Cisco Support Community
Community Member

access list

I don't want to have internet access for my network, but there are some machines on which I need to have internet access only for Windows auto updates and antivirus McAfee auto updates.

Can I limit this access through an access list on a router, if yes then how?

4 REPLIES
Purple

Re: access list

Yes, you can. I would probably configure an inbound access-list on the router interface towards your LAN which allows those IP addresses to get out to the Internet but blocks everything else.

Post more details/router configs if you want more details...

Pls do remember to rate posts.

Paresh

Community Member

Re: access list

Paresh

The config is attached. Currently we have only a GRE tunnel configured on it; once we have the access list I will configure NAT for internet access. I would appreciate it if you could suggest an access list with particular port numbers for Windows Update and McAfee updates; the rest of the traffic should be denied.

router#sh run
Building configuration...

Current configuration : 1621 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
interface Tunnel0
 ip address 10.34.0.2 255.255.255.252
 tunnel source x.x.x.194
 tunnel destination y.y.y.115
!
interface FastEthernet0/0
 ip address x.x.x.194 255.255.255.224
 speed 100
 full-duplex
!
interface FastEthernet1/0
 ip address 10.10.118.1 255.255.0.0
 speed 100
 full-duplex
!
interface Serial1/0
 no ip address
 shutdown
 clockrate 2000000
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/1
 no ip address
 shutdown
 clockrate 2000000
!
router rip
 version 2
 passive-interface default
 no passive-interface Tunnel0
 network 1.0.0.0
 network 10.0.0.0
 neighbor y.y.y.115
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.193
ip http server
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password xxxx
 login
 speed 115200
line aux 0
line vty 0 4
 password xxxxx
 login
!
end

router#

Community Member

Re: access list

Hi Paresh,

I was pondering this issue some time ago.

In his case, he wants to limit Internet access to a group of machines, for Windows Updates and McAfee Antivirus Updates only.

Because the IP addresses of these servers may change, though the FQDNs don't, how do we go about configuring the ACL?

access-list 100 permit tcp host any eq ?

Please advise.

Thank you.

B.Rgds,

Lim TS

Re: access list

Hello,

you could use NBAR to match HTTP URLs assuming the McAfee updates use HTTP. Microsoft updates should be no problem.

It could look like this (untested though, as I have no router available right now):

! Traffic from the permitted clients (ACL 100) to Microsoft URLs
class-map match-all MS
 match access-group 100
 match protocol http url "*.microsoft.com"
!
! Traffic from the permitted clients (ACL 100) to McAfee URLs
class-map match-all McAfee
 match access-group 100
 match protocol http url "*.mcafee.com"
!
! Everything else entering the interface that was not classified above
class-map match-any restrict
 match not class-map MS
 match not class-map McAfee
!
! Classes are evaluated in order: MS and McAfee carry no action, so that
! traffic is forwarded normally; the catch-all class is dropped
policy-map MyMap
 class MS
 class McAfee
 class restrict
  drop
!
! Apply inbound on the LAN-facing interface
interface Ethernet0/0
 service-policy input MyMap
!
! One line per machine that may update; replace <client-ip> with its address
access-list 100 permit ip host <client-ip> any

Hope this helps! Please rate all posts.

Regards, Martin
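As an added worked example (not code from any of the posters), the script below takes the ACL route Paresh described and addresses Lim TS's point that the update servers' addresses change while their names don't: it resolves the names at generation time and emits the extended ACL lines, with an explicit permit for the internal networks so the GRE tunnel keeps working. The LAN (10.10.0.0/16 on FastEthernet1/0) and the 10.0.0.0 tunnel network come from the posted config; the client address, the vendor FQDNs and the resolved addresses are constructed placeholders.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed sample input: the LAN and the networks reached over Tunnel0 come from
# the posted config; the vendor names and their addresses below are made up.
SAMPLE_DNS: Dict[str, List[str]] = {
    "update.example-vendor.test": ["203.0.113.11", "203.0.113.10"],
    "av-update.example-vendor.test": ["198.51.100.20"],
}


def table_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Offline stand-in for DNS so the example runs anywhere; wrap
    socket.getaddrinfo() here when generating a real ACL."""
    return lambda fqdn: table.get(fqdn, [])


def wildcard(cidr: str) -> str:
    """Cisco ACLs use inverse masks: 10.0.0.0/8 -> '10.0.0.0 0.255.255.255'."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def build_acl(acl: int, clients: Iterable[str], fqdns: Iterable[str],
              resolve: Callable[[str], List[str]], internal: Iterable[str] = (),
              ports: Iterable[int] = (80, 443)) -> List[str]:
    """Extended ACL for 'ip access-group <acl> in' on the LAN interface: internal
    networks (the far side of the GRE tunnel) stay reachable for everyone, the
    listed clients may reach the resolved update servers on the given TCP ports,
    and everything else is denied and logged. Lines are returned in the order
    they must be entered, since the first matching entry wins."""
    clients = [str(ipaddress.ip_address(c)) for c in clients]  # reject typos early
    lines = [f"access-list {acl} remark internal/tunnel networks stay reachable"]
    for net in internal:
        lines.append(f"access-list {acl} permit ip any {wildcard(net)}")
    for fqdn in fqdns:
        addrs = sorted({str(ipaddress.ip_address(a)) for a in resolve(fqdn)})
        if not addrs:  # never fall back to 'any' because a name did not resolve
            raise ValueError(f"{fqdn} resolved to nothing; refusing to emit a permit")
        lines.append(f"access-list {acl} remark {fqdn} (DNS snapshot; regenerate regularly)")
        for client in clients:
            for addr in addrs:
                for port in ports:
                    lines.append(f"access-list {acl} permit tcp host {client} host {addr} eq {port}")
    lines.append(f"access-list {acl} deny ip any any log")
    return lines


def apply_stanza(acl: int, interface: str = "FastEthernet1/0") -> List[str]:
    """Interface commands that attach the ACL inbound on the LAN side."""
    return [f"interface {interface}", f" ip access-group {acl} in"]
```

The clients still have to resolve the vendor names themselves: if the DNS server sits inside one of the internal networks that is already covered, otherwise a permit for UDP port 53 to that server has to be added before the final deny. Because the resolved addresses are only a snapshot, regenerate the list on a schedule, which is the limitation Martin's NBAR URL matching avoids for plain HTTP.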
