Solved

How to restrict access to certain web sites

Posted on 2007-12-05
Last Modified: 2010-04-21
Hi There,
I have a Cisco 2811 router. I have DSL, and the Cisco router is configured for intranet and internet connection.
I would like to know how I could configure the Cisco 2811 router to restrict access to certain web sites so users won't be able to go to those web sites.
I will appreciate any help on this.
Thanks
Question by:Sivasan
 
LVL 16

Expert Comment

by:The--Captain
ID: 20448207
 
LVL 79

Expert Comment

by:lrmoore
ID: 20449322
What version IOS and feature set do you have on the 2811?
Generally speaking, you cannot block web sites, you can only block IP addresses, so you have to manually determine all the possible IP addresses of all the sites that you want to block.
 

Author Comment

by:Sivasan
ID: 20474640
Hi lrmoore, to give you an overall picture: we have three Cisco 2811 routers, one at each office location, and one Cisco 831 router at home. The three 2811s are on Sprint T1; we use it for the intranet.

I want to put the block on one of the 2811s (the host) and on the Cisco 831 that's at home. Since the internet DSL router just acts as a bridge, I can only put the block on the Cisco routers.
I have enclosed the version for both the 2811 and the 831 we have. I have also enclosed the configuration of both the 2811 and the 831 on which I'm trying to make the block.

I found an article at the link below. I did add a deny for all the IP addresses of the website I want to block to the ACL, but that didn't work. (This article asked me to apply the ACL in the OUTBOUND direction on the router; I didn't do this since I already had the ACL established, and I assume I don't have to do this.)

http://www.bluegoosesystems.co.uk/rsstatic_console/cms/article.php?title=Block_access_to_a_Web_site_using_the_Cisco_IOS
I will appreciate any help.

For my Cisco 2811 router

Cis-2811#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(4)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 22-Feb-06 16:37 by ccai

ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)

Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
2 FastEthernet interfaces
2 Serial interfaces
2 Channelized T1/PRI ports
2 Virtual Private Network (VPN) Modules
6 Voice E & M interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62592K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
---------------------------------------------------------------------------------------------------
Configuration on my 2811 router

no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$INTERNET$FW_OUTSIDE$
 ip address 6x.x.x.x 255.255.255.252
 ip access-group 108 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/0/0:0
 description Frame Relay Circuit 1 from Sprint Link
 no ip address
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/0/1:0
 description Frame Relay Circuit 2 from Sprint Link
 no ip address
 encapsulation frame-relay MFR1
 no arp frame-relay
!
router eigrp 10
 network 10.0.1.1 0.0.0.0
 network 10.x.x.0 0.0.0.255
 network 10.10.x.0 0.0.0.255
 network 192.x.x.0 0.0.0.3
 network 192.x.x.4 0.0.0.3
 network 10.25.x.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 6x.x.x.x
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat pool mypool2 6x.x.x.x  x.x.x.x9 netmask 255.255.255.252
ip nat inside source list 1 pool mypool2 overload
ip nat inside source static tcp 10.25.x.x  25 6x.x.x.x  25 extendable
ip nat inside source static tcp 10.25.x.x 3389 6x.x.x.x 3389 extendable
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 10.25.x.0 0.0.0.255
access-list 2 permit 6x.x.x.x
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.x.x.0 0.0.0.3
access-list 2 permit 192.x.x.4 0.0.0.3
access-list 2 permit 10.10.x.0 0.0.0.255
access-list 2 permit 10.25.0.0 0.0.0.255
access-list 2 deny   any
access-list 100 permit ip 10.25.x.0 0.0.0.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip host 10.25.x.x any
access-list 103 deny   tcp 10.25.x.0 0.0.0.255 any eq smtp
access-list 103 deny   udp 10.25.x.0 0.0.0.255 any eq 25
access-list 103 deny   ip 192.x.x.0 0.0.0.3 any
access-list 103 deny   ip 192.x.x.4 0.0.0.3 any
access-list 103 deny   ip 10.10.x.0 0.0.0.255 any
access-list 103 deny   ip 6x.x.x.x 0.0.0.3 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 192.x.1.0 0.0.0.3 any
access-list 104 deny   ip 10.10.x.0 0.0.0.255 any
access-list 104 deny   ip 6x.x.x.x 0.0.0.3 any
access-list 104 deny   ip 10.x.x.0 0.0.0.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 deny   ip 192.168.1.4 0.0.0.3 any
access-list 106 deny   ip 10.10.x.0 0.0.0.255 any
access-list 106 deny   ip 6x.x.x.x 0.0.0.3 any
access-list 106 deny   ip 10.25.x.0 0.0.0.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 deny   ip 192.x.1.0 0.0.0.3 any
access-list 107 deny   ip 192.x.1.4 0.0.0.3 any
access-list 107 deny   ip 6x.x.x.x 0.0.0.3 any
access-list 107 deny   ip 10.25.x.0 0.0.0.255 any
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 permit ip any any
access-list 108 remark auto generated by SDM firewall configuration
access-list 108 remark SDM_ACL Category=1
access-list 108 permit udp any host 6x.x.x.x eq non500-isakmp
access-list 108 permit udp any host 6x.x.x.x eq isakmp
access-list 108 permit esp any host 6x.x.x.x
access-list 108 permit ahp any host 6x.x.x.x
access-list 108 permit gre any host 6x.x.x.x
access-list 108 deny   ip 192.x.1.0 0.0.0.3 any
access-list 108 deny   ip 192.x.1.4 0.0.0.3 any
access-list 108 deny   ip 10.10.x.0 0.0.0.255 any
access-list 108 deny   ip 10.25.x.0 0.0.0.255 any
access-list 108 permit tcp any host 6x.x.x.x eq smtp
access-list 108 permit tcp any host 6x.x.x.x eq 3389
access-list 108 permit tcp any host 6x.x.x.x eq www
access-list 108 permit tcp any host 6x.x.x.x eq www
access-list 108 permit icmp any host 6x.x.x.x echo
access-list 108 permit icmp any host 6x.x.x.x echo-reply
access-list 108 permit icmp any host 6x.x.x.x time-exceeded
access-list 108 permit icmp any host 6x.x.x.x unreachable
access-list 108 deny   ip 10.0.0.0 0.255.255.255 any
access-list 108 deny   ip 17x.x.0.0 0.15.255.255 any
access-list 108 deny   ip 192.168.0.0 0.0.255.255 any
access-list 108 deny   ip 127.0.0.0 0.255.255.255 any
access-list 108 deny   ip host 255.255.255.255 any
access-list 108 deny   ip host 0.0.0.0 any
access-list 109 remark VTY Access-class list
access-list 109 remark SDM_ACL Category=1
access-list 109 permit ip 192.168.1.0 0.0.0.3 any
access-list 109 permit ip 192.168.1.4 0.0.0.3 any
access-list 109 permit ip 10.10.x.0 0.0.0.255 any
access-list 109 permit ip 10.25.x.0 0.0.0.255 any
access-list 109 permit tcp host 6x.x.x.x any
access-list 109 deny   ip any any
access-list 110 deny   ip 192.168.1.0 0.0.0.3 any log
access-list 110 permit ip any any
access-list 111 deny   ip 192.168.1.4 0.0.0.3 any
access-list 111 permit ip any any
no cdp run
!
!
!
!
control-plane
!
!
!
voice-port 0/1/0
 operation 4-wire
 type 2
 echo-cancel coverage 32
!
voice-port 0/1/1
 operation 4-wire
 type 2
 echo-cancel coverage 32
!
voice-port 0/2/0
 operation 4-wire
 type 2
 echo-cancel coverage 32
!
voice-port 0/2/1
 operation 4-wire
 type 2
 echo-cancel coverage 32
!
voice-port 0/3/0
 operation 4-wire
 type 2
 echo-cancel coverage 32
!
voice-port 0/3/1
 operation 4-wire
 type 2
 echo-cancel coverage 32
!
!
!
!
!
dial-peer voice 71 voip
 destination-pattern 1..
 session target ipv4:192.168.1.2
 dtmf-relay h245-alphanumeric
 no vad
!
dial-peer voice 63 voip
 destination-pattern 3..
 session target ipv4:192.168.1.6
 dtmf-relay h245-alphanumeric
 no vad
!
dial-peer voice 1 pots
 preference 1
 destination-pattern 2..
 port 0/1/0
 forward-digits all
!
dial-peer voice 2 pots
 preference 2
 destination-pattern 2..
 port 0/1/1
 forward-digits all
!
dial-peer voice 3 pots
 preference 3
 destination-pattern 2..
 port 0/2/0
 forward-digits all
!
dial-peer voice 4 pots
 preference 4
 destination-pattern 2..
 port 0/2/1
 forward-digits all
!
dial-peer voice 5 pots
 preference 5
 destination-pattern 2..
 port 0/3/0
 forward-digits all
!
dial-peer voice 6 pots
 preference 6
 destination-pattern 2..
 port 0/3/1
 forward-digits all
!
!
!
banner login ^C
    ^C
!
line con 0
 transport output telnet
line aux 0
 modem Dialin
 modem autoconfigure type cisco_v110
 transport input all
 transport output telnet
 speed 300
line vty 0 4
 access-class 109 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 109 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Cis-2811#



Home router  - cisco 831


Mevpn128#show version
Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.4(4)T2, RELEASE SOFTWARE (fc1)
mevpn128 uptime is 1 week, 4 days, 13 hours, 5 minutes
System returned to ROM by power-on
System image file is "flash:c831-k9o3sy6-mz.124-4.T2.bin"



Cisco C831 (MPC857DSL) processor (revision 0x500) with 58983K/6553K bytes of memory.
Processor board ID FOC09083ANY (300397737), with hardware revision 0000
CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

Configuration on Home router- Cisco 831


mevpn128#show run
Building configuration...

Current configuration : 7806 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname mevpn128
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
no logging buffered
enable secret 5 $1$b9rs$O1aE0U95kGucorWdjDWEA1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.x.x 10.10.x.254
ip dhcp excluded-address 10.10.x.1 10.10.x.10
!
ip dhcp pool client
   import all
   network 10.10.x.0 255.255.255.0
   default-router 10.10.x.x
   dns-server 10.25.0.0 6x.x.x.x
   netbios-name-server 10.25.x.x
!
!
ip tcp synwait-time 10
ip cef
ip domain name xyz.com
ip name-server 2xx.x.xxx.222        // Added some name server per article
ip name-server 2xx.x.x.xxx
ip name-server x.x.x.x
no ip bootp server
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-300397737
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-300397737
 revocation-check none
 rsakeypair TP-self-signed-300397737
!
!
crypto pki certificate chain TP-self-signed-300397737
 certificate self-signed 01
  quit
username m3rr1ck secret 5 $1$XJ1K$kIi.WT.nfr/3YJupfkvV70
username gcti privilege 15 password 7 000310120D5C081206
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key phonehome address 6x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 10.10.x.x 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 10.10.x.x 6x.x.x.x
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.10.x.x
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Ethernet1
 tunnel destination 6x.x.x.x
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.10.x.x 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$
 ip address dhcp client-id Ethernet1
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 no cdp enable
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
router eigrp 10
 network 10.10.x.x 0.0.0.255
 network 10.10.x.0 0.0.0.255
 no auto-summary
!
ip classless
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
ip nat inside source list 19 interface Ethernet1 overload
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.10.x.0 0.0.0.255
access-list 1 permit any
access-list 1 deny   any
access-list 19 remark Allow Inside
access-list 19 remark SDM_ACL Category=2
access-list 19 permit 10.10.x.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 6x.x.x.x any eq non500-isakmp
access-list 101 permit udp host 6x.x.x.x any eq isakmp
access-list 101 permit esp host 6x.x.x.x any
access-list 101 permit ahp host 6x.x.x.x any
access-list 101 permit gre host 6x.x.x.x any
access-list 101 deny   ip 10.10.x.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 6x.1x.x.x any eq 22
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip x.x.0.0 0.x.255.255 any
access-list 101 deny   ip x.x.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
access-list 101 deny   tcp any host x.x.x.16 eq www      // THIS IS WHAT I'M BLOCKING
access-list 101 deny   tcp any host x.x.x.15 eq www
access-list 101 deny   tcp any host x.x.x.131 eq www
access-list 101 deny   tcp any host x.x.x.129 eq www
access-list 101 deny   tcp any host x.x.x.130 eq www
access-list 101 deny   tcp any host x.x.x.74 eq www
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.x.0 0.0.0.255 any
access-list 102 permit ip any any
access-list 102 deny   ip any any
no cdp run
!
!
control-plane
!
banner login ^CYou have accessed a Private Network. All activity is being logged.^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end

 
LVL 79

Expert Comment

by:lrmoore
ID: 20474852
>access-list 101 deny   tcp any host x.x.x.16 eq www      // THIS IS WHAT I'M BLOCKING

Then I would put it into access-list 100, not 101
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   tcp any host x.x.x.16 eq www
access-list 100 deny   tcp any host <badhost> eq www
access-list 100 permit ip any any
 
LVL 16

Expert Comment

by:The--Captain
ID: 20474967
I think you have to do as the article apparently says and apply it as an outbound ACL - I don't know about your particular router/firewall, but plenty of stateful firewalls assume that if you apply it on the inbound, you still want to be able to initiate connections outbound (once an outbound connection is established, it permits inbound packets associated with the outbound connection).

Cheers,
-Jon
 

Author Comment

by:Sivasan
ID: 20475010
Hi lrmoore,
Thanks, I shall try this. Would you happen to know the command to copy the existing image to the PC, and the command to upload the corrected config back to the router?
When I do it from the command prompt, the deny entry I make goes below the permit ip any any, so
I want to bring it into Notepad, correct it and load it again.
Thanks for all your help.
 

Author Comment

by:Sivasan
ID: 20475583
Trying to use that command to apply it out, but I'm unable to use the
config-if command.
I'm trying:
mev> config, then
mev(config)# int ethernet0, then I press Ctrl-Z,
then I try mev# config-if, but there is no such command.
Please advise.
 
LVL 79

Expert Comment

by:lrmoore
ID: 20475679
There is no config-if command...
Try this. Copy/paste this into notepad. Save it as a text file and anytime you need to add/change another host, edit this text file...
-------------------------------------------------------------------------

interface Ethernet0
 no ip access-group 100 in

no access-list 100
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   tcp any host x.x.x.16 eq www
access-list 100 permit ip any any

interface Ethernet0
 ip access-group 100 in

end
write mem

-------------------------------------------------
Once you have it edited, in notepad, Edit/Select all | Copy
Connect to the router:
mev>enable
Password:
mev#config term
mev(config)# <right-click and select Paste to host>
mev#
[OK]
mev#

Done!

 
LVL 16

Expert Comment

by:The--Captain
ID: 20476593
>Hi lrmoore,
>Thanks I shall try this

Actually, if you're talking about trying the ACL on the outbound, it was I, The-Captain that advised that you go along with the article.

lrmoore - I'm no cisco guru, but I play around with firewalls enough - do you think my statement was kosher about the necessity of applying the ACL to outbound traffic - just wanted some confirmation that I'm not crazy, and that this might also be the way cisco gear handles things.

Sivasan - my initial comment about the PAQ was intended to get you to read old questions and perhaps realize that it may not be as simple as blocking IP addresses, depending on the knowledgeability of your users.

Cheers,
-Jon

 
LVL 79

Expert Comment

by:lrmoore
ID: 20478695
Jon,
In the Cisco world, we typically put the access-list closest to the source of the packet.
With an "in" acl on the LAN interface, the packet never even gets into the router to be processed. If applied "out" then the packet has to be let in, inspected, route looked up, natted, and then decide it can't be let out.
 
LVL 16

Expert Comment

by:The--Captain
ID: 20479016
I don't mean to distract from the thrust of this thread, but I was under the impression that almost *all* stateful firewalls allowed packets through if they are associated with a connection/flow whose initiation was allowed by the firewall rules.  You can tell I don't deal with cisco much if I didn't know they were a rather large exception to my thinking (you *are* saying that cisco doesn't work like that, right?)

In any case, if it doesn't matter where he's applying the ACL (inbound or outbound), then how to proceed...?

Cheers,
-Jon
 

Author Comment

by:Sivasan
ID: 20479926
So does this mean I don't have to apply the out? Please advise. I'm not very familiar with this, so I'm finding it hard to follow here.
Thanks a million for taking all the time to respond.
 
LVL 79

Expert Comment

by:lrmoore
ID: 20480571
Sorry to have confused you.
Apply it "in" exactly as I have demonstrated above.
 

Author Comment

by:Sivasan
ID: 20481498
Hi lrmoore,
Thanks for your response. I already had in my configuration
interface Ethernet0
 no ip access-group 100 in
bla bla
and I have added the deny to access-group 100, so do I still do what you have instructed? Sorry, I'm bugging you with too many questions I guess..
Please see below the part of my configuration I have right now.
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.10.x.x 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$
 ip address dhcp client-id Ethernet1
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 no cdp enable
!
...... lot of other entry then...

ip nat inside source list 19 interface Ethernet1 overload
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.10.x.0 0.0.0.255
access-list 1 permit any
access-list 1 deny   any
access-list 19 remark Allow Inside
access-list 19 remark SDM_ACL Category=2
access-list 19 permit 10.10.x.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 deny   tcp any host x.x.x.16 eq www      This is what I added.
access-list 100 deny   tcp any host x.x.39.x eq www
access-list 100 deny   tcp any host x.x.x.74 eq www
access-list 100 deny   tcp any host x.x.x.x eq www

access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 6x.x.x.x any eq non500-isakmp
access-list 101 permit udp host 6x.x.x.x any eq isakmp
access-list 101 permit esp host 6x.x.x.x any
access-list 101 permit ahp host 6x.x.x.x any
access-list 101 permit gre host 6x.x.x.x any
access-list 101 deny   ip 10.10.x.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp host 6x.1.x.x any eq 22
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
access-list 101 deny   tcp any host x.x.x.16 eq www
access-list 101 deny   tcp any host x.x.x.15 eq www
access-list 101 deny   tcp any host x.x.x.31 eq www
access-list 101 deny   tcp any host x.x.x.1 eq www

access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.x.0 0.0.0.255 any
access-list 102 permit ip any any
access-list 102 deny   ip any any
no cdp run
!
!
control-plane

 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 20481721
No, it won't work the way you have it.

access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any  <<=== this line negates all lines below

access-list 100 deny   tcp any host x.x.x.16 eq www      This is what I added.
access-list 100 deny   tcp any host x.x.39.x eq www
access-list 100 deny   tcp any host x.x.x.74 eq www
access-list 100 deny   tcp any host x.x.x.x eq www

You must take a multi-step approach just exactly as I demonstrated in the script above.
1. Remove the existing acl from the interface (to be re-applied later)
2. Delete the access-list completely
3. re-create the access-list in its entirety adding the lines you need in the order they need to be in
4. re-apply the acl to the interface.

 
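The first-match rule lrmoore relies on above (and in the rebuild script earlier in the thread) can be checked offline with this small ACL simulator. It is an added example, not part of the thread and not a Cisco tool; it handles only the extended-ACL syntax used in this thread, and 203.0.113.16, 198.51.100.7 and 10.10.5.20 are constructed placeholder addresses standing in for the masked x.x.x.16 web host, another web site and a LAN client.

```python
"""Simulate Cisco IOS numbered extended ACL evaluation (first match wins)."""
import ipaddress

# Constructed placeholder for the thread's masked x.x.x.16 web host.
BLOCKED_HOST = "203.0.113.16"
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}  # IOS keywords used here


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tokens[i].
    Returns (network, index of the next token). Wildcard masks are assumed
    to be contiguous, which is true for every ACE in this thread."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard is the bitwise inverse of a netmask.
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' after an address spec; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None), i + 2
    return None, i


def parse_acl(text):
    """Turn 'access-list N <permit|deny> <proto> ...' lines into ordered ACEs.
    Remarks, standard (address-only) ACLs and malformed lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark" or not t[3].isalpha():
            continue
        try:
            src, i = _parse_addr(t, 4)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, i = _parse_port(t, i)
        except (IndexError, ValueError):
            continue
        aces.append({"action": t[2], "proto": t[3], "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "text": line.strip()})
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """Return (action, matching ACE text). IOS stops at the first matching
    entry, and an ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


# ACL 100 as it looked after appending the deny from the CLI: the deny lands
# below 'permit ip any any', so it is never reached.
APPENDED = f"""
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 deny   tcp any host {BLOCKED_HOST} eq www
"""

# ACL 100 rebuilt in the order lrmoore's script produces.
REBUILT = f"""
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   tcp any host {BLOCKED_HOST} eq www
access-list 100 permit ip any any
"""


def check(acl_text, dst, dport=80):
    """Action for a LAN client (constructed 10.10.5.20) opening TCP/dport to dst."""
    return evaluate(parse_acl(acl_text), "tcp", "10.10.5.20", dst, dport)[0]


if __name__ == "__main__":
    print("appended, blocked host :", check(APPENDED, BLOCKED_HOST))
    print("rebuilt, blocked host  :", check(REBUILT, BLOCKED_HOST))
    print("rebuilt, other site    :", check(REBUILT, "198.51.100.7"))
    print("rebuilt, HTTPS to host :", check(REBUILT, BLOCKED_HOST, 443))
```

The last line of output shows the limit of an `eq www` entry: it matches only TCP/80, so HTTPS to the same host still passes unless a separate entry for port 443 is added to the rebuilt list.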

Author Comment

by:Sivasan
ID: 20494977
Hey lrmoore,
It worked great, thanks a million. You are a genius. Thanks for guiding me so well by giving clear instructions.
I'm actually now doing it on one of the routers at work. The router at home I did already and it works great.

Now for my office router, please find the interfaces below.
FE 0/1 is where I have my Cat 5 cable from my internet.
FE 0/0 is where I have the cable for my LAN.
The interfaces are shown below. So I should apply the access list to FastEthernet0/0
in this case? Am I right? Please advise.



interface FastEthernet0/0
 description $ETH-LAN$LAN$FW_INSIDE$
 ip address 10.25.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$INTERNET$FW_OUTSIDE$
 ip address 6x.x.x.x 255.255.255.252
 ip access-group 108 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
 

Author Closing Comment

by:Sivasan
ID: 31412999
Great solution. Thanks a million for the clear step by step instruction.
You have been a great help.
 
LVL 79

Expert Comment

by:lrmoore
ID: 20495104
Yes, you are correct. Apply it to fast 0/0 "in"
