07-20-2007 09:29 AM - edited 03-11-2019 03:47 AM
I am trying to block AOL internet radio. With a sniffer tool, it shows that the outside IPs are still being accessed. Also, when I do a show access-list it does not show anything on the hit counts.
access list
access-list dmz-2_in; 7 elements
access-list dmz-2_in permit ip host 10.10.220.21 host 172.16.8.103 (hitcnt=32970)
access-list dmz-2_in permit tcp host 10.10.220.22 host 172.16.8.104 eq smtp (hitcnt=13257)
access-list dmz-2_in deny ip any 192.168.1.0 255.255.255.0 (hitcnt=1854)
access-list dmz-2_in permit ip any any (hitcnt=1137348)
access-list dmz-2_in permit tcp any host 172.16.8.71 eq 2844 (hitcnt=0)
access-list dmz-2_in permit tcp any host 172.16.8.71 eq 2845 (hitcnt=0)
access-list dmz-2_in deny ip any 172.16.8.0 255.255.248.0 (hitcnt=0)
access-list labdmz-in; 1 elements
access-list labdmz-in permit ip any 192.168.100.0 255.255.255.0 (hitcnt=0)
access-list in; 1 elements
access-list in permit ip any any (hitcnt=0)
access-list inside; 4 elements
access-list inside deny ip any host 211.234.104.232 (hitcnt=0)
access-list inside permit ip any any (hitcnt=2696140)
access-list inside deny ip any host 219.150.167.162 (hitcnt=0)
access-list inside deny ip any 64.236.98.0 255.255.255.0 (hitcnt=0)
access-list barracuda; 4 elements
access-list barracuda permit tcp any eq smtp any (hitcnt=0)
access-list barracuda permit icmp any any (hitcnt=3760)
access-list barracuda permit ip host 192.168.1.15 any (hitcnt=532201)
access-list barracuda deny ip any any (hitcnt=0)
access-list inside1; 4 elements
access-list inside1 deny ip any host 211.234.104.232 (hitcnt=0)
access-list inside1 deny ip any host 219.150.167.162 (hitcnt=0)
access-list inside1 deny ip any 64.236.98.0 255.255.255.0 (hitcnt=8)
access-list inside1 permit ip any any (hitcnt=46235)
FireWall#
I am trying to block the following internal user from accessing AOL radio public IPs 64.236.98.1 255.255.255.0
If anyone has any other suggestions, please let me know.
Thank you
07-20-2007 09:38 AM
Please post output of
'sh run access-group'
07-20-2007 09:42 AM
Hi
Which access-list is applied to your inside interface
inside
or
inside1.
If it is inside it won't work as you have a "permit ip any any" before your deny. You need to use inside1.
HTH
Jon
07-20-2007 09:57 AM
shirwaziri1,
If you look at your access list I believe that you are using access-list inside. Now look at the statements:
access-list inside deny ip any host 211.234.104.232 (hitcnt=0)
access-list inside permit ip any any (hitcnt=2696140)
access-list inside deny ip any host 219.150.167.162 (hitcnt=0)
access-list inside deny ip any 64.236.98.0 255.255.255.0 (hitcnt=0)
Cisco access lists go in order. First you deny 211.234.104.232 and then you permit all IP traffic (look at the count). That is why you are not blocking the 64.236.98.0/24.
If you recreate the access-list with permit IP any any on end, it will work.
Good luck.
07-20-2007 12:16 PM
Yes access list order is the problem here. Move the 'permit ip any any' entry to the last as below.
access-list inside deny ip any host 211.234.104.232
access-list inside deny ip any host 219.150.167.162
access-list inside deny ip any 64.236.98.0 255.255.255.0
access-list inside permit ip any any
HTH
Sundar
07-20-2007 12:22 PM
I apologize, the access-group is for inside1. The access list is working. But, if I want to add any future access-lists, how do I apply it so it will be in front of "access-list inside1 permit ip any any"?
access-list line 26 ......... (does not work)
07-20-2007 01:30 PM
An access-list can only be taken out as a whole thing. So if you issue:
no access-list inside1 it will remove the whole access-list.
The simple solution is to copy the old one to the clipboard, rearrange it and then put it back in:
access-list inside1 deny host 192.168.0.x host 192.168.10.x
access-list inside1 deny 192.169.0.x 255.255.255.0
access-list inside1 permit any any
no access-list inside1
and paste in the good one:
access-list inside1 deny host 192.168.0.x host 192.168.10.x
access-list inside1 deny 192.169.0.x 255.255.255.0
access-list inside1 deny 210.20.2.2 255.255.255.0
access-list inside1 permit any any
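The two points made in this thread, that a PIX access list is evaluated top-down with the first matching entry winning, and that a new deny only takes effect if it lands before the "permit ip any any" entry, can be checked offline with a small simulator. The following Python is an added example written for this page, not code from Cisco or from any poster; it parses the access-list inside entries quoted above in their original (broken) and corrected order, counts hits per entry the way show access-list does, and includes an insert(line_no, ...) helper that mirrors the access-list NAME line N ... positional form found on PIX 6.3 and later. The test flows (the 192.168.1.50 client and the 203.0.113.9 destination) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    """One access-control entry: action, protocol, source and destination network."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches everything; otherwise the L4 protocol name
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hitcnt: int = 0      # incremented on match, like the (hitcnt=N) column


def _parse_addr(tok, i):
    """Read 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # dotted mask form


def parse_ace(text):
    """Parse the body of a PIX ACE, e.g. 'deny ip any 64.236.98.0 255.255.255.0'."""
    tok = text.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    if i < len(tok) and tok[i] == "eq":       # optional source port, ignored here
        i += 2
    dst, i = _parse_addr(tok, i)
    return Ace(action, proto, src, dst)


def _fmt(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


class AccessList:
    def __init__(self, name, entries):
        self.name = name
        self.aces = [parse_ace(e) for e in entries]

    def insert(self, line_no, entry):
        """Place an ACE at a 1-based position, as 'access-list NAME line N ...' does."""
        self.aces.insert(line_no - 1, parse_ace(entry))

    def evaluate(self, proto, src, dst):
        """First-match evaluation; anything unmatched hits the implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.aces:
            if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
                ace.hitcnt += 1
                return ace.action
        return "deny"

    def show(self):
        """Render entries in the style of 'show access-list'."""
        return [f"access-list {self.name} {a.action} {a.proto} "
                f"{_fmt(a.src)} {_fmt(a.dst)} (hitcnt={a.hitcnt})" for a in self.aces]


# The four entries of access-list inside as posted, in the order that failed.
BROKEN = [
    "deny ip any host 211.234.104.232",
    "permit ip any any",
    "deny ip any host 219.150.167.162",
    "deny ip any 64.236.98.0 255.255.255.0",
]
# Same entries with 'permit ip any any' moved to the end.
FIXED = [BROKEN[0], BROKEN[2], BROKEN[3], BROKEN[1]]

# Constructed flows: an inside client reaching the AOL radio range, and one
# reaching the internal SMTP host from the dmz-2_in list.
FLOWS = [("tcp", "192.168.1.50", "64.236.98.1"),
         ("tcp", "192.168.1.50", "172.16.8.104")]


def run(entries, flows=FLOWS):
    """Evaluate every flow against a fresh list; return (decisions, list)."""
    acl = AccessList("inside", entries)
    return [acl.evaluate(*f) for f in flows], acl


if __name__ == "__main__":
    for label, entries in (("as posted", BROKEN), ("reordered", FIXED)):
        decisions, acl = run(entries)
        print(f"--- {label}: {decisions}")
        print("\n".join(acl.show()))
```

With the posted order the radio flow is permitted and the 64.236.98.0/24 deny stays at hitcnt=0, exactly what the original show access-list output shows; reordered, the same flow is denied while SMTP still passes. insert(4, ...) on the corrected list lands a new deny ahead of the permit and is honoured; insert(5, ...) lands behind it and is never reached.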
07-21-2007 03:11 AM
Line 2 of access-list inside masks all other lines. You need to put what you now have on line 2 after you have issued all your deny statements.