02-27-2003 08:10 PM - edited 03-02-2019 05:28 AM
Hi,
Is there anybody here who can help me with the syntax of the access-list command?
How can I block a certain workstation using KAZAA (using the access-list command)?
Thanks.
02-27-2003 08:22 PM
Well first you need to determine the IP address of the KAZAA site your user is going to (ip accounting might work for this if you want or you might already know). You can also use nslookup to determine Kazaa sites, which I am sure there are a few. I got the following list setting type=A.
Name: kazaa.com
Addresses: 217.116.226.13, 217.116.224.67, 217.116.224.68, 217.116.224.69, 217.116.224.70, 217.116.226.11, 217.116.226.12
You'd need to determine the exact host though.. could be something else.
Syntax for access-list
access-list 101 deny any host
access-list 101 deny any host
etc..
access-list 101 permit any any
Then you can go to where this user is connected if you want to do an inbound or to where your uplink to the Internet is for outbound and do the following under the interface config...
ip access-group 101 out ( for outbound.. "in" for inbound)
Also you can append the "log" keyword at the end of each ACL line to see in the router/syslog logs when someone is trying to go to Kazaa.
Hope this helps you,
Don
02-28-2003 12:21 AM
Thanks for the help, Don. I'll try to do this as soon as I get to the site.
I'll give you feedback.
mhel
03-03-2003 03:29 PM
Don't forget to add the "protocol" after the deny/permit statement for an extended ACL.
Bruce Davis, CCNA since 2003
04-05-2003 12:19 AM
Hi,
Actually I have an existing access-list:
access-list 2 permit x.x.x.x 0.0.0.255
access-list 2 deny any
This is for my users to access the net. I tried to add the deny command for all hosts of KAZAA using the standard access-list (which is also 2) and add the ip access-group to s0/e0. The result is that all my WS can't access the net. You can check my existing config (partial only).
interface Ethernet0
ip address x.x.x.x 255.255.255.x secondary
ip address x.x.x.x 255.255.0.0
ip access-group 2 in
ip nat inside
ip route-cache same-interface
ip route-cache policy
ip route-cache flow
!
interface Serial0
description 64l link to X
ip address x.x.x.x 255.255.255.x
ip access-group 2 out
ip nat outside
encapsulation ppp
no fair-queue
!
interface Serial1
no ip address
shutdown
!
interface Group-Async1
description connected to remote sites
ip unnumbered Ethernet0
encapsulation ppp
ip tcp header-compression passive
async mode interactive
peer default ip address pool x-group-1
no cdp enable
ppp authentication chap
group-range 1 8
!
ip local pool x-group-1 x.x.x.x x.x.x.x
ip nat pool mypool x.x.x.x x.x.x.x netmask 255.255.255.x
ip nat inside source list 2 pool mypool overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 2 deny 217.116.224.69
access-list 2 deny 217.116.224.68
access-list 2 deny 217.116.224.70
access-list 2 deny 217.116.224.67
access-list 2 deny 217.116.226.13
access-list 2 deny 217.116.226.12
access-list 2 deny 217.116.226.11
access-list 2 permit (private ip) 0.0.0.255
access-list 2 deny any
Thanks in advance
mhel
04-05-2003 05:59 AM
Hi mhel,
As I see it, your config will not work to block Kazaa. Your standard access list is not suited for this situation. As you probably know, standard access lists care about the source addresses only, and you have this access list outbound on s0.
If you want to solve your problem with standard access lists, you have to bind your access list as an inbound one on your WAN connection, and you should also add the statement "permit any any" at the end of the access list to allow any traffic not from a Kazaa source.
In this regard, it is not needed to bind any access list on your e0.
Best Regards
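
An added example, not part of any post in this thread: a small Python model of first-match ACL evaluation, showing why the source-only deny lines in standard list 2 do not stop a workstation from reaching the Kazaa addresses, while an extended list or a source-matching list on inbound WAN traffic does. The workstation address 192.168.1.25, the LAN 192.168.1.0/24 and the destination 198.51.100.10 are constructed stand-ins for the masked values in the posted config.

```python
from ipaddress import IPv4Address as IP

# Kazaa addresses quoted in the thread.
KAZAA = ["217.116.224.67", "217.116.224.68", "217.116.224.69", "217.116.224.70",
         "217.116.226.11", "217.116.226.12", "217.116.226.13"]

ANY = ("0.0.0.0", "255.255.255.255")       # matches every address
LAN = ("192.168.1.0", "0.0.0.255")         # constructed stand-in for "(private ip) 0.0.0.255"

def host(addr):
    """Spec that matches exactly one address (wildcard 0.0.0.0)."""
    return (addr, "0.0.0.0")

def match(addr, base, wildcard):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    care = ~int(IP(wildcard)) & 0xFFFFFFFF
    return (int(IP(addr)) & care) == (int(IP(base)) & care)

def evaluate(acl, src, dst):
    """Return the action of the first matching entry; implicit deny at the end."""
    for action, src_spec, dst_spec in acl:
        if match(src, *src_spec) and match(dst, *dst_spec):
            return action
    return "deny"

# Standard list 2 as posted: only the source is tested, so destination is ANY.
acl_2 = ([("deny", host(h), ANY) for h in KAZAA]
         + [("permit", LAN, ANY), ("deny", ANY, ANY)])

# Extended list 101 with the protocol slot filled as "ip":
# deny ip any host <kazaa> ... permit ip any any
acl_101 = [("deny", ANY, host(h)) for h in KAZAA] + [("permit", ANY, ANY)]

# Source-only list for inbound WAN traffic: deny Kazaa sources, permit the rest.
acl_wan_in = [("deny", host(h), ANY) for h in KAZAA] + [("permit", ANY, ANY)]

WS = "192.168.1.25"  # constructed workstation address

if __name__ == "__main__":
    print("list 2, WS -> Kazaa:      ", evaluate(acl_2, WS, KAZAA[0]))
    print("list 101, WS -> Kazaa:    ", evaluate(acl_101, WS, KAZAA[0]))
    print("WAN inbound, Kazaa -> WS: ", evaluate(acl_wan_in, KAZAA[0], WS))
```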