Re: access list in 2500 series router

mhel · ‎02-27-2003

hi,

anybody here who can help me about syntax in access-list command.

how can i block a certain workstation using KAZAA?(using ccess-list command)

thnx.

donewald · ‎02-27-2003

Well first you need to determine the IP address of the KAZAA site your user is going to (ip accounting might work for this if you want or you might already know). You can also use nslookup to determine Kazaa sites, which I am sure there are a few. I got the following list setting type=A.

Name: kazaa.com

Addresses: 217.116.226.13, 217.116.224.67, 217.116.224.68, 217.116.224.69.217.116.224.70, 217.116.226.11, 217.116.226.12

You'd need to determine the exact host though.. could be something else.

Syntax for access-list

access-list 101 deny any host

etc..

access-list 101 permit any any

Then you can go to where this user is connected if you want to do an inbound or to where your uplink to the interfnet is for outbound and do the following under the interface config...

ip access-group 101 out ( for outbound.. "in" for inbound)

Also you can append the "log" keyword at the end of each ACL to see in the router/ syslog logs when someone is trying to go to kazaa..

Hope this helps you,

Don

mhel · ‎02-28-2003

thanks for the help Don. I'll try to do this as soon as i get to the site.

I'll give you a feedback.

mhel

brucedavis · ‎03-03-2003

Don't forget to add the "protocol" after the deny/permit statement for an extended ACL.

Bruce Davis, CCNA since 2003

mhel · ‎04-05-2003

hi,

actually i have an existing access-list

access-list 2 permit x.x.x.x 0.0.0.255

access-list 2 deny any

this is for my users to access the net. I'll try to add the deny command to all host of KAZAA using the standard access-list (which is also 2) and add the ip access-group to s0/e0 the result is, all my WS cant access the net. you can check my existing config.(partial only

interface Ethernet0

ip address x.x.x.x 255.255.255.x secondary

ip address x.x.x.x 255.255.0.0

ip access-group 2 in

ip nat inside

ip route-cache same-interface

ip route-cache policy

ip route-cache flow

!

interface Serial0

description 64l link to X

ip address x.x.x.x 255.255.255.x

ip access-group 2 out

ip nat outside

encapsulation ppp

no fair-queue

!

interface Serial1

no ip address

shutdown

!

interface Group-Async1

description connected to remote sites

ip unnumbered Ethernet0

encapsulation ppp

ip tcp header-compression passive

async mode interactive

peer default ip address pool x-group-1

no cdp enable

ppp authentication chap

group-range 1 8

!

ip local pool x-group-1 x.x.x.x x.x.x.x

ip nat pool mypool x.x.x.x x.x.x.x netmask 255.255.255.x

ip nat inside source list 2 pool mypool overload

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0

no ip http server

!

access-list 2 deny 217.116.224.69

access-list 2 deny 217.116.224.68

access-list 2 deny 217.116.224.70

access-list 2 deny 217.116.224.67

access-list 2 deny 217.116.226.13

access-list 2 deny 217.116.226.12

access-list 2 deny 217.116.226.11

access-list 2 permit (private ip) 0.0.0.255

access-list 2 deny any

Thanks in advance

mhel

farshid_sh · ‎04-05-2003

Hi mhel

as i see your config in order to block the kazaa

will not work , your standard accesslist

is not suited for this situation, as probably you know

standard accesslists do care about the source addresses only ,and you have this accesslist outbound on s0.

if you want to solve your problem with standard accesslists you got to bind your accesslist as an inbound one on your wan connection and you should add the statment of "permit any any "at the end of the accesslist

in addition to allow any traffic not equal to the source of kazaa

and in this regards it is not needed to bind any accesslist on your e0

Best Regards