06-10-2017 09:19 AM - edited 02-20-2020 09:44 PM
Hello Cisco Community,
I am trying to implement an IP ACL to prevent one host (PC1) from reaching the domain www.google.com. I have done a little research but am unsure how I can do this or whether I am doing it correctly. I am doing this in Cisco Packet Tracer and have attached screenshots below of what I have done so far. Please let me know if it is correct or what I need to do to get this right. Thanks.
06-11-2017 04:41 AM
You create the ACL and then you have to apply it to an interface (normally as an inbound ACL).
Using an FQDN in an ACL is not supported in IOS (it is in ASA, but we don't usually recommend it as it requires the firewall to look up the FQDN when the packet arrives). So we normally use IP addresses. However, popular web sites like google.com are not just one address, and not always the same address. They use Content Delivery Networks (CDNs) and other techniques to spread the load across servers globally.
For practice you are better off using a single IP address associated with a destination that only has one IP address - either a specific server or a small web site that doesn't use a CDN - like maybe a small business that has its server on premises.
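A minimal IOS configuration of the approach described in this answer, added here as an example and not taken from the original thread or its screenshots. The addressing, interface name and ACL name are assumptions: PC1 is 192.168.1.10 on the router's GigabitEthernet0/0, and the single-address web server is 203.0.113.10 (a documentation-range address standing in for a real one).

```cisco
! Assumed topology (not from the original thread):
!   PC1 = 192.168.1.10/24, attached via the router's GigabitEthernet0/0
!   target web server = 203.0.113.10 (single address, no CDN)
ip access-list extended BLOCK-PC1-WEB
 remark Deny only PC1 to the one web server; leave everything else unchanged
 deny   tcp host 192.168.1.10 host 203.0.113.10 eq www
 deny   tcp host 192.168.1.10 host 203.0.113.10 eq 443
 permit ip any any
!
! Apply inbound on the interface PC1's traffic enters, so packets are dropped
! before they are routed. The permit ip any any is essential: every IOS ACL
! ends with an implicit deny, so without it the whole LAN would lose
! connectivity, not just PC1.
interface GigabitEthernet0/0
 ip access-group BLOCK-PC1-WEB in
end
!
! Verification: the counters on the deny lines increment as PC1 tries to browse
! to the server, and the interface shows the ACL applied inbound.
show access-lists BLOCK-PC1-WEB
show ip interface GigabitEthernet0/0 | include access list
```

Two caveats a practitioner would check: the two `deny tcp` lines only block HTTP and HTTPS, so PC1 can still ping the server (use `deny ip host 192.168.1.10 host 203.0.113.10` if all traffic must be blocked), and the ACL does nothing to DNS, so PC1 will still resolve the name and the browser will simply time out on the connection rather than failing the lookup.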
06-11-2017 04:41 AM
Thank you Martin,
This information is very helpful and I was able to create the ACL and block PC1 from accessing the google.com domain. I did a little research and had to find all the IP addresses Google basically uses, and once found I denied PC1 from accessing them.
Thanks again.