ACL help: Reducing an IPs access to nothing

jimgrumbles
Level 1

We have someone at a remote facility who keeps attaching his Mac to the network and it spews out several gigs of data some mornings to Mac.com.

I wanted to review if what I was doing would more or less work, though it may not be very elegant.

Basically I assign him a static DHCP lease and then I do the following:

On our ASA5520 that firewalls all internet traffic I made the following entry:

access-list inside_acl extended deny ip host 192.168.133.44 any

Also, for kicks, I did the following on their MPLS router's FastEthernet interface that connects to the switch:

ip access-list extended blockmac
 deny ip host 192.168.133.44 any
 permit ip any any
!
interface FastEthernet0/0
 ip access-group blockmac out

I don't see any hits when I do a "show access-list" for that ACL, though, so it makes me wonder.

Thank you for any help.

Accepted Solution

Collin Clark
VIP Alumni

I'm assuming that the ASA does NAT so your internet router should never see the private address. The ACL looks OK for the ASA, you just have to make sure it's high enough to actually take effect. Remember that ACLs are read from the top down so if you allow HTTP above that deny rule, he will still be able to do HTTP!

HTH and please rate.

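A worked version of both configurations, added here as an editor's example and not taken from either post in the thread. It assumes inside_acl is bound inbound on the ASA's "inside" interface (the original post does not show the access-group line) and that the Mac sits on the switch hanging off FastEthernet0/0, so its packets enter the MPLS router inbound on that interface. The second half also shows why the router ACL never records a hit: an ACL applied "out" on the switch-facing interface only sees traffic leaving the router toward the switch, where 192.168.133.44 is the destination rather than the source.

```cisco
! ASA 5520: the ASA walks an ACL top-down and stops at the first match,
! so the deny has to sit above any permit (HTTP, "permit ip any any", ...)
! that would otherwise match this host. "line 1" pins it to the top.
access-list inside_acl line 1 extended deny ip host 192.168.133.44 any
! Assumption: inside_acl is applied inbound on the inside interface.
access-group inside_acl in interface inside
!
! Verify: hitcnt on that ACE should climb while the Mac is sending.
show access-list inside_acl

! MPLS router (IOS): traffic sourced by the Mac arrives INBOUND on the
! interface that faces the switch. Applied "out" on FastEthernet0/0 the ACL
! only inspects packets heading back toward the switch, where the Mac is
! the destination, so "deny ip host 192.168.133.44 any" never matches and
! the counters stay at zero. Apply it "in" instead.
ip access-list extended blockmac
 deny ip host 192.168.133.44 any
 permit ip any any
!
interface FastEthernet0/0
 no ip access-group blockmac out
 ip access-group blockmac in
!
! Verify: per-entry match counters appear once real traffic hits the ACL.
show ip access-lists blockmac
```

One caveat worth keeping in mind: both filters key on an IP address that a static DHCP lease hands out by MAC address, so a user who changes the MAC or sets a static IP on the Mac walks around them. If the block needs to hold against a determined user, filter at the switch port the machine plugs into (a port ACL or simply shutting the port) rather than relying on the address alone.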

