Restricting some of my internal hosts from accessing the internet

obafemiboye
Level 1

I will be glad if you can help me to compose an access list to block some addresses in my LAN (172.16.0.0/24). I want 172.16.0.1-172.16.0.65 to browse the internet and exclude all other addresses.


8 Replies

acomiskey
Level 10

What device? Assuming ASA... I only did www, but you can add https etc., or do ip instead of tcp, etc.

access-list inside extended permit tcp 172.16.0.0 255.255.255.192 any eq www
access-list inside extended permit tcp host 172.16.0.64 any eq www
access-list inside extended permit tcp host 172.16.0.65 any eq www
access-list inside extended deny tcp any any eq www
access-group inside in interface inside

Thanks for the kind reply. I still can't get it working! My router is a 2821. Please find attached a copy of my "show run" and analyse this for me. Thanks once again for your time.

You don't have your access-list applied to an interface.

Create your access-list and apply like this:

ip access-list extended BLOCKWWW
 permit tcp 172.16.0.0 0.0.0.63 any eq www
 permit tcp host 172.16.0.64 any eq www
 permit tcp host 172.16.0.65 any eq www
 deny tcp any any eq www
 permit ip any any
!
int g0/0
 ip access-group BLOCKWWW in

This will only allow traffic to the web for the hosts you specified. It will allow everything else out.

HTH,

John

HTH, John *** Please rate all useful posts ***
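As an added illustration (not part of this thread or Cisco's code), the following Python script evaluates a constructed copy of the named ACL above against sample packets the way IOS does: first match wins, a missing match hits the implicit deny at the end, and the source mask is an IOS wildcard (0.0.0.63 covers 172.16.0.0-172.16.0.63; a subnet mask such as 255.255.255.192 written in that position is interpreted as a wildcard and matches the wrong hosts). The ACL text, the hosts and the destination addresses are constructed sample values.

```python
import ipaddress

# Constructed sample ACL mirroring the named ACL from the accepted answer,
# with the IOS wildcard mask 0.0.0.63 for the 172.16.0.0/26 block (.0-.63).
BLOCKWWW = [
    "permit tcp 172.16.0.0 0.0.0.63 any eq www",
    "permit tcp host 172.16.0.64 any eq www",
    "permit tcp host 172.16.0.65 any eq www",
    "deny tcp any any eq www",
    "permit ip any any",
]

def wildcard_match(addr, base, wildcard):
    """IOS ACL semantics: a wildcard bit set to 1 means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (a subset of IOS syntax)."""
    toks = line.split()
    pos = 2
    def take_addr():
        nonlocal pos
        if toks[pos] == "any":            # any = 0.0.0.0 with all-ones wildcard
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if toks[pos] == "host":           # host A = A with all-zeros wildcard
            pos += 2
            return toks[pos - 1], "0.0.0.0"
        pos += 2                          # explicit 'A WILDCARD' pair
        return toks[pos - 2], toks[pos - 1]
    src, dst = take_addr(), take_addr()
    port = None
    if pos < len(toks) and toks[pos] == "eq":
        port = 80 if toks[pos + 1] == "www" else int(toks[pos + 1])
    return {"action": toks[0], "proto": toks[1], "src": src, "dst": dst, "dport": port}

def evaluate(acl_lines, src, dst, proto, dport):
    """First matching entry wins; no match means the implicit deny at the end."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

if __name__ == "__main__":
    for host in ("172.16.0.30", "172.16.0.65", "172.16.0.100"):
        print(host, "-> www", evaluate(BLOCKWWW, host, "198.51.100.10", "tcp", 80))
```

Dropping the final `permit ip any any` from the list shows why it matters: every non-web flow from the LAN then falls through to the implicit deny.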

Thanks so much, John. The named ACL works perfectly for my network. I really appreciate your effort. God bless.

John Blakley
VIP Alumni

Since your acl would have to be split because of the range that you need to give, you could put all 64 addresses in an object group and then allow just that object group to the internet:

object-group network WEB
 network-object 172.16.0.0 255.255.255.192
 network-object host 172.16.0.62
 network-object host 172.16.0.63
 network-object host 172.16.0.64
 network-object host 172.16.0.65
!
access-list WEB permit tcp object-group WEB any eq 80

HTH,

John

HTH, John *** Please rate all useful posts ***

Thanks for your reply. Please, how do I enter the command "object-group network WEB"? Thanks for your kind reply.

I gave you a config for an ASA. Object groups don't exist under routers that I'm aware of =)

John

HTH, John *** Please rate all useful posts ***

John

Just for your info, object-groups are now supported on IOS with a minimum of 12.4(20)T.

I haven't tried them out though, so I'm not sure how close they are to ASA/PIX object-groups.

Jon
