05-04-2009 08:42 AM - edited 03-11-2019 08:27 AM
I will be glad if you can help me compose an access list to block some addresses in my LAN (172.16.0.0/24). I want 172.16.0.1-172.16.0.65 to browse the internet and to exclude all other addresses.
05-05-2009 03:38 AM
You don't have your access-list applied to an interface.
Create your access-list and apply like this:
ip access-list extended BLOCKWWW
 permit tcp 172.16.0.0 0.0.0.63 any eq www
 permit tcp host 172.16.0.64 any eq www
 permit tcp host 172.16.0.65 any eq www
 deny tcp any any eq www
 permit ip any any
int g0/0
 ip access-group BLOCKWWW in
This will only allow traffic to the web for the hosts you specified. It will allow everything else out.
HTH,
John
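As an added example (not part of the thread or of John's reply), this Python script does the range-to-ACL split John did by hand and checks the result the way IOS evaluates it, first match wins. It also shows why IOS entries need a wildcard mask (0.0.0.63) rather than the ASA-style subnet mask (255.255.255.192): read as a wildcard, the latter matches the wrong hosts. The range, ACL name and sample addresses are the thread's; the 10.9.8.128 host is a constructed counter-example.

```python
"""Added example: build the IOS named ACL from the thread for an arbitrary
host range and check which hosts it lets out to the web."""
import ipaddress


def web_sources(first: str, last: str) -> list[tuple[str, str]]:
    """Split first..last into the fewest aligned blocks, each returned as
    (address, IOS wildcard mask). .1-.65 needs seven entries; starting the
    range at .0 (an unusable network address) collapses it to a /26 plus a /31."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in blocks]


def render_acl(first: str, last: str, name: str = "BLOCKWWW") -> list[str]:
    """Named extended ACL: permit web for the range, block web for everyone
    else, let all other traffic through (same shape as the accepted answer)."""
    lines = [f"ip access-list extended {name}"]
    for addr, wc in web_sources(first, last):
        src = f"host {addr}" if wc == "0.0.0.0" else f"{addr} {wc}"
        lines.append(f" permit tcp {src} any eq www")
    lines += [" deny tcp any any eq www", " permit ip any any"]
    return lines


def ace_matches(addr: str, wildcard: str, host: str) -> bool:
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    a, w, h = (int(ipaddress.ip_address(x)) for x in (addr, wildcard, host))
    return (a & ~w) == (h & ~w)


def web_allowed(host: str, first: str, last: str) -> bool:
    """First-match evaluation of render_acl's ACL for a TCP/80 flow from host:
    a matching permit entry wins, otherwise 'deny tcp any any eq www' applies."""
    return any(ace_matches(a, w, host) for a, w in web_sources(first, last))


if __name__ == "__main__":
    print("\n".join(render_acl("172.16.0.0", "172.16.0.65")))
    # The ASA-style mask, pasted into IOS, is read as a wildcard: it matches
    # the constructed host 10.9.8.128 and rejects 172.16.0.1.
    print(ace_matches("172.16.0.0", "255.255.255.192", "10.9.8.128"))  # True
    print(ace_matches("172.16.0.0", "255.255.255.192", "172.16.0.1"))  # False
```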
05-04-2009 09:12 AM
What device? Assuming ASA... I only did www, but you can add https etc., or do ip instead of tcp, etc.
access-list inside extended permit tcp 172.16.0.0 255.255.255.192 any eq www
access-list inside extended permit tcp host 172.16.0.64 any eq www
access-list inside extended permit tcp host 172.16.0.65 any eq www
access-list inside extended deny tcp any any eq www
access-group inside in interface inside
05-05-2009 03:30 AM
05-06-2009 12:38 AM
Thanks so much, John. The named ACL works perfectly for my network. I really appreciate your effort. God bless.
05-04-2009 09:19 AM
Since your ACL would have to be split because of the range that you need to give, you could put all 64 addresses in an object group and then allow just that object group to the internet:
object-group network WEB
 network-object 172.16.0.0 255.255.255.192
 network-object host 172.16.0.62
 network-object host 172.16.0.63
 network-object host 172.16.0.64
 network-object host 172.16.0.65
access-list WEB extended permit tcp object-group WEB any eq 80
HTH,
John
05-05-2009 02:22 AM
Thanks for your reply. Please, how do I enter the command "object-group network WEB"? Thanks for your kind reply.
05-05-2009 03:40 AM
I gave you a config for an ASA. Object groups don't exist under routers that I'm aware of =)
John
05-06-2009 01:06 AM
John
Just for your info, object-groups are now supported on IOS with a minimum of 12.4(20)T.
I haven't tried them out though so not sure how close they are to ASA/Pix object-groups.
Jon