Access-list: block www in cisco2610

By sphynx
Hello,
I have a Cisco 2610 and I want to block all IP addresses from accessing the internet and permit only 5 IP addresses to access the internet.

Scenario: block the whole class C range
192.168.10.1 to 255
and permit only the following IPs to access the internet: 192.168.10.5, 192.168.10.11, 192.168.10.16, 192.168.10.50, 192.168.10.111


Initially my configuration is as follows, but it seems not right. Can anybody decode this?

!
access-list 112 permit tcp host 192.168.10.5 any eq www
!
access-list 112 permit tcp host 192.168.10.11 any eq www
access-list 112 permit tcp host 192.168.10.16 any eq www
.....
!
int s0/1
ip address 192.168.2.2 255.255.255.252
ip access-group 112 out
!

Anybody, please help.

-Sphynx.

This conversation is currently closed to new comments.


by Alpha-Male In reply to Access-list: block www in ...

I think the syntax is:

access-list 112 permit tcp any host 192.168.10.5 eq 80 (or www if you use http on other ports)
access-list 112 permit tcp any host 192.168.10.11 eq 80
access-list 112 permit tcp any host 192.168.10.16 eq 80
access-list 112 permit tcp any host 192.168.10.50 eq 80
access-list 112 permit tcp any host 192.168.10.111 eq 80

After this, there should be an implicit deny all, but you can always enter it if you wish.

This should work...but if you're still having trouble give some more details and I'll try to help further.


by Alpha-Male In reply to Access-list: block www in ...

Actually I got it backwards there (just took a look at my router)...

the any comes after the host and IP (for destination) like you had it.


by Alpha-Male In reply to Access-list: block www in ...

You may need to break this down further if you are having trouble accessing other services.

Perhaps add the following:

access-list 112 deny tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 112 permit ip any any

This would allow other services to access resources before the implicit deny all.


by sphynx In reply to Access-list: block www in ...

Hello Alpha,
It didn't work; maybe I can explain it more. The 5 IP addresses are workstations that I want to have access to the internet. Or rather, the 5 addresses should route out my serial0 (the one pointing to the ISP), which has an IP address of 192.168.2.2, subnet 255.255.255.252.


by mshavrov In reply to Access-list: block www in ...

Maybe not a 100% solution... Just comments:

1. Why don't you use "named access-lists"? It's easier to manage:

ip access-list extended blockwww
permit tcp 192.168.10.5 0.0.0.0 any eq www
. . .
deny tcp any any eq www
permit ip any any

2. You can look at the access-list and you will see how many times each entry was hit. Create additional entries, for example, for your test machine, try to access a web page and then check "show access-list blockwww" to see whether your requests were caught by the access-list.

3. If you want to monitor people who try to access the Internet, add the "log" keyword to the "deny" line (something like "deny tcp any any eq www log"). After some time you can see in the log who tried to go to the Internet.

4. If you apply this access-list to your "inside" interface as an "inbound" access-list, you will save the router's memory and CPU, because these packets will be dropped "at the entrance door".

Something like:

interface FastEthernet 0
 ip access-group blockwww in

Good luck.


by sphynx In reply to Access-list: block www in ...

I will do the named list; it just so happens that I want to make this work first before doing it.
After I apply the configuration, all users can't access the internet. Any more ideas why?


by jbelcher In reply to Access-list: block www in ...

This is based on the assumption that all computers can currently access the internet (i.e. IP routing is configured properly and routing all Internet traffic to the ISP).

How about a slightly simplified approach: Permit IP traffic to only the desired hosts, deny all traffic to everyone else (traffic passing through Serial0/1 anyway)

Something like this:

!
! Standard IP access list to control access out to the Internet
!
access-list 12 permit host 192.168.10.5
access-list 12 permit host 192.168.10.11
access-list 12 permit host 192.168.10.16
access-list 12 permit host 192.168.10.50
access-list 12 permit host 192.168.10.111
! optional: log all internal hosts attempting to access the Internet
access-list 12 deny any log
!
! Extended IP access list to control Internet traffic to internal hosts
!
access-list 112 permit ip any host 192.168.10.5
access-list 112 permit ip any host 192.168.10.11
access-list 112 permit ip any host 192.168.10.16
access-list 112 permit ip any host 192.168.10.50
access-list 112 permit ip any host 192.168.10.111
! optional: log all traffic not specified above
access-list 112 deny ip any any log
!
int s0/1
ip address 192.168.2.2 255.255.255.252
ip access-group 12 out
ip access-group 112 in
!

Assuming there are no access lists numbered 12 or 112 already in use, be sure to do a "no access-list 12" and "no access-list 112" first to clear any other entries that may be there (obviously don't do this if those numbers are already used).
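To make the behaviour of the lists posted in this thread concrete, here is an added example (editor's code, not from any poster): a small first-match evaluator for Cisco-style ACL entries that handles `host`, `any` and wildcard-mask addresses, the `eq` port keyword, numbered standard and extended syntax as well as named-list syntax, the implicit `deny ip any any`, and a per-entry hit counter in the spirit of `show access-list`. It is fed the original outbound list 112 (extended to all five hosts from the question), mshavrov's `blockwww` list and jbelcher's standard list 12, and runs constructed packets through each. The addresses 203.0.113.10 and 203.0.113.53 are documentation-range stand-ins for an Internet web server and the ISP's resolver; 192.168.10.7 is a constructed non-permitted workstation.

```python
"""Added example: first-match evaluator for the Cisco-style ACLs in this thread.
Sample addresses are constructed; 203.0.113.0/24 (documentation space) plays 'the Internet'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port
    log: bool
    text: str
    hits: int = 0


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Wildcard bits are the inverse of a netmask: 0 = must match, 1 = don't care.
    mask = (~int(ipaddress.ip_address(tokens[1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{tokens[0]}/{ipaddress.ip_address(mask)}", strict=False)
    return net, tokens[2:]


def parse_ace(line):
    """Parse one entry in numbered standard, numbered extended, or named-ACL syntax."""
    tokens = line.split("!")[0].split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                      # drop 'access-list <number>'
    action, tokens = tokens[0], tokens[1:]
    if tokens[0] in ("ip", "tcp", "udp"):        # extended: proto src dst [eq port] [log]
        proto, tokens = tokens[0], tokens[1:]
        src, tokens = _addr(tokens)
        dst, tokens = _addr(tokens)
    else:                                        # standard: source address only
        proto, dst = "ip", ANY
        src, tokens = _addr(tokens)
    dport = None
    if tokens[:1] == ["eq"]:
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        tokens = tokens[2:]
    return Ace(action, proto, src, dst, dport, "log" in tokens, line.strip())


class Acl:
    def __init__(self, name, lines):
        self.name = name
        self.aces = [parse_ace(l) for l in lines if l.strip() and not l.lstrip().startswith("!")]
        self.implicit_denies = 0

    def check(self, src, dst, proto="ip", dport=None):
        """Evaluate one packet top-down; unmatched packets hit the implicit 'deny ip any any'."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.aces:
            if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            ace.hits += 1
            return ace.action
        self.implicit_denies += 1
        return "deny"

    def show(self):
        """Roughly what 'show access-list' reports: each entry with its match count."""
        return [f"{a.text} ({a.hits} matches)" for a in self.aces]


ALLOWED = ["192.168.10.5", "192.168.10.11", "192.168.10.16", "192.168.10.50", "192.168.10.111"]
WEB, DNS = "203.0.113.10", "203.0.113.53"       # constructed Internet web server and resolver

# The original list 112 ('out' on s0/1): TCP/80 from the five hosts and nothing else.
ORIGINAL_112 = [f"access-list 112 permit tcp host {h} any eq www" for h in ALLOWED]
# mshavrov's named list: block only www for everyone else, pass other traffic.
BLOCKWWW = [f"permit tcp {h} 0.0.0.0 any eq www" for h in ALLOWED] + [
    "deny tcp any any eq www log", "permit ip any any"]
# jbelcher's standard list 12 ('out' on s0/1): the five hosts get everything, others nothing.
JBELCHER_12 = [f"access-list 12 permit host {h}" for h in ALLOWED] + ["access-list 12 deny any log"]


def outbound_results(acl):
    """Packets as an 'out' list on s0/1 sees them: source is the LAN host, destination the Internet."""
    return {
        "allowed_http": acl.check("192.168.10.5", WEB, "tcp", 80),
        "allowed_dns": acl.check("192.168.10.5", DNS, "udp", 53),
        "other_http": acl.check("192.168.10.7", WEB, "tcp", 80),
        "other_ssh": acl.check("192.168.10.7", WEB, "tcp", 22),
    }


if __name__ == "__main__":
    for name, lines in (("112-original", ORIGINAL_112), ("blockwww", BLOCKWWW), ("12", JBELCHER_12)):
        acl = Acl(name, lines)
        print(name, outbound_results(acl))
        print("\n".join(acl.show()), f"\n  implicit denies: {acl.implicit_denies}")
```

Running it shows the difference between the three approaches: the original list 112 permits the HTTP request from 192.168.10.5 but drops that same host's DNS query (and everything else) on the implicit deny, because nothing except TCP/80 is listed; `blockwww` permits the DNS query and the other host's SSH session and only denies the other host's web request (the `log` entry is the one that gets the hit); list 12 permits everything from the five hosts and nothing from anyone else. The evaluator ignores source ports, `established`, ICMP and fragments, so treat it as a way to reason about match order, not as a router. Two caveats the thread does not mention: on IOS the output ACL on the serial interface is evaluated after inside-to-outside NAT, so if the 2610 also does NAT, an `out` list matching 192.168.10.x sources will never match, whereas an `in` list on the LAN interface (mshavrov's point 4) sees the pre-translation addresses; and jbelcher's inbound list 112 (`permit ip any host 192.168.10.5`) permits any unsolicited Internet traffic to those five hosts, which `Acl("112", [...]).check("203.0.113.10", "192.168.10.5", "tcp", 445)` would confirm returns `"permit"`.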


by sphynx In reply to Access-list: block www in ...

by sphynx In reply to Access-list: block www in ...

This question was closed by the author
