Use in instead of out when you apply the access-list to the interface
int vlan1
ip access-group 150 in
I have a network of about 20+ computers with the need to block port 80 traffic on about 5 of them. The 5 computers have static IP addresses in the 192.168.0.x subnet. I have attempted to create an access-list 150 to block 80 on 192.168.0.63 and apply it to Vlan1, but that doesn't seem to work. I don't know if I'm not applying the ACL in the right place or not.
The current router config runs:
NAT translation for internet access connected to Fe4
VPN Server with split tunneling for client users
VPN Point to Point connection to a remote site
Any help would be greatly appreciated!
I made these changes:
config t
access-list 150 remark port 80 block
access-list 150 deny tcp host 192.168.0.63 any eq www
access-list 150 deny tcp host 192.168.0.64 any eq www
access-list 150 deny tcp host 192.168.0.65 any eq www
access-list 150 deny tcp host 192.168.0.66 any eq www
access-list 150 deny tcp host 192.168.0.97 any eq www
access-list 150 permit ip any any
int BVI1
ip access-group 150 in
Running config changes look like:
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.0.10 255.255.255.0
ip access-group 150 in
ip nat inside
ip virtual-reassembly
!
access-list 100 remark SDM_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 150 remark port 80 block
access-list 150 deny tcp host 192.168.0.63 any eq www
access-list 150 deny tcp host 192.168.0.64 any eq www
access-list 150 deny tcp host 192.168.0.65 any eq www
access-list 150 deny tcp host 192.168.0.66 any eq www
access-list 150 deny tcp host 192.168.0.97 any eq www
access-list 150 permit ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
WORKS PERFECTLY! Thanks for the quick response!
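Added example, not part of the thread above: a small offline evaluator for the IOS extended ACL posted in the follow-up. It parses the `access-list 150 ...` lines exactly as they appear there and applies the rules IOS uses when the list sits inbound on BVI1 (the routed interface; Vlan1 is only a bridge-group member with no IP address, which is why the ACL has to go on BVI1): entries are tried top to bottom, the first match decides, and a packet that matches nothing hits the implicit deny at the end of every IOS ACL. Running it shows two things the config alone does not make obvious: the `permit ip any any` is what keeps the other 15+ hosts online, and `eq www` matches TCP/80 only, so HTTPS (443) from the five hosts still passes. The destination address 203.0.113.10, the port-name table and the `ACL_150_NO_PERMIT` variant are constructed for this example.

```python
"""Offline evaluator for Cisco IOS numbered extended ACLs (added example).

Models first-match semantics: entries are tried top to bottom, the first
matching entry's action wins, and a flow matching nothing is dropped by the
implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copy of ACL 150 from the post, used as parser input.
ACL_150 = """\
access-list 150 remark port 80 block
access-list 150 deny tcp host 192.168.0.63 any eq www
access-list 150 deny tcp host 192.168.0.64 any eq www
access-list 150 deny tcp host 192.168.0.65 any eq www
access-list 150 deny tcp host 192.168.0.66 any eq www
access-list 150 deny tcp host 192.168.0.97 any eq www
access-list 150 permit ip any any
"""

# Constructed variant: the same list with the final permit forgotten.
ACL_150_NO_PERMIT = "\n".join(ACL_150.splitlines()[:-1])

# Subset of IOS port keywords (constructed for this example).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "domain": 53,
              "telnet": 23, "ssh": 22}


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", ...
    src: tuple             # (address, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int]   # destination port for "eq", else None


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines; remark lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":   # only 'eq' on the destination, as in the post
            dport = _port(t[i + 1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def _addr_match(spec, addr):
    """IOS wildcard mask: a 1 bit in the mask means that bit is not compared."""
    base, wildcard = spec
    return ((base ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, proto, src, dst, dport):
    """Return (action, index of matching entry); index None means implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_match(e.src, s) and _addr_match(e.dst, d)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None   # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_acl(ACL_150)
    for flow in [("tcp", "192.168.0.63", "203.0.113.10", 80),
                 ("tcp", "192.168.0.63", "203.0.113.10", 443),
                 ("tcp", "192.168.0.70", "203.0.113.10", 80)]:
        print(flow, "->", evaluate(acl, *flow))
    print("without permit:", evaluate(parse_acl(ACL_150_NO_PERMIT),
                                      "tcp", "192.168.0.70", "203.0.113.10", 80))
```

On the router itself the equivalent check is `show access-lists 150`, whose per-entry match counters should increment for the five hosts when they browse, and `show ip interface BVI1`, which should list 150 as the inbound access list. Because the list is evaluated inbound on the inside interface, before NAT, the host entries correctly use the private 192.168.0.x addresses; if the intent is to block web browsing rather than only port 80, a matching `eq 443` (`https`) entry per host would be needed as well.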
by: jtdebeer, posted on 2009-09-17 at 14:06:53, ID: 25361090
There is a workaround.
Use GPEDIT.msc on the local machine.
Then specify a fake proxy for IE and lock the Connections tab. (Will not work for other browsers.)
Let me know if you require more detail