ACL Help

Unanswered Question
Nov 14th, 2008

I have a request from an IT manager and I'm trying to determine if I can accomplish this with an ACL. Essentially, he has a static block of IPs (10-20) on a shop floor where he does NOT want them to have Internet access, but still requires WAN access for internal Outlook and Intranet access. I've been playing around with 1-2 variations but I don't seem to be having success. Any suggestions?



rais Fri, 11/14/2008 - 12:04

You can permit the static block for WAN/Intranet IPs and deny any.


Giuseppe Larosa Fri, 11/14/2008 - 12:05

Hello Dan,

The ACL should use logic like this:

permit block-ip server1
permit block-ip server2
permit block-ip intranet-block
! deny access to internet
deny block-ip any
! to allow internet access to other addresses
permit any any

This extended ACL should be applied inbound on the router that is the default gateway.

The range of IP addresses may need to be represented by multiple ACL lines.

We sometimes use this method to avoid internet access to specific hosts.

Hope to help
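
Added example, not part of the original thread: a Python sketch that splits a shop-floor address range into the aligned blocks an ACL line can match, renders IOS-style extended ACL lines in the order the reply describes, and checks the first-match outcome. The address range, the internal destination block and the ACL name are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread).
SHOP_FIRST, SHOP_LAST = "192.168.10.10", "192.168.10.20"   # shop-floor static block
INTERNAL = ["10.0.0.0/8"]                                  # mail server / intranet destinations
ANY = ipaddress.ip_network("0.0.0.0/0")

def shop_blocks(first, last):
    """Split an arbitrary address range into the aligned blocks an ACL line can match."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def build_rules(first, last, internal):
    """Order follows the reply: permit internal, deny the block to any, permit the rest."""
    blocks = shop_blocks(first, last)
    rules = [("permit", s, ipaddress.ip_network(d)) for d in internal for s in blocks]
    rules += [("deny", s, ANY) for s in blocks]
    rules.append(("permit", ANY, ANY))
    return rules

def term(net):
    """Render a network as IOS-style 'any', 'host A' or 'A wildcard'."""
    if net == ANY:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def render(rules, name="SHOP-NO-INTERNET"):   # ACL name is hypothetical
    lines = [f"ip access-list extended {name}"]
    lines += [f" {action} ip {term(s)} {term(d)}" for action, s, d in rules]
    return "\n".join(lines)

def decide(rules, src, dst):
    """First matching line wins; an ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in rules:
        if src in s and dst in d:
            return action
    return "deny"

if __name__ == "__main__":
    acl = build_rules(SHOP_FIRST, SHOP_LAST, INTERNAL)
    print(render(acl))
    for src, dst in [("192.168.10.15", "10.1.2.3"), ("192.168.10.15", "203.0.113.5"),
                     ("192.168.10.21", "203.0.113.5")]:
        print(src, "->", dst, decide(acl, src, dst))
```

With these sample values the eleven-address range needs four source blocks, so the ACL has nine lines. Placing the deny lines ahead of the internal permits would also cut the shop-floor hosts off from mail and intranet, because evaluation stops at the first match.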


