Cisco Support Community
Community Member

How to block IP address from outbound Internet connections.

Greetings,

This sounds simple, but I don't see how to do it.

How can I block an IP address from going outbound to the Internet? Should I use an access-list, conduit, etc.? Excuse my ignorance.

6 REPLIES
Community Member

Re: How to block IP address from outbound Internet connections.

Hi,

You can use an access-list applied on the inside interface to deny the outbound connection.

Or you can use a shun command for blocking an IP in all directions (PIX OS 6.0 or later).

Graz.

Community Member

Re: How to block IP address from outbound Internet connections.

The idea is to use an access-list to block outgoing traffic and to bind this access-list to the inside interface. In the following example I allow users to use their browsers, i.e. port 80, but also to browse websites using SSL (port 443). All other traffic (e.g. telnet, FTP) is blocked.

access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list user_punishment deny ip any any
access-group user_punishment in interface inside

The 3rd item in the access-list is not needed, but it helps in understanding the process.

Best regards

Goran

Community Member

Re: How to block IP address from outbound Internet connections.

Thanks for the help. I didn't create the access-group to bind the list to an interface.

One more question ... in your example, when I create the access-group does that only bind acl user_punishment to the inside interface or does it bind all acls to that interface?

Community Member

Re: How to block IP address from outbound Internet connections.

Much easier than building an access-list or conduit is using the icmp command. You can try this.

icmp deny host a.b.c.d interface <--- this can be inside or outside

Bye.

Community Member

Re: How to block IP address from outbound Internet connections.

Wouldn't that just prevent ICMP echo-replies from that PIX interface?

try access-l acl_in deny ip host a.b.c.d any
access-l acl_in permit ip any any
access-g acl_in in interface inside
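
As an added illustration that is not from any poster in this thread, the Python snippet below models how a PIX evaluates the two access-lists quoted above (Goran's user_punishment list and the acl_in list in the reply just before): entries are checked top to bottom, the first match wins, and a flow that matches nothing hits the implicit deny. It assumes 192.168.1.50 as a constructed stand-in for a.b.c.d and uses a small constructed table of PIX service names.

```python
"""First-match evaluator for the PIX-style access-list lines quoted in this thread."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ftp": 21}

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")  # address + dotted netmask

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a tuple."""
    tokens = line.split()
    name, action, proto = tokens[1:4]  # tokens[0] is 'access-list' or 'access-l'
    rest = tokens[4:]
    src, dst = _take_addr(rest), _take_addr(rest)
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return (name, action, proto, src, dst, port)

def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Return the action of the first matching entry; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, action, p, src, dst, port in acl:
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny (implicit)"

# Goran's list: web and SSL out, everything else dropped
USER_PUNISHMENT = [parse_ace(l) for l in (
    "access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq www",
    "access-list user_punishment permit tcp 192.168.1.0 255.255.255.0 any eq 443",
    "access-list user_punishment deny ip any any",
)]
# Single-host block; 192.168.1.50 is a constructed stand-in for the thread's a.b.c.d
ACL_IN = [parse_ace(l) for l in (
    "access-l acl_in deny ip host 192.168.1.50 any",
    "access-l acl_in permit ip any any",
)]
```

Dropping the explicit `deny ip any any` line leaves the result unchanged (the implicit deny catches the flow), while swapping the two acl_in entries lets the blocked host through, which is why the deny must come first.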

Community Member

Re: How to block IP address from outbound Internet connections.

I trust it only binds that particular ACL to the interface.

- Goran
