Solved

Access List Issues

Posted on 2008-06-23
2
182 Views
Last Modified: 2010-04-12
Hey everyone. I'm having an issue with writing an ACL to stop 13 specific machines from having access outside of our LAN, most importantly the internet. I've tried writing up an acl as a host and blocking it:

access-list 101 deny tcp host 172.25.X.X eq 80 any eq 80

which didnt work. I have also tried doing it as just

access-list 101 deny tcp 172.25.X.X 0.0.0.255 eq www any

which again didnt work. The access-group is being applied to in on fa0. There are only two static routes on the router. One is between sites over a t1 and the other moves all off LAN traffic to another router for internet traffic:

other site (172.25.x.x 255.255.255.0 192.168.X.X)
internet (0.0.0.0 0.0.0.0 172.25.X.X)

Anyone have any ideas?
0
Comment
Question by:skitechnh
2 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 21846064
You are trying to block outbound access from these machines to the Internet on port 80 only?  Is the fa0 interface connected to the Internet router?  If so, apply this access-list outbound:

conf t
ip access-list ext 150
deny tcp host 172.25.x.x any eq 80   <-first host
deny tcp host 172.25.x.x any eq 80   <-second host
deny tcp host 172.25.x.x any eq 80   <-third host
...<hosts 4-13>
permit ip any any

int fa0
ip access-group 150 out
0
 

Author Comment

by:skitechnh
ID: 21846367
Fantastic thank you!
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router the primary route is not removed. There is a…
Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question