05-13-2009 06:43 AM
Hi,
I am using a cisco 857 adsl router. I want to create an access rule to deny internet access to the user of one machine with a static IP.
I have given the router a basic config, and set the pc to use the router as a default gateway, and can now get internet access.
This is the access list I have come up with, but it is not working (internet access still works)
access-list 101 deny tcp host 192.168.1.80 any eq 80
access-list 101 permit ip any any
int vlan1
ip access-group 101 out
Can anyone help me out?
Thanks
Nick
05-13-2009 07:01 AM
Nick
If vlan 1 is the vlan that the client is on then you need to apply the acl inbound not outbound, i.e.
int vlan 1
ip access-group 101 in
Inbound traffic on a vlan interface is traffic coming from clients on the vlan.
Outbound traffic on a vlan interface is traffic going to clients on the vlan.
Jon
05-13-2009 07:26 AM
Hi Jon,
Thanks for your reply.
Yes, vlan1 is being used by the client.
I have changed the direction of the acl on vlan1 to out as you suggested, but still have internet access.
Nick
05-13-2009 07:37 AM
Nick
"I have changed the direction of the acl on vlan1 to out as you suggested, but still have internet access. "
You mean you changed it to in ?
What does "sh access-list 101" show?
Jon
05-13-2009 07:46 AM
Jon,
yourname#sh access-list 101
Extended IP access list 101
10 deny tcp host 192.168.1.80 any eq www
20 permit ip any any (12828 matches)
yourname#
also, from show run:
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.19 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
Nick
05-13-2009 07:58 AM
Nick
Thanks for this.
There are no hits on your first line in the acl -
10 deny tcp host 192.168.1.80 any eq www
so can we go back to basics and do a few checks
1) check that the host you are testing from is actually 192.168.1.80
2) can you confirm that you are testing by accessing a web site ie. you are not testing by pinging or something else.
If both the above check out okay can you add this to your config
ip access-list extended 101
15 permit tcp host 192.168.1.80 any eq www
The idea behind this is just to confirm that 192.168.1.80 is actually being seen by the router. So after adding this line, test again and post the output of "sh access-list 101".
Jon
05-13-2009 08:16 AM
Jon,
1. The IP address of the machine is definitely 192.168.1.80 (assigned statically)
2. Yes, I am testing by accessing a web page.
Here are the changes I made:
yourname(config)#ip access-list extended 101
yourname(config-ext-nacl)#15 permit tcp host 192.168.1.80 any eq www
yourname(config-ext-nacl)#end
yourname#show access-list 101
Extended IP access list 101
10 deny tcp host 192.168.1.80 any eq www
15 permit tcp host 192.168.1.80 any eq www
20 permit ip any any (18580 matches)
05-13-2009 08:57 AM
Nick
Is it possible that the PC is using HTTPS to access the web site rather than HTTP? HTTPS uses TCP port 443. Perhaps it might help to add to the access list:
13 deny tcp host 192.168.1.80 any eq 443
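Added here as an illustration, not a reply from the thread and not IOS code: a small Python model of first-match ACL evaluation that shows why the deny line never records a hit when the list is applied outbound on vlan1 (the router then sees the server's reply, with addresses swapped), and why an HTTPS request on port 443 passes a port-80 deny. Every address other than 192.168.1.80, and the ephemeral port, are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

WWW = 80  # IOS displays "eq 80" as "eq www"

@dataclass
class Ace:
    """One entry of an extended ACL; None means 'any'."""
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    matches: int = 0       # the counter that 'show access-list' prints

    def hit(self, pkt):
        return ((self.proto == "ip" or pkt["proto"] == self.proto)
                and self.src in (None, pkt["src"])
                and self.dst in (None, pkt["dst"])
                and self.dport in (None, pkt.get("dport")))

def build_acl():
    # Same two lines as access-list 101 in the thread
    return [Ace(10, "deny", "tcp", "192.168.1.80", None, WWW),
            Ace(20, "permit", "ip", None, None, None)]

def evaluate(acl, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.hit(pkt):
            ace.matches += 1
            return ace.action
    return "deny"

def outbound_view(pkt, sport=51234):
    """Outbound on vlan1 the router sees the server's reply: addresses swap
    and the destination port is the client's ephemeral port (constructed)."""
    return {"src": pkt["dst"], "dst": pkt["src"], "proto": pkt["proto"], "dport": sport}

def run_scenario():
    # Constructed client->Internet packets as seen inbound on vlan1
    packets = [
        {"src": "192.168.1.80", "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
        {"src": "192.168.1.80", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
        {"src": "192.168.1.50", "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
    ]
    acl_in, acl_out = build_acl(), build_acl()
    inbound = [evaluate(acl_in, p) for p in packets]
    outbound = [evaluate(acl_out, outbound_view(p)) for p in packets]
    return {"inbound": inbound, "outbound": outbound,
            "inbound_counters": {a.seq: a.matches for a in acl_in},
            "outbound_counters": {a.seq: a.matches for a in acl_out}}
```

Only the inbound run puts a hit on sequence 10, and only for the port-80 request; the 443 request and the outbound replies all fall through to the permit line, matching the zero-hit counter seen in the thread.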
05-14-2009 08:12 AM
Hi,
Thanks for the advice so far.
I have found the problem. The router is in a different building, and traffic has to go through a wireless bridge to get to the router, though it is on the same subnet.
I added the acl rule to a router which is in the same building as the machine (so traffic does not have to go through the wireless bridge), and internet access is blocked.
This is what I added:
access-list 101 deny tcp host 192.168.1.80 any eq 80
access-list 101 permit ip any any
int vlan1
ip access-group 101 in
I have a further question.
If I change the acl to this:
access-list 1 deny 192.168.1.80
int dialer0
ip access-group 1 out
Will this acl:
1. allow the user to access all internal LAN traffic, eg. shared files & folders, receive email from the Mail server.
2. block access to all external traffic, eg. www, skype, ftp etc
Thanks
Nick
05-14-2009 08:50 AM
Nick
Glad to hear you found the problem.
As for your acl on the dialer0 interface. That acl will block all traffic from 192.168.1.80 to anything that is reached via the dialer0 interface.
If shared files/folders etc. are not accessible via the dialer0 interface then the user will still have access to those.
Jon