07-20-2007 09:29 AM - edited 03-11-2019 03:47 AM
I am trying to block AOL Internet Radio. With a sniffer tool, it shows that the outside IPs are still being accessed. Also, when I do a show access-list it does not show anything in the hit counts.
access list
access-list dmz-2_in; 7 elements
access-list dmz-2_in permit ip host 10.10.220.21 host 172.16.8.103 (hitcnt=32970)
access-list dmz-2_in permit tcp host 10.10.220.22 host 172.16.8.104 eq smtp (hitcnt=13257)
access-list dmz-2_in deny ip any 192.168.1.0 255.255.255.0 (hitcnt=1854)
access-list dmz-2_in permit ip any any (hitcnt=1137348)
access-list dmz-2_in permit tcp any host 172.16.8.71 eq 2844 (hitcnt=0)
access-list dmz-2_in permit tcp any host 172.16.8.71 eq 2845 (hitcnt=0)
access-list dmz-2_in deny ip any 172.16.8.0 255.255.248.0 (hitcnt=0)
access-list labdmz-in; 1 elements
access-list labdmz-in permit ip any 192.168.100.0 255.255.255.0 (hitcnt=0)
access-list in; 1 elements
access-list in permit ip any any (hitcnt=0)
access-list inside; 4 elements
access-list inside deny ip any host 211.234.104.232 (hitcnt=0)
access-list inside permit ip any any (hitcnt=2696140)
access-list inside deny ip any host 219.150.167.162 (hitcnt=0)
access-list inside deny ip any 64.236.98.0 255.255.255.0 (hitcnt=0)
access-list barracuda; 4 elements
access-list barracuda permit tcp any eq smtp any (hitcnt=0)
access-list barracuda permit icmp any any (hitcnt=3760)
access-list barracuda permit ip host 192.168.1.15 any (hitcnt=532201)
access-list barracuda deny ip any any (hitcnt=0)
access-list inside1; 4 elements
access-list inside1 deny ip any host 211.234.104.232 (hitcnt=0)
access-list inside1 deny ip any host 219.150.167.162 (hitcnt=0)
access-list inside1 deny ip any 64.236.98.0 255.255.255.0 (hitcnt=8)
access-list inside1 permit ip any any (hitcnt=46235)
FireWall#
I am trying to block the following internal user from accessing the AOL Radio public IPs 64.236.98.1 255.255.255.0.
If anyone has any other suggestions, please let me know.
Thank you
07-20-2007 09:38 AM
Please post output of
'sh run access-group'
07-20-2007 09:42 AM
Hi
Which access-list is applied to your inside interface
inside
or
inside1.
If it is inside it won't work as you have a "permit ip any any" before your deny. You need to use inside1.
HTH
Jon
07-20-2007 09:57 AM
shirwaziri1,
If you look at your access list I believe that you are using access-list inside. Now look at the statements:
access-list inside deny ip any host 211.234.104.232 (hitcnt=0)
access-list inside permit ip any any (hitcnt=2696140)
access-list inside deny ip any host 219.150.167.162 (hitcnt=0)
access-list inside deny ip any 64.236.98.0 255.255.255.0 (hitcnt=0)
Cisco access lists are evaluated in order. First you deny 211.234.104.232 and then you permit all IP traffic (look at the count). That is why you are not blocking 64.236.98.0/24.
If you recreate the access-list with permit IP any any on end, it will work.
Good luck.
07-20-2007 12:16 PM
Yes access list order is the problem here. Move the 'permit ip any any' entry to the last as below.
access-list inside deny ip any host 211.234.104.232
access-list inside deny ip any host 219.150.167.162
access-list inside deny ip any 64.236.98.0 255.255.255.0
access-list inside permit ip any any
HTH
Sundar
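To make the first-match behaviour the replies above describe concrete, here is a small Python emulator (added here as an example; it is not part of the thread and not Cisco code). It parses the PIX-style ACL lines posted in the thread (netmask notation, `host`, `any`), finds the first matching entry for a packet, flags entries that can never be hit because an earlier entry already covers them (the reason the `deny ... 64.236.98.0` line shows `hitcnt=0`), and produces the reordered list with `permit ip any any` last. Port qualifiers such as `eq smtp` are parsed past but ignored, an assumption made to keep the example short.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the "inside" ACL exactly as posted in the thread, original order.
INSIDE_ACL = """
access-list inside deny ip any host 211.234.104.232
access-list inside permit ip any any
access-list inside deny ip any host 219.150.167.162
access-list inside deny ip any 64.236.98.0 255.255.255.0
""".strip().splitlines()


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def _parse_addr(tokens, i):
    """Consume one PIX-style address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
    PIX/ASA access-lists use a real netmask here, not an IOS wildcard mask."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """access-list <name> <permit|deny> <proto> <src> <dst> [eq <port>] -> Ace (ports ignored)."""
    t = line.split()
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    return Ace(name, action, proto, src, dst, line)


def first_match(aces, src_ip, dst_ip, proto="ip"):
    """Emulate first-match evaluation: return (index, ace) of the first entry that
    matches the packet, or None for the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            return idx, ace
    return None


def shadowed(aces):
    """Indices of entries that can never be hit: an earlier entry already matches
    every packet they could match. These are the lines that stay at hitcnt=0."""
    out = []
    for idx, ace in enumerate(aces):
        for earlier in aces[:idx]:
            if (earlier.proto in ("ip", ace.proto)
                    and ace.src.subnet_of(earlier.src)
                    and ace.dst.subnet_of(earlier.dst)):
                out.append(idx)
                break
    return out


def permit_any_last(aces):
    """Copy of the list with every 'permit ip any any' moved to the end; the
    relative order of all other entries is preserved."""
    catch_all = [a for a in aces
                 if a.action == "permit" and a.proto == "ip"
                 and a.src.prefixlen == 0 and a.dst.prefixlen == 0]
    rest = [a for a in aces if a not in catch_all]
    return rest + catch_all


if __name__ == "__main__":
    aces = [parse_ace(l) for l in INSIDE_ACL]
    print("shadowed (never hit):", [aces[i].text for i in shadowed(aces)])
    print("original order, packet to 64.236.98.5 ->", first_match(aces, "192.168.1.50", "64.236.98.5")[1].action)
    fixed = permit_any_last(aces)
    print("reordered, packet to 64.236.98.5 ->", first_match(fixed, "192.168.1.50", "64.236.98.5")[1].action)
    print("\n".join(a.text for a in fixed))
```

Running it shows the posted list permitting a packet to 64.236.98.5 at entry 2 and reporting entries 3 and 4 as shadowed, while the reordered list denies it at the `64.236.98.0 255.255.255.0` entry. The `shadowed()` check is the useful part in day-to-day review: any deny that sits below a broader permit is dead configuration, and a zero hit count after real traffic has flowed is the symptom to look for.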
07-20-2007 12:22 PM
I apologize, the access-group is for inside1. The access list is working. But if I want to add any future access-list entries, how do I apply them so they will be in front of "access-list inside1 permit ip any any"?
access-list line 26 ......... (does not work)
07-20-2007 01:30 PM
An access-list can only be taken out as a whole thing. So if you issue:
no access-list inside1 it will remove the whole access-list.
The simple solution is to copy the old one to the clipboard, rearrange it, and then put it back in:
access-list inside1 deny ip host 192.168.0.x host 192.168.10.x
access-list inside1 deny ip 192.169.0.x 255.255.255.0
access-list inside1 permit ip any any
no access-list inside1
and paste in the good one:
access-list inside1 deny ip host 192.168.0.x host 192.168.10.x
access-list inside1 deny ip 192.169.0.x 255.255.255.0
access-list inside1 deny ip 210.20.2.2 255.255.255.0
access-list inside1 permit ip any any
07-21-2007 03:11 AM
Line 2 of access-list inside masks all other lines. You need to put what you now have on line 2 after you have issued all your deny statements.