ACL to deny www traffic

nickc1976
Level 1

Hi,

I am using a cisco 857 adsl router. I want to create an access rule to deny internet access to the user of one machine with a static IP.

I have given the router a basic config, and set the pc to use the router as a default gateway, and can now get internet access.

This is the access list I have come up with, but it is not working (internet access still works):

access-list 101 deny tcp host 192.168.1.80 any eq 80

access-list 101 permit ip any any

int vlan1

ip access-group 101 out

Can anyone help me out?

Thanks

Nick


9 Replies

Jon Marshall
Hall of Fame

Nick

If vlan 1 is the vlan that the client is on then you need to apply the acl inbound, not outbound, i.e.

int vlan 1

ip access-group 101 in

Inbound traffic on a vlan interface is traffic coming from clients on the vlan.

Outbound traffic on a vlan interface is traffic going to clients on the vlan.

Jon

Hi Jon,

Thanks for your reply.

Yes, vlan1 is being used by the client.

I have changed the direction of the acl on vlan1 to out as you suggested, but still have internet access.

Nick

Nick

"I have changed the direction of the acl on vlan1 to out as you suggested, but still have internet access. "

You mean you changed it to in?

What does "sh access-list 101" show?

Jon

Jon,

yourname#sh access-list 101

Extended IP access list 101

10 deny tcp host 192.168.1.80 any eq www

20 permit ip any any (12828 matches)

yourname#

also, from show run:

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.1.19 255.255.255.0

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1452

Nick

Nick

Thanks for this.

There are no hits on your first line in the acl -

10 deny tcp host 192.168.1.80 any eq www

so can we go back to basics and do a few checks:

1) check that the host you are testing from is actually 192.168.1.80

2) can you confirm that you are testing by accessing a web site, i.e. you are not testing by pinging or something else.

If both the above check out okay, can you add this to your config:

ip access-list extended 101

15 permit tcp host 192.168.1.80 any eq www

The idea behind this is just to confirm that 192.168.1.80 is actually being seen by the router. So after adding this line, test again and post the output of "sh access-list 101".

Jon

Jon,

1. The IP address of the machine is definitely 192.168.1.80 (assigned statically)

2. Yes, I am testing by accessing a web page.

Here are the changes I made:

yourname(config)#ip access-list extended 101

yourname(config-ext-nacl)#15 permit tcp host 192.168.1.80 any eq www

yourname(config-ext-nacl)#end

yourname#show access-list 101

Extended IP access list 101

10 deny tcp host 192.168.1.80 any eq www

15 permit tcp host 192.168.1.80 any eq www

20 permit ip any any (18580 matches)

Nick

Is it possible that the PC is using HTTPS to access the web site rather than HTTP? HTTPS uses TCP port 443. Perhaps it might help to add to the access list:

13 deny tcp host 192.168.1.80 any eq 443

HTH

Rick

Hi,

Thanks for the advice so far.

I have found the problem. The router is in a different building, and traffic has to go through a wireless bridge to get to the router, though it is on the same subnet.

I added the acl rule to a router which is in the same building as the machine (so traffic does not have to go through the wireless bridge), and internet access is blocked.

This is what I added:

access-list 101 deny tcp host 192.168.1.80 any eq 80

access-list 101 permit ip any any

int vlan1

ip access-group 101 in

I have a further question.

If I change the acl to this:

access-list 1 deny 192.168.1.80

int dialer0

ip access-group 1 out

Will this acl:

1. allow the user to access all internal LAN traffic, e.g. shared files & folders, receiving email from the mail server?

2. block access to all external traffic, e.g. www, skype, ftp etc.?

Thanks

Nick

Nick

Glad to hear you found the problem.

As for your acl on the dialer0 interface: that acl will block all traffic from 192.168.1.80 to anything that is reached via the dialer0 interface.

If shared files/folders etc. are not accessible via the dialer0 interface then the user will still have access to those.

Jon
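The behaviour this thread turns on (which direction an ACL bound to a VLAN interface actually sees, first-match ordering with hit counters, the HTTPS gap Rick raised, and what a standard ACL with only a deny line does on Dialer0) can be checked without a router. The following is an added example, not configuration or code from any of the posts: a small Python model of IOS ACL evaluation using the thread's own entries. It assumes IOS semantics (entries tried in sequence order, first match wins, an implicit deny any at the end, and "in" on an SVI meaning traffic from the clients on that VLAN); the packet addresses such as 203.0.113.10 and 192.168.1.50 are constructed for the demonstration.

```python
"""Model of Cisco IOS ACL evaluation for the configs discussed in this thread.

Added example, not from the original posts. It models IOS behaviour the thread
relies on: entries are checked in sequence order, the first match wins, and an
ACL with no matching entry drops the packet (the implicit deny). Packet
addresses and the 'in'/'out' interface semantics are assumptions stated here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

WWW, HTTPS = 80, 443


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class Entry:
    seq: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str = "any"
    dport: Optional[int] = None
    matches: int = 0           # what "show access-list" prints as "(N matches)"


def addr_match(spec: str, ip: str) -> bool:
    """Match an address against an IOS source/destination specifier."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip == parts[1]
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    keep = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return int(ipaddress.IPv4Address(ip)) & keep == net & keep


class Acl:
    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e.seq)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, seq) of the first matching entry; (deny, None) if none."""
        for e in self.entries:
            if e.proto != "ip" and e.proto != pkt.proto:
                continue
            if not (addr_match(e.src, pkt.src) and addr_match(e.dst, pkt.dst)):
                continue
            if e.dport is not None and e.dport != pkt.dport:
                continue
            e.matches += 1
            return e.action, e.seq
        return "deny", None    # implicit deny at the end of every IOS ACL


def forward(acl: Acl, applied: str, pkt: Packet, pkt_dir: str) -> Tuple[str, Optional[int]]:
    """Apply an ACL bound with 'ip access-group <n> <applied>' to one packet.

    On a VLAN (SVI) interface 'in' is traffic arriving from the clients on that
    VLAN and 'out' is traffic leaving towards them (assumed, per the thread).
    An ACL bound in the other direction is never consulted.
    """
    if applied != pkt_dir:
        return "permit", None
    return acl.evaluate(pkt)


def acl_101() -> Acl:
    """The thread's extended ACL 101 as it stood after line 15 was added."""
    return Acl([
        Entry(10, "deny", "tcp", "host 192.168.1.80", "any", WWW),
        Entry(15, "permit", "tcp", "host 192.168.1.80", "any", WWW),
        Entry(20, "permit", "ip", "any", "any"),
    ])


HTTP_FROM_PC = Packet("192.168.1.80", "203.0.113.10", "tcp", WWW)     # constructed
HTTPS_FROM_PC = Packet("192.168.1.80", "203.0.113.10", "tcp", HTTPS)  # constructed


def original_binding():
    """ACL 101 bound 'out' on Vlan1: client-originated traffic never hits it."""
    return forward(acl_101(), "out", HTTP_FROM_PC, "in")


def corrected_binding():
    """ACL 101 bound 'in' on Vlan1: line 10 drops HTTP; line 15 never gets a hit."""
    acl = acl_101()
    result = forward(acl, "in", HTTP_FROM_PC, "in")
    return result, [e.matches for e in acl.entries]


def https_leaks_through():
    """Rick's point: with only port 80 denied, HTTPS falls through to line 20."""
    return forward(acl_101(), "in", HTTPS_FROM_PC, "in")


def standard_acl_on_dialer(with_permit_any: bool):
    """Nick's 'access-list 1 deny 192.168.1.80' bound 'out' on Dialer0.

    Without a trailing 'permit any' the implicit deny drops every other host too.
    Returns (result for the blocked PC, result for another LAN host).
    """
    entries = [Entry(10, "deny", "ip", "host 192.168.1.80")]
    if with_permit_any:
        entries.append(Entry(20, "permit", "ip", "any"))
    acl = Acl(entries)
    other = Packet("192.168.1.50", "203.0.113.10", "tcp", WWW)        # constructed
    return forward(acl, "out", HTTP_FROM_PC, "out"), forward(acl, "out", other, "out")
```

Two things the model makes visible that the thread leaves implicit: the deny on line 10 is tried before the diagnostic permit on line 15, so line 15 can never accumulate hits for port 80 traffic from that host, and a standard ACL consisting only of `deny 192.168.1.80` ends in the implicit deny, so bound outbound on Dialer0 it cuts off every LAN host, not just 192.168.1.80, until a `permit any` is appended. Traffic that never leaves via Dialer0 (shares on the same subnet) is not evaluated by that ACL at all, which is Jon's point above.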
