1 permit any any

l.jankok Sat, 07/21/2007 - 03:11

Line 2 of access-list inside masks all other lines. You need to put what you now have on line 2 after you have issued all your deny statements.
