ACL to deny www traffic

Answered Question
May 13th, 2009

Hi,

I am using a cisco 857 adsl router. I want to create an access rule to deny internet access to the user of one machine with a static IP.

I have given the router a basic config, and set the pc to use the router as a default gateway, and can now get internet access.

This is the access list I have come up with, but it is not working (internet access still works)

access-list 101 deny tcp host 192.168.1.80 any eq 80
access-list 101 permit ip any any
int vlan1
 ip access-group 101 out

Can anyone help me out?

Thanks

Nick

Jon Marshall Wed, 05/13/2009 - 07:01

Nick

If vlan 1 is the vlan that the client is on then you need to apply the acl inbound not outbound ie.

int vlan 1
 ip access-group 101 in

Inbound traffic on a vlan interface is traffic coming from clients on the vlan

Outbound traffic on a vlan interface is traffic going to clients on the vlan

Jon

nickc1976 Wed, 05/13/2009 - 07:26

Hi Jon,

Thanks for your reply.

Yes, vlan1 is being used by the client.

I have changed the direction of the acl on vlan1 to out as you suggested, but still have internet access.

Nick

Jon Marshall Wed, 05/13/2009 - 07:37

Nick

"I have changed the direction of the acl on vlan1 to out as you suggested, but still have internet access. "

You mean you changed it to in ?

What does "sh access-list 101" show

Jon

nickc1976 Wed, 05/13/2009 - 07:46

Jon,

yourname#sh access-list 101
Extended IP access list 101
    10 deny tcp host 192.168.1.80 any eq www
    20 permit ip any any (12828 matches)
yourname#

also, from show run:

interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.19 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452

Nick

Jon Marshall Wed, 05/13/2009 - 07:58

Nick

Thanks for this.

There are no hits on your first line in the acl -

10 deny tcp host 192.168.1.80 any eq www

so can we go back to basics and do a few checks

1) check that the host you are testing from is actually 192.168.1.80

2) can you confirm that you are testing by accessing a web site ie. you are not testing by pinging or something else.

If both the above check out okay can you add this to your config

ip access-list extended 101
 15 permit tcp host 192.168.1.80 any eq www

the idea behind this is just to confirm that 192.168.1.80 is actually being seen by the router. So after adding this line, test again and post output of "sh access-list 101"

Jon

nickc1976 Wed, 05/13/2009 - 08:16

Jon,

1. The IP address of the machine is definitely 192.168.1.80 (assigned statically)

2. Yes, I am testing by accessing a web page.

Here are the changes I made:

yourname(config)#ip access-list extended 101
yourname(config-ext-nacl)#15 permit tcp host 192.168.1.80 any eq www
yourname(config-ext-nacl)#end
yourname#show access-list 101
Extended IP access list 101
    10 deny tcp host 192.168.1.80 any eq www
    15 permit tcp host 192.168.1.80 any eq www
    20 permit ip any any (18580 matches)

Richard Burts Wed, 05/13/2009 - 08:57

Nick

Is it possible that the PC is using HTTPS to access the web site rather than HTTP? HTTPS uses TCP port 443. Perhaps it might help to add to the access list:

13 deny tcp host 192.168.1.80 any eq 443

nickc1976 Thu, 05/14/2009 - 08:12

Hi,

Thanks for the advice so far.

I have found the problem. The router is in a different building, and traffic has to go through a wireless bridge to get to the router, though it is on the same subnet.

I added the acl rule to a router which is in the same building as the machine (so traffic does not have to go through the wireless bridge), and internet access is blocked.

This is what I added:

access-list 101 deny tcp host 192.168.1.80 any eq 80
access-list 101 permit ip any any
int vlan1
 ip access-group 101 in

I have a further question.

If I change the acl to this:

access-list 1 deny 192.168.1.80
int dialer0
 ip access-group 1 out

Will this acl:

1. allow the user to access all internal LAN traffic, eg. shared files & folders, receive email from the Mail server.

2. block access to all external traffic, eg. www, skype, ftp etc

Thanks

Nick

Correct Answer
Jon Marshall Thu, 05/14/2009 - 08:50

Nick

Glad to hear you found the problem.

As for your acl on the dialer0 interface. That acl will block all traffic from 192.168.1.80 to anything that is reached via the dialer0 interface.

If shared files/folders etc. are not accessible via the dialer0 interface then the user will still have access to those.

Jon
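The following is an added worked example, not code from this thread or from Cisco: a small Python model of how IOS evaluates an ACL bound to an interface, written to illustrate three points made above. First, Jon's explanation that on a VLAN interface "in" means traffic arriving from the clients, so ACL 101 applied "out" on Vlan1 never sees the client's web requests and the deny line collects no hits, while "in" does. Second, Richard's point that a deny on port 80 alone leaves HTTPS (443) through. Third, Jon's final answer that a standard ACL applied "out" on Dialer0 only affects traffic that actually leaves via Dialer0, so LAN-side destinations are untouched. The interface names, the 203.0.113.x / 198.51.100.x destinations and the packets themselves are constructed sample data. One caveat the model makes visible: every IOS ACL ends with an implicit deny, so `access-list 1` as posted (a single deny line, no `permit any`) would block everyone's internet access once applied to Dialer0; the model adds the `permit any` that a real ACL 1 needs.

```python
"""Toy model of Cisco IOS ACL evaluation: direction semantics and hit counters.
Added example; not the thread's or Cisco's code. Interfaces, addresses and
packets below are constructed sample data."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "tcp", "udp" or "ip"
    dport: Optional[int] = None
    in_iface: str = ""         # interface the packet arrives on
    out_iface: str = ""        # interface the router forwards it out of


@dataclass
class Ace:
    """One access-control entry, e.g. '10 deny tcp host 192.168.1.80 any eq 80'."""
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str                   # "any" or a single host address
    dst: str
    dport: Optional[int] = None   # "eq <port>" qualifier; None = any port
    matches: int = 0

    def matches_packet(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


@dataclass
class Acl:
    name: str
    aces: List[Ace] = field(default_factory=list)

    def evaluate(self, p: Packet) -> str:
        for ace in self.aces:          # first match wins, hit counter increments
            if ace.matches_packet(p):
                ace.matches += 1
                return ace.action
        return "deny"                  # implicit deny at the end of every IOS ACL

    def show(self) -> List[str]:
        """Mimic 'show access-list': one line per ACE with its hit count."""
        out = []
        for a in self.aces:
            src = a.src if a.src == "any" else f"host {a.src}"
            dst = a.dst if a.dst == "any" else f"host {a.dst}"
            port = "" if a.dport is None else f" eq {a.dport}"
            hits = "" if a.matches == 0 else f" ({a.matches} matches)"
            out.append(f"{a.seq} {a.action} {a.proto} {src} {dst}{port}{hits}")
        return out


@dataclass
class Router:
    """Per-interface bindings: {iface: {"in": Acl, "out": Acl}}."""
    bindings: dict = field(default_factory=dict)

    def access_group(self, iface: str, acl: Acl, direction: str) -> None:
        self.bindings.setdefault(iface, {})[direction] = acl

    def forward(self, p: Packet) -> str:
        # "in" is checked on the arrival interface, "out" on the exit interface.
        acl_in = self.bindings.get(p.in_iface, {}).get("in")
        if acl_in and acl_in.evaluate(p) == "deny":
            return "dropped"
        acl_out = self.bindings.get(p.out_iface, {}).get("out")
        if acl_out and acl_out.evaluate(p) == "deny":
            return "dropped"
        return "forwarded"


def acl_101() -> Acl:
    return Acl("101", [Ace(10, "deny", "tcp", "192.168.1.80", "any", 80),
                       Ace(20, "permit", "ip", "any", "any")])


def client_web(dport: int = 80) -> Packet:
    # Constructed flow: the client on Vlan1 browsing an internet host via Dialer0.
    return Packet("192.168.1.80", "203.0.113.10", "tcp", dport, "Vlan1", "Dialer0")


def demo_direction():
    """ACL 101 'out' on Vlan1 never sees client-originated traffic; 'in' blocks
    port 80 but still lets 443 through. Returns (out_result, in_result, https_result, show)."""
    r = Router(); r.access_group("Vlan1", acl_101(), "out")
    wrong = r.forward(client_web(80))
    r = Router(); acl = acl_101(); r.access_group("Vlan1", acl, "in")
    right = r.forward(client_web(80))
    https = r.forward(client_web(443))
    return wrong, right, https, acl.show()


def demo_dialer():
    """Standard ACL 1 'out' on Dialer0 drops everything the host sends toward the
    internet (any protocol) but does not touch traffic that never exits Dialer0."""
    acl1 = Acl("1", [Ace(10, "deny", "ip", "192.168.1.80", "any"),
                     Ace(20, "permit", "ip", "any", "any")])   # needed: implicit deny otherwise
    r = Router(); r.access_group("Dialer0", acl1, "out")
    web = r.forward(client_web(80))
    udp = r.forward(Packet("192.168.1.80", "198.51.100.7", "udp", 5000, "Vlan1", "Dialer0"))
    lan = r.forward(Packet("192.168.1.80", "192.168.1.5", "tcp", 445, "Vlan1", "Vlan1"))
    return web, udp, lan


if __name__ == "__main__":
    print(demo_direction())
    print(demo_dialer())
```

Running it reproduces what the thread observed: with the ACL "out" on Vlan1 the request is forwarded and the deny line shows no matches; with it "in" the port 80 request is dropped, the port 443 request is forwarded, and `show()` prints the hit counts the way `show access-list` does. The model deliberately ignores NAT and stateful inspection, which is why real-world `sh access-list` counters are the check to rely on.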
