Cisco Support Community
ACL help: Reducing an IP's access to nothing

We have someone at a remote facility who keeps attaching his Mac to the network and it spews out several gigs of data some mornings to Mac.com.

I wanted to review if what I was doing would more or less work, though it may not be very elegant.

Basically I assign him a static DHCP lease and then I do the following:

On our ASA5520 that firewalls all internet traffic I made the following entry:

access-list inside_acl extended deny ip host 192.168.133.44 any

Also, for kicks I did the following on their MPLS router's fast ethernet interface that connects to the switch:

ip access-list extended blockmac
 deny ip host 192.168.133.44 any
 permit ip any any
!
interface FastEthernet0/0
 ip access-group blockmac out

I don't see any hits when I do a "show access-list" for that ACL though so it makes me wonder.

Thank you for any help.

Accepted Solution

Re: ACL help: Reducing an IP's access to nothing

I'm assuming that the ASA does NAT, so your internet router should never see the private address. The ACL looks OK for the ASA; you just have to make sure it's high enough to actually take effect. Remember that ACLs are read from the top down, so if you allow HTTP above that deny rule, he will still be able to do HTTP!

HTH and please rate.

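The two points this thread turns on, first-match ordering and the direction an ACL is applied in, can be checked offline with a toy evaluator. The following is an added example written for this page; it is not Cisco code and not the poster's or the answerer's configuration. It parses only the access-control entry syntax that appears above (permit/deny, ip/tcp/udp, any, host, network plus wildcard mask, optional eq PORT), models a single router interface facing the 192.168.133.0/24 LAN (an assumption; the thread never states the subnet mask), and uses a constructed server address from the documentation range in place of Mac.com. The interface model is deliberately simplified: an ACL applied "in" sees packets arriving from the LAN, one applied "out" sees packets the router forwards toward the LAN.

```python
"""Toy first-match ACL evaluator (added example, not Cisco code).

Models two properties of IOS/ASA extended ACLs:
  1. Entries are evaluated top-down; the first match wins, and an
     implicit deny follows the last entry.
  2. An ACL applied "in" on an interface sees packets entering the router
     through that interface; applied "out" it sees packets leaving through it.
Supported ACE syntax (the subset used in the thread):
  <permit|deny> <ip|tcp|udp> <any|host A|A WILDCARD> <any|host B|B WILDCARD> [eq PORT]
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(toks):
    """Consume one address spec from toks; return (matcher, remaining tokens)."""
    if toks[0] == "any":
        return (lambda a: True), toks[1:]
    if toks[0] == "host":
        want = int(ip_address(toks[1]))
        return (lambda a, w=want: a == w), toks[2:]
    # Network with an IOS wildcard mask: bits set in the wildcard are "don't care".
    net, wc = int(ip_address(toks[0])), int(ip_address(toks[1]))
    care = ~wc & 0xFFFFFFFF
    return (lambda a, n=net & care, c=care: (a & c) == n), toks[2:]


def parse_ace(line):
    """Parse one access-control entry into (action, proto, src_fn, dst_fn, dport)."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    src_fn, rest = _parse_addr(rest)
    dst_fn, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src_fn, dst_fn, dport


def evaluate(acl_lines, pkt):
    """First match wins. Returns (action, index); index None is the implicit deny."""
    for i, line in enumerate(acl_lines):
        action, proto, src_fn, dst_fn, dport = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if src_fn(int(ip_address(pkt.src))) and dst_fn(int(ip_address(pkt.dst))):
            return action, i
    return "deny", None


def seen_by_interface(pkts, direction, lan_net):
    """Simplified two-sided router (assumption): the interface facing lan_net
    sees a packet 'in' when it arrives from the LAN (src in lan_net) and
    'out' when the router forwards it toward the LAN (dst in lan_net)."""
    net = ip_network(lan_net)
    if direction == "in":
        return [p for p in pkts if ip_address(p.src) in net]
    if direction == "out":
        return [p for p in pkts if ip_address(p.dst) in net]
    raise ValueError(direction)


def hit_counts(acl_lines, pkts):
    """Per-entry match counts, like the matches column of 'show access-list'."""
    counts = [0] * len(acl_lines)
    for p in pkts:
        _, idx = evaluate(acl_lines, p)
        if idx is not None:
            counts[idx] += 1
    return counts


# Constructed sample traffic: the Mac uploading over HTTPS to a stand-in
# server (documentation range, not a real Mac.com address), and the reply.
MAC = "192.168.133.44"
SERVER = "198.51.100.10"          # constructed, not a real destination
UPLOAD = Packet("tcp", MAC, SERVER, 443)
REPLY = Packet("tcp", SERVER, MAC, 51000)

BLOCKMAC = ["deny ip host 192.168.133.44 any", "permit ip any any"]

if __name__ == "__main__":
    # Ordering: a broad permit placed above the deny shadows it.
    deny_first = ["deny ip host 192.168.133.44 any", "permit tcp any any eq 443", "permit ip any any"]
    permit_first = ["permit tcp any any eq 443", "deny ip host 192.168.133.44 any", "permit ip any any"]
    print("deny first  :", evaluate(deny_first, UPLOAD))
    print("permit first:", evaluate(permit_first, UPLOAD))
    # Direction: applied 'out' on the LAN-facing interface, the deny sees only replies.
    for d in ("in", "out"):
        seen = seen_by_interface([UPLOAD, REPLY], d, "192.168.133.0/24")
        print(f"blockmac {d:<3}:", hit_counts(BLOCKMAC, seen))
```

Running it shows the deny matching the upload only when it sits above any broader permit, and the blockmac entry counting hits only when the ACL is applied in the direction the Mac's own packets travel through the interface; the implicit deny at the end is reported with index None rather than as a numbered entry, matching how a real ACL has no visible line for it.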
