We have someone at a remote facility who keeps attaching his Mac to the network and it spews out several gigs of data some mornings to Mac.com.
I wanted to review if what I was doing would more or less work, though it may not be very elegant.
Basically I assign him a static DHCP lease and then I do the following:
On our ASA5520 that firewalls all internet traffic I made the following entry:
access-list inside_acl extended deny ip host 192.168.133.44 any
Also, for kicks I did the following on their MPLS router's fast ethernet interface that connects to the switch:
ip access-list extended blockmac
deny ip host 192.168.133.44 any
permit ip any any
ip access-group blockmac out
I don't see any hits when I do a "show access-list" for that ACL, though, so it makes me wonder.
Thank you for any help.
I'm assuming that the ASA does NAT so your internet router should never see the private address. The ACL looks OK for the ASA, you just have to make sure it's high enough to actually take effect. Remember that ACLs are read from the top down so if you allow HTTP above that deny rule, he will still be able to do HTTP!
HTH and please rate.
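To make the top-down ordering point in the reply concrete, here is an added Python illustration (not part of the thread and not Cisco tooling) that models first-match ACL evaluation with the implicit deny at the end; the rule sets and the destination address 198.51.100.10 are constructed for the example.

```python
"""First-match ACL evaluator (added illustration, not Cisco code).

Models how ASA/IOS extended ACLs are processed: entries are checked
top-down, the first match decides, and an unmatched packet hits the
implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None means any destination port


def _net(spec: str):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    for spec, addr in ((ace.src, src), (ace.dst, dst)):
        net = _net(spec)
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    return True


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"  # implicit deny at the end of every Cisco ACL


MAC_HOST = "192.168.133.44"
MAC_COM = "198.51.100.10"  # constructed placeholder, not a real Mac.com address

# Order the reply warns against: a broad permit for HTTP sits above the host deny.
WRONG_ORDER = [
    Ace("permit", "tcp", "any", "any", 80),
    Ace("deny", "ip", MAC_HOST + "/32", "any"),
    Ace("permit", "ip", "192.168.133.0/24", "any"),
]
# Corrected: the host-specific deny is evaluated first.
RIGHT_ORDER = [WRONG_ORDER[1], WRONG_ORDER[0], WRONG_ORDER[2]]


def mac_http_allowed(acl: List[Ace]) -> bool:
    return evaluate(acl, "tcp", MAC_HOST, MAC_COM, 80) == "permit"
```

Running `mac_http_allowed(WRONG_ORDER)` returns True while `mac_http_allowed(RIGHT_ORDER)` returns False, which is exactly the effect of moving the deny above the HTTP permit.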