• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1162

Cisco 1841 access list

I have a Cisco 1841 router, and all clients access the Internet through the router at 192.168.1.1. Now I want to restrict the WWW port for some clients and allow only SMTP access for all PCs, using an ACL. The running config is as follows, and the access list I am applying is also shown below, but as soon as I put the access-group on either E0/0 or E0/1, all clients' SMTP and WWW ports stop working. Please help me solve the issue.

sh run is:

EMAMI_HALDIA#sh run
Building configuration...
 
Current configuration : 3648 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EMAMI_HALDIA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 192.168.1.241 192.168.1.255
!
ip dhcp pool 192.168.1.0/24
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 203.124.20.100 203.124.16.100
!
!
ip domain name yourdomain.com
ip name-server 203.124.20.100
ip name-server 203.124.16.100
!
username cisco privilege 15 secret 5 $1$d3v5$fpiBkT01r9GsPWMy6Ue140
!
!
!
interface Tunnel499
 description ***** INTERNET TUNNEL *****
 ip address 3.3.5.78 255.255.255.252
 ip mtu 1524
 ip nat outside
 ip tcp adjust-mss 1400
 load-interval 30
 tunnel source 71.3.88.77
 tunnel destination 71.2.5.130
!
interface FastEthernet0/0
 description ***** Tulip Wan Link ****
 ip address 71.3.88.77 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ***** Local Lan *****
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel499 name Internet
ip route 71.0.0.0 255.0.0.0 71.3.88.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool internet 203.124.21.208 203.124.21.208 netmask 255.255.255.0
ip nat inside source list 10 pool internet overload
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
 
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use.
 
For more information about SDM please follow the instructions in the QUICK START
 
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
end
 
EMAMI_HALDIA#

 
I want to implement the access list as below:
 

deny tcp host 192.168.1.20 any eq 80
deny tcp host 192.168.1.12 any eq 80
deny tcp host 192.168.1.15 any eq 80
deny tcp host 192.168.1.16 any eq 80
deny tcp host 192.168.1.22 any eq 80
deny tcp host 192.168.1.27 any eq 80
deny tcp host 192.168.1.28 any eq 80
deny tcp host 192.168.1.29 any eq 80
deny tcp host 192.168.1.31 any eq 80
deny tcp host 192.168.1.33 any eq 80
deny tcp host 192.168.1.34 any eq 80
deny tcp host 192.168.1.35 any eq 80
deny tcp host 192.168.1.36 any eq 80
deny tcp host 192.168.1.26 any eq 80
deny tcp host 192.168.1.19 any eq 80
deny tcp host 192.168.1.38 any eq 80
deny tcp host 192.168.1.39 any eq 80
deny tcp host 192.168.1.37 any eq 80
deny tcp host 192.168.1.41 any eq 80
deny tcp host 192.168.1.42 any eq 80
deny tcp host 192.168.1.46 any eq 80
deny tcp host 192.168.1.47 any eq 80
deny tcp host 192.168.1.48 any eq 80
deny tcp host 192.168.1.151 any eq 80
permit tcp any any
Asked by: Subhash1979

1 Solution
 
bkepford commented:
Change the last line to
permit ip any any
 
bkepford commented:
Oh, and apply the access-group in the inbound direction on the internal interface:
interface fastethernet 0/1
 ip access-group 101 in
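Added example (Python; not code from the thread, the router or Cisco): a small model of how IOS walks an extended ACL, top to bottom, first match wins, implicit deny after the last line. It replays the access list posted in the question, first with the asker's last line `permit tcp any any` and then with the `permit ip any any` bkepford suggests, against constructed packets as they would be seen inbound on FastEthernet0/1, where the source address is the LAN client. The DNS server address is the one the router's DHCP pool hands out; 203.0.113.0/24 is documentation address space standing in for arbitrary Internet mail and web servers. With `permit tcp any any` as the last line nothing permits UDP, so every client's DNS query falls through to the implicit deny and names stop resolving, which is what makes both mail and web look blocked; with `permit ip any any` only TCP/80 from the listed hosts is dropped. The last packet is the web server's reply, which is what an outbound ACL on Fa0/1 would evaluate: no `host 192.168.1.x` source line matches it, so applying the list `out` on the LAN side would block nothing.

```python
"""Model of Cisco IOS extended-ACL evaluation: entries are tried top to bottom,
the first match decides, and an implicit "deny ip any any" follows the last
line.  Added example, not code from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "ftp": 21}  # IOS port keywords


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: tuple                  # (address, wildcard) as 32-bit ints
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1           # every bit is a don't-care bit
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2   # wildcard 0.0.0.0: exact match
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Optional 'eq <port>' at tokens[i]; returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return None, i


def parse_ace(line):
    tokens = line.split()
    if tokens[:1] == ["access-list"]:           # numbered form: drop "access-list 101"
        tokens = tokens[2:]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, _ = _parse_port(tokens, i)
    return Ace(tokens[0], tokens[1], src, sport, dst, dport)


def _addr_matches(spec, ip):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF               # bits that must be equal
    return (ip & care) == (addr & care)


def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and _addr_matches(ace.src, _ip(pkt.src))
            and _addr_matches(ace.dst, _ip(pkt.dst))
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))


def evaluate(acl, pkt):
    """Return (action, line that matched); unmatched traffic hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, line
    return "deny", "implicit deny ip any any"


# The 24 hosts from the question, and the two versions of the access list.
BLOCKED_HOSTS = [f"192.168.1.{n}" for n in (20, 12, 15, 16, 22, 27, 28, 29, 31, 33, 34, 35,
                                             36, 26, 19, 38, 39, 37, 41, 42, 46, 47, 48, 151)]
DENY_WWW = [f"deny tcp host {h} any eq 80" for h in BLOCKED_HOSTS]
ACL_AS_POSTED = DENY_WWW + ["permit tcp any any"]   # the asker's last line
ACL_FIXED = DENY_WWW + ["permit ip any any"]        # bkepford's one-line change

# Constructed traffic as seen *inbound* on FastEthernet0/1 (source = LAN client).
# 203.124.20.100 is the DNS server the router's DHCP pool hands out;
# 203.0.113.0/24 is documentation space standing in for Internet servers.
DNS_QUERY = Packet("udp", "192.168.1.50", "203.124.20.100", 51000, 53)
SMTP_SEND = Packet("tcp", "192.168.1.50", "203.0.113.25", 51001, 25)
WEB_ALLOWED = Packet("tcp", "192.168.1.50", "203.0.113.80", 51002, 80)
WEB_BLOCKED = Packet("tcp", "192.168.1.20", "203.0.113.80", 51003, 80)
HTTPS_BLOCKED_HOST = Packet("tcp", "192.168.1.20", "203.0.113.80", 51004, 443)
# The server's reply in that web session: what an *outbound* ACL on Fa0/1 would see.
WEB_REPLY = Packet("tcp", "203.0.113.80", "192.168.1.20", 80, 51003)

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        for pkt in (DNS_QUERY, SMTP_SEND, WEB_ALLOWED, WEB_BLOCKED, HTTPS_BLOCKED_HOST, WEB_REPLY):
            print(f"{name:9} {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}: {evaluate(acl, pkt)}")
```

On the router itself, `show access-lists 101` shows the per-line match counters and `show ip interface FastEthernet0/1` reports which list is applied in which direction, which is the quickest way to confirm the same verdicts on real traffic. Note that the fixed list still permits TCP/443 from the listed hosts, which is the gap lrmoore raises in the next comment.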
 
lrmoore commented:
If you don't also deny HTTPS and 8080, then users will find anonymous proxies and go right around your ACL.
What is it exactly that you want to restrict, and how strict do you want to be?
Subhash1979 (Author) commented:
Thanks a lot. My problem is solved. I was facing the problem due to only one line, that is, the last line.
 
bkepford commented:
Well, only the bad employees :)
Good call, lrmoore.
 
Subhash1979 (Author) commented:
Hi lrmoore. I just want to stop the Internet browser, and only Outlook should work on all PCs, like this.

Please provide more suggestions if you have any.
 
lrmoore commented:
You can permit the ones you want and deny all others, or deny each one individually, depending on how many there are.

Example to permit individually:

access-list 101 permit ip host 192.168.1.11 any
access-list 101 permit ip host 192.168.1.13 any
access-list 101 permit ip host 192.168.1.14 any
access-list 101 permit ip host 192.168.1.17 any
<etc>
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit ip any any

Or deny individually:

access-list 101 deny tcp host 192.168.1.20 any eq 80
access-list 101 deny tcp host 192.168.1.22 any eq 80
access-list 101 deny tcp host 192.168.1.12 any eq 80
<etc>
access-list 101 permit ip any any

Use whichever method creates the fewest lines of access list.
You realize that things like Windows Updates might not work if you block browsing? How about anti-virus updates?
Before you just start blocking people, be sure of the reasons why. Do you have an Internet Acceptable Use Policy that everyone has to read and understand? Does it spell out that a person may lose their web browsing "privilege" if they abuse it? Do you have anything in place that tells you that they do, in fact, abuse the privilege?
I mention that because what if something happens to you and your sudden replacement does not know that there are ACLs on the router, and starts trying to troubleshoot why employee X cannot get to the Internet? He may spend hours trying to figure it out, not thinking to look at the ACL on the router.
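Added example (Python; not code from the thread): a generator for the two ACL shapes lrmoore describes, a permit line per allowed host followed by a subnet-wide deny, or a deny line per blocked host, that returns whichever is shorter and extends the denies to TCP/443 and TCP/8080 as he recommends earlier in the thread. It goes one step beyond the thread: hosts are collapsed into exact wildcard-mask blocks, so the 24 hosts from the question become 17 source specifications (for instance 192.168.1.36 through .39 become `192.168.1.36 0.0.0.3`) without ever covering an address that was not listed. The host list is the one in the question; the ACL number, 101, is the one bkepford used.

```python
"""Build the access list in the two shapes lrmoore describes and keep the shorter
one.  Added example, not code from the original thread.  Hosts are collapsed into
exact wildcard-mask blocks first, which shortens either shape."""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _txt(value):
    return str(ipaddress.IPv4Address(value))


def aggregate(hosts):
    """Collapse hosts into the fewest aligned (base, wildcard) blocks that cover exactly
    those hosts.  Aligned blocks are nested or disjoint, so the largest block that starts
    at the lowest remaining address is always part of the optimal cover."""
    remaining = {_ip(h) for h in hosts}
    blocks = []
    while remaining:
        base, size = min(remaining), 1
        # double the block while it stays aligned and every member is in the set
        while base % (2 * size) == 0 and all(base + k in remaining for k in range(2 * size)):
            size *= 2
        blocks.append((base, size - 1))          # wildcard = size - 1 for power-of-two sizes
        remaining -= {base + k for k in range(size)}
    return blocks


def expand(blocks):
    """Inverse of aggregate, used to check that no unlisted host is covered."""
    return {_txt(base + k) for base, wildcard in blocks for k in range(wildcard + 1)}


def _src(base, wildcard):
    return f"host {_txt(base)}" if wildcard == 0 else f"{_txt(base)} {_txt(wildcard)}"


def deny_list_acl(number, denied, ports):
    """'Deny individually': one deny per block and port, then permit everything else."""
    lines = [f"access-list {number} deny tcp {_src(b, w)} any eq {p}"
             for b, w in aggregate(denied) for p in ports]
    return lines + [f"access-list {number} permit ip any any"]


def permit_list_acl(number, allowed, subnet, ports):
    """'Permit individually': permits first, because the first matching line wins,
    then a subnet-wide deny per port, then permit everything else (other sources)."""
    net = ipaddress.IPv4Network(subnet)
    lines = [f"access-list {number} permit ip {_src(b, w)} any" for b, w in aggregate(allowed)]
    lines += [f"access-list {number} deny tcp {net.network_address} {net.hostmask} any eq {p}"
              for p in ports]
    return lines + [f"access-list {number} permit ip any any"]


def shortest_acl(number, denied, subnet, ports=(80, 443, 8080)):
    """Every host in the subnet that is not denied is allowed; return the shorter list."""
    denied_set = set(denied)
    allowed = [str(h) for h in ipaddress.IPv4Network(subnet).hosts() if str(h) not in denied_set]
    return min((deny_list_acl(number, denied, ports),
                permit_list_acl(number, allowed, subnet, ports)), key=len)


# The 24 hosts from the question.
BLOCKED_HOSTS = [f"192.168.1.{n}" for n in (20, 12, 15, 16, 22, 27, 28, 29, 31, 33, 34, 35,
                                             36, 26, 19, 38, 39, 37, 41, 42, 46, 47, 48, 151)]

if __name__ == "__main__":
    assert expand(aggregate(BLOCKED_HOSTS)) == set(BLOCKED_HOSTS)   # no unlisted host covered
    for line in shortest_acl(101, BLOCKED_HOSTS, "192.168.1.0/24"):
        print(line)
    print("! apply with: interface FastEthernet0/1 / ip access-group 101 in")
```

For the question's list and port 80 alone the deny form wins (18 lines against 35 for the permit form); once 443 and 8080 are added the permit form wins, because each permit line covers every port while each deny block needs a line per port. Keep the generator's input list as the record of who is blocked and regenerate the ACL from it rather than hand-editing an aggregated block, which is how an unlisted neighbour ends up denied; and, as lrmoore notes, whoever inherits the router needs to know the list exists.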
