Denying A domain with ACL

chrtim5064
Level 1

Hello Cisco Community,

I am trying to implement an IP ACL to prevent 1 host (PC1) from reaching the domain www.google.com. I have done a little research but am unsure how I can do this or if I am doing it correctly. I am doing this via Cisco Packet Tracer and have attached screenshots below of what I have done so far. Please let me know if it is correct or what I need to do to get this thing right. Thanks.


3 Replies

Leo Laohoo
Hall of Fame

Marvin Rhoads
Hall of Fame
Accepted Solution

You create the ACL and then you have to apply it to an interface (normally as an inbound ACL).

Using an FQDN in an ACL is not supported in IOS (it is in ASA, but we don't usually recommend it as it requires the firewall to look up the FQDN when the packet arrives). So we normally use IP addresses. However, popular web sites like google.com are not just one or always the same address. They use Content Delivery Networks (CDNs) and other techniques to spread the load across servers globally.

For practice you are better off using a single IP address associated with a destination that only has one IP address - either a specific server or small web site that doesn't use a CDN - like maybe a small business that has its server on premises.
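
To make the advice above concrete (create an extended ACL that denies one source host to one destination IP, add an explicit permit for everything else, then apply it inbound on the interface closest to PC1), the following is an added example and not code from the thread or from Cisco. It embeds a constructed IOS configuration as a string and implements, in Python, the matching rules IOS applies to it: wildcard masks, top-to-bottom first match, and the implicit deny at the end of every ACL. PC1's address 192.168.1.10, the target server 203.0.113.10 (a documentation address standing in for the single-IP destination Marvin suggests), the ACL name and the interface GigabitEthernet0/0 are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample IOS config (not from the thread). PC1 is assumed to be
# 192.168.1.10, the blocked web server 203.0.113.10, and the ACL is applied
# inbound on the LAN-facing interface so PC1's packets hit it first.
SAMPLE_CONFIG = """\
ip access-list extended BLOCK-PC1-WEB
 deny   ip host 192.168.1.10 host 203.0.113.10
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-PC1-WEB in
"""

AddrSpec = Tuple[int, int]  # (base address, wildcard mask) as 32-bit ints


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", ...
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one ACL address spec at tokens[i]: any | host A | A WILDCARD."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_acl(config: str) -> List[Entry]:
    """Collect the permit/deny entries of an extended ACL, in order."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def parse_bindings(config: str) -> List[Tuple[str, str, str]]:
    """Return (interface, acl_name, direction) for each ip access-group line."""
    bindings, current = [], None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] == ["interface"]:
            current = tokens[1]
        elif tokens[:2] == ["ip", "access-group"] and current:
            bindings.append((current, tokens[2], tokens[3]))
    return bindings


def _matches(spec: AddrSpec, addr: str) -> bool:
    base, wild = spec
    # IOS wildcard semantics: a 1 bit means "don't care", so only the bits
    # where the wildcard is 0 have to equal the base address.
    care = ~wild & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & care) == 0


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Apply the ACL to one packet the way IOS does: first match wins."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_matches(e.src, src) and _matches(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG)
    print(parse_bindings(SAMPLE_CONFIG))
    print(evaluate(acl, "tcp", "192.168.1.10", "203.0.113.10", 443))  # PC1 -> blocked server
    print(evaluate(acl, "tcp", "192.168.1.10", "203.0.113.20", 443))  # PC1 -> anything else
    print(evaluate(acl, "tcp", "192.168.1.11", "203.0.113.10", 443))  # another host -> server
    # Forgetting the trailing "permit ip any any" leaves only the implicit
    # deny behind it, which silently blocks every other host on the LAN.
    print(evaluate(acl[:-1], "udp", "192.168.1.11", "8.8.8.8", 53))
```

The last call is the check worth keeping in mind when testing in Packet Tracer: if PC1 is blocked but every other PC also loses connectivity, the explicit `permit ip any any` is missing, not the deny line. The `acl[:-1]` slice reproduces that mistake without editing the config.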

Thank you Martin,

This information is very helpful and I was able to create the ACL and block PC1 from accessing the google.com domain. I did a little research and had to find all the IP addresses Google basically uses, and once found I denied PC1 from accessing them.

Thanks again.