ACL help: Reducing an IP's access to nothing

Jan 3rd, 2008

We have someone at a remote facility who keeps attaching his Mac to the network and it spews out several gigs of data some mornings to Mac.com.


I wanted to review if what I was doing would more or less work, though it may not be very elegant.


Basically I assign him a static DHCP lease and then I do the following:


On our ASA5520 that firewalls all internet traffic I made the following entry:


access-list inside_acl extended deny ip host 192.168.133.44 any



Also, for kicks I did the following on their MPLS router's fast ethernet interface that connects to the switch:


ip access-list extended blockmac
 deny ip host 192.168.133.44 any
 permit ip any any

interface FastEthernet0/0
 ip access-group blockmac out

I don't see any hits when I do a "show access-list" for that ACL, though, so it makes me wonder.


Thank you for any help.



Correct Answer by Collin Clark, Fri, 01/04/2008 - 06:27

I'm assuming that the ASA does NAT so your internet router should never see the private address. The ACL looks OK for the ASA, you just have to make sure it's high enough to actually take effect. Remember that ACLs are read from the top down so if you allow HTTP above that deny rule, he will still be able to do HTTP!


HTH and please rate.
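The ordering point in the answer can be checked without a lab. The following is an added example, not code from the original thread or from Cisco: a small Python model of an ASA-style extended ACL that parses entries in the same "access-list NAME extended ACTION PROTO SRC DST [eq PORT]" form used in the question, evaluates a flow top-down with first-match-wins and the implicit deny at the end, and keeps a per-entry hit counter like "show access-list". The two ACLs and the public destination address 203.0.113.10 are constructed for the illustration; the host address 192.168.133.44 and the ACL name inside_acl are the ones from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    """One ASA/IOS extended ACL entry (only the fields this model needs)."""
    action: str                  # "permit" or "deny"
    protocol: str                # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    hits: int = 0                # incremented on match, like "show access-list"


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # ASA uses an ordinary subnet mask here (IOS wildcard masks are not modelled)
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse ASA-style 'access-list NAME extended ...' lines, keeping their order."""
    entries: List[AclEntry] = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list" or "extended" not in t:
            continue
        i = t.index("extended") + 1
        action, proto = t[i], t[i + 1]
        src, i = _parse_addr(t, i + 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str, proto: str, dport: int):
    """Top-down, first match wins; returns (action, 1-based line) or ('deny', None) for the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, e in enumerate(acl, start=1):
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        e.hits += 1
        return e.action, n
    return "deny", None


# Constructed ACL: the host deny from the post sits BELOW a broad HTTP permit
ACL_DENY_BELOW = [
    "access-list inside_acl extended permit tcp any any eq 80",
    "access-list inside_acl extended deny ip host 192.168.133.44 any",
    "access-list inside_acl extended permit ip any any",
]

# Same entries with the host deny moved to the top
ACL_DENY_TOP = [
    "access-list inside_acl extended deny ip host 192.168.133.44 any",
    "access-list inside_acl extended permit tcp any any eq 80",
    "access-list inside_acl extended permit ip any any",
]


def check_ordering():
    """HTTP from the Mac to a constructed public address under both orderings."""
    below = parse_acl(ACL_DENY_BELOW)
    top = parse_acl(ACL_DENY_TOP)
    r_below = evaluate(below, "192.168.133.44", "203.0.113.10", "tcp", 80)
    r_top = evaluate(top, "192.168.133.44", "203.0.113.10", "tcp", 80)
    return r_below, r_top


if __name__ == "__main__":
    print(check_ordering())  # deny below the permit: ('permit', 1); deny on top: ('deny', 1)
```

With the deny below the HTTP permit, the Mac's web traffic matches line 1 and the deny entry never accumulates a hit, which is exactly the symptom of a zero hit count; move the deny to the top and the same flow is denied on line 1 while other hosts still match the permits below it.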
