New Member

Restricting some of my internal hosts from accessing the internet

I will be glad if you can help me to compose an access list to block some addresses in my LAN (172.16.0.0/24). I want 172.16.0.1-172.16.0.65 to browse the internet and exclude all other addresses.

8 REPLIES
Green

Re: Restricting some of my internal hosts from accessing the internet

What device? Assuming ASA... I only did www, but you can add https etc., or do ip instead of tcp, etc.

access-list inside remark ASA ACLs use subnet masks: 255.255.255.192 (/26) covers 172.16.0.0-172.16.0.63
access-list inside extended permit tcp 172.16.0.0 255.255.255.192 any eq www
access-list inside extended permit tcp host 172.16.0.64 any eq www
access-list inside extended permit tcp host 172.16.0.65 any eq www
access-list inside extended deny tcp any any eq www
access-list inside remark the list ends with the ASA implicit deny, so any other traffic the allowed hosts need (e.g. DNS) must be permitted explicitly
access-group inside in interface inside

New Member

Re: Restricting some of my internal hosts from accessing the internet

Thanks for the kind reply. I still can't get it working! My router is a 2821. Please find attached a copy of my ''show run'' and analyse this for me. Thanks once again for your time.

Re: Restricting some of my internal hosts from accessing the internet

You don't have your access-list applied to an interface.

Create your access-list and apply like this:

ip access-list extended BLOCKWWW
 remark IOS ACLs use wildcard masks, not subnet masks: 0.0.0.63 covers 172.16.0.0-172.16.0.63
 permit tcp 172.16.0.0 0.0.0.63 any eq www
 permit tcp host 172.16.0.64 any eq www
 permit tcp host 172.16.0.65 any eq www
 remark everyone else is blocked from the web; all other traffic still passes
 deny tcp any any eq www
 permit ip any any
!
! apply inbound on the LAN-facing interface (g0/0 assumed here)
interface GigabitEthernet0/0
 ip access-group BLOCKWWW in

This will only allow traffic to the web for the hosts you specified. It will allow everything else out.

HTH,

John

HTH, John *** Please rate all useful posts ***
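As an added example (not part of this thread), a small Python model of IOS extended-ACL matching that checks which hosts in 172.16.0.0/24 the BLOCKWWW list above lets out to TCP/80, and shows why an IOS entry needs the wildcard 0.0.0.63 rather than the subnet mask 255.255.255.192. The ACL tuples and the LAN range are constructed from the thread; everything else is assumed.

```python
import ipaddress

# Added example, not from the thread. Models IOS extended-ACL evaluation:
# first matching entry wins, and an implicit 'deny ip any any' closes the list.
# Entry tuple: (action, protocol, source, wildcard, destination port or None)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit means 'don't care', a 0 bit must match.
    (An ASA subnet mask is the opposite: 1 bits must match.)"""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def evaluate(acl, src: str, proto: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a flow from src to any destination."""
    for action, p, base, wc, port in acl:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if wildcard_match(src, base, wc):
            return action
    return "deny"   # implicit deny at the end of every IOS ACL

# The BLOCKWWW list from the thread, written as IOS wildcard entries
BLOCKWWW = [
    ("permit", "tcp", "172.16.0.0",  "0.0.0.63",        80),   # 172.16.0.0-.63 (/26)
    ("permit", "tcp", "172.16.0.64", "0.0.0.0",         80),   # host .64
    ("permit", "tcp", "172.16.0.65", "0.0.0.0",         80),   # host .65
    ("deny",   "tcp", "0.0.0.0",     "255.255.255.255", 80),   # nobody else to the web
    ("permit", "ip",  "0.0.0.0",     "255.255.255.255", None), # all other traffic
]

def web_allowed_hosts(acl, lan: str = "172.16.0.0/24"):
    """All addresses in the LAN that the ACL lets out to TCP/80."""
    return [str(h) for h in ipaddress.ip_network(lan)
            if evaluate(acl, str(h), "tcp", 80) == "permit"]

if __name__ == "__main__":
    hosts = web_allowed_hosts(BLOCKWWW)
    print(len(hosts), "hosts may browse:", hosts[0], "...", hosts[-1])
    # A subnet mask typed as an IOS wildcard does not cover .1-.63:
    print(wildcard_match("172.16.0.1", "172.16.0.0", "255.255.255.192"))
```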
New Member

Re: Restricting some of my internal hosts from accessing the internet

Thanks so much, John. The named ACL works perfectly for my network. I really appreciate your effort. God bless.

Re: Restricting some of my internal hosts from accessing the internet

Since your acl would have to be split because of the range that you need to give, you could put all 64 addresses in an object group and then allow just that object group to the internet:

object-group network WEB
 network-object 172.16.0.0 255.255.255.192
 network-object host 172.16.0.64
 network-object host 172.16.0.65

access-list WEB remark the /26 already covers 172.16.0.0-172.16.0.63; only .64 and .65 need host entries
access-list WEB extended permit tcp object-group WEB any eq www
access-list WEB remark everything not permitted above hits the implicit deny
access-group WEB in interface inside

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: Restricting some of my internal hosts from accessing the internet

Thanks for your reply. Please, how do I insert the command: object-group network WEB? Thanks for your kind reply.

Re: Restricting some of my internal hosts from accessing the internet

I gave you a config for an ASA. Object groups don't exist under routers that I'm aware of =)

John

HTH, John *** Please rate all useful posts ***
Hall of Fame Super Blue

Re: Restricting some of my internal hosts from accessing the internet

John

Just for your info, object-groups are now supported on IOS with a minimum of 12.4(20)T.

I haven't tried them out though, so I'm not sure how close they are to ASA/PIX object-groups.

Jon
