07-17-2008 07:40 PM - edited 03-11-2019 06:16 AM
Here's an easy one for all you veterans. I'm new to firewalling and had an outbound access-list problem. If I wanted to block one of my workstations on the inside with ip 192.168.x.x address from reaching a specific external host (like a website) what would my syntax look like?
So far I have tried this:
access-list acl_out extended deny tcp host 192.168.x.x host x.x.x.x interface outside eq www
access-group acl_out out interface outside
I do these commands but then it just blocks everything on the inside from reaching the net. Can you help?
07-17-2008 07:50 PM
remove the above ACLs
do it as follows
access-list 100 deny tcp host 192.168.x.x host x.x.x.x eq www
access-list 100 permit ip any any
access-group 100 in interface inside
this is based on ip address
and if you want to block it for a specific website by name, not ip, u have to use class-map, policy map with regex, a bit more complex
but for the ip based blocking do as i told u
and u got denied because there is an implicit deny after each acl, so u need to put the permit any any at the end
don't forget: always when u block, make the blocking as close to the source as possible, so apply the ACL on the inside interface in the inbound direction
good luck
Rate if helpful
07-17-2008 08:40 PM
Hi,
Try this :-
access-list acl_out deny tcp host 192.168.x.x host x.x.x.x eq www
access-group acl_out in interface inside
** Also make sure that this ACL is above the other ACL statements which are allowing the entire subnet to go to Outside.
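Added example (not part of the original thread and not Cisco code): a simplified Python model of first-match ACL evaluation, showing why a deny-only list drops all other traffic, why the trailing permit fixes it, and why the deny has to sit above the broad permit. The addresses are constructed stand-ins for 192.168.x.x and x.x.x.x, and the parser handles only the `host`/`any`/`eq` forms used in this thread.

```python
import ipaddress

PORTS = {"www": 80}  # the only named port this sketch understands

def parse_ace(line):
    """Parse 'access-list ID [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    tok = [t for t in line.split()[2:] if t != "extended"]
    action, proto, i = tok[0], tok[1], 2
    nets = []
    for _ in range(2):  # source, then destination
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32")); i += 2
        else:
            raise ValueError("unsupported address form: " + tok[i])
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, nets[0], nets[1], port

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, sn, dn, port = parse_ace(line)
        if p in ("ip", proto) and s in sn and d in dn and port in (None, dport):
            return action
    return "implicit-deny"

# Constructed sample addresses standing in for 192.168.x.x and x.x.x.x
DENY_ONLY = ["access-list 100 deny tcp host 192.168.1.50 host 203.0.113.10 eq www"]
FIXED = DENY_ONLY + ["access-list 100 permit ip any any"]
WRONG_ORDER = list(reversed(FIXED))  # permit placed above the deny

BLOCKED = ("tcp", "192.168.1.50", "203.0.113.10", 80)
OTHER = ("tcp", "192.168.1.77", "198.51.100.5", 443)

if __name__ == "__main__":
    for name, acl in [("deny only", DENY_ONLY), ("fixed", FIXED), ("wrong order", WRONG_ORDER)]:
        print(name, evaluate(acl, *BLOCKED), evaluate(acl, *OTHER))
```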
07-18-2008 07:46 AM
did u get it to work?
07-18-2008 08:36 AM
I have not been able to try it out yet, I will perform the change after business hours tonight and try to respond afterwards. Thank you all for your suggestions!
07-20-2008 11:52 AM
Well it would appear that your thoughtful comments have paid off. I understand what was wrong. The acl you provided worked great and everything is up and running. Thanks again!
07-20-2008 03:51 PM
I am glad it's working :)
please, rate the helpful post