blocking www.blocksite.com

Jan 21st, 2009

Hello

I was asked by our manager to block a specific site, let us assume http://www.block.com. As normal, I logged into the router and started with these 3 lines:

access-list 110 deny tcp any host http://www.block.com eq www

(for other sites to be accessible)

access-list 110 permit tcp any any eq www

**********

In the interface that is facing the ISP:

ip access-group 110 out

It successfully blocks http://www.block.com and, accordingly, all other sites on the web.

What could be wrong? Please, I need advice.

Thank you.

aneesh.ts Wed, 01/21/2009 - 22:17

I think you should mention permit ip any any as the second line instead of tcp any any:


access-list 110 permit ip any any


Because the command you gave will only permit TCP traffic, but block the rest.


Try it and let me know whether it worked.
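
Added example (not part of the thread and not Cisco code): a small first-match evaluator comparing the original ACL 110 with the variant suggested in the reply above, including the implicit deny that ends every IOS access list. The addresses and sample packets are constructed, and `192.0.2.10` is a placeholder for the blocked site's address.

```python
# Added illustration of first-match ACL evaluation; all packets are constructed.
from typing import NamedTuple, Optional
BLOCKED = "192.0.2.10"  # assumption: placeholder address for the blocked site

class Rule(NamedTuple):
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol; else "tcp" / "udp"
    dst: Optional[str]      # None means "any"
    dport: Optional[int]    # None means the entry has no "eq <port>" clause

class Packet(NamedTuple):
    proto: str
    dst: str
    dport: int

def evaluate(acl, pkt):
    """Return the action of the first matching rule, else the implicit deny."""
    for rule in acl:
        if rule.proto not in ("ip", pkt.proto):
            continue
        if rule.dst is not None and rule.dst != pkt.dst:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"  # implicit "deny ip any any" at the end of the list

# access-list 110 deny tcp any host <blocked> eq www
DENY_SITE = Rule("deny", "tcp", BLOCKED, 80)
# Original second line: access-list 110 permit tcp any any eq www
ACL_ORIGINAL = [DENY_SITE, Rule("permit", "tcp", None, 80)]
# Suggested second line: access-list 110 permit ip any any
ACL_SUGGESTED = [DENY_SITE, Rule("permit", "ip", None, None)]

SAMPLES = {
    "http to blocked site": Packet("tcp", BLOCKED, 80),
    "http to other site": Packet("tcp", "198.51.100.7", 80),
    "dns query": Packet("udp", "203.0.113.53", 53),
    "https to other site": Packet("tcp", "198.51.100.7", 443),
}

def compare():
    """Map each sample to (verdict under original ACL, under suggested ACL)."""
    return {name: (evaluate(ACL_ORIGINAL, p), evaluate(ACL_SUGGESTED, p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22} original={verdicts[0]:6} suggested={verdicts[1]}")
```

Under the original list, anything that is not TCP port 80 falls through to the implicit deny, which includes DNS queries (UDP port 53) and HTTPS leaving through that interface.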

aneesh.ts Wed, 01/21/2009 - 22:23

Also try the IP address instead of the URL.


access-list 110 deny tcp any host http://www.block.com eq www


Instead of this, try


access-list 110 deny tcp any host eq www


Do an nslookup http://www.block.com in your command prompt to resolve the URL, since the router would not be able to resolve your DNS name to an IP address (not sure). Kindly find the nslookup output I am getting from my command prompt.


P:\>nslookup http://www.block.com

Server:

Address: 192.168.134.39


DNS request timed out.

timeout was 2 seconds.

DNS request timed out.

timeout was 2 seconds.

*** Request to timed-out


P:\>nslookup block.com

Server:

Address: 192.168.134.39


Non-authoritative answer:

Name: block.com

Address: 65.220.68.100



I am unable to resolve http://www.block.com, but able to resolve block.com.

Not sure whether you have mentioned the correct URL to be blocked. I guess you have masked the URL.

alaeldien Wed, 01/21/2009 - 23:31

Hello

Thank you for your quick reply.

It is not a matter of choosing between IP or URL, because the name server configured in the router can resolve the URL to an IP address. The most important thing is why it blocks all other sites, in spite of

access-list 110 permit ip any any

and

access-list 110 permit tcp any any eq www

Either of those 2 lines must allow other sites to be accessible.


OK, to be more clear: I am configuring the router with PPPoE that negotiates the IP address through IPCP, and it uses a virtual dialer for negotiation. Do you think, because of that, I need to apply the ACL to the physically connected interface?

Thank you.

alaeldien Thu, 01/22/2009 - 02:54

Hello

I need someone, please, to refine the case and suggest to me the interface that the ACL must be applied to, assuming the 1841 router has only 2 FastEthernet switch

int ethernet 0/0 facing local lan

int ethernet 0/1 facing ISP

Please advise.

shanbhag Thu, 01/22/2009 - 07:06
User Badges: Cisco Employee

Either way should be fine.
