So I have an extended ACL for inbound traffic on my WAN interface and I want to block all incoming traffic from a range of IPs. Specifically Spotify, which uses:
78.31.8.0/21
193.182.8.0/21
95.215.60.0/22
I tried the following:
deny ip 78.31.8.0 0.0.7.255 any
deny ip 193.182.8.0 0.0.7.255
deny ip 95.215.60.0 0.0.3.255 any
It doesn't seem to be working. What am I missing?
Nico Eisma
8/22/2022 - Mon
Traffic is initiated internally as users will access the service out towards the internet, my suggestion do the filtering on the internal interface rather than the external interface.
So here is what my internal interface looks like
interface GigabitEthernet0/1
description Internal Network$FW_INSIDE$
ip address 10.110.110.1 255.255.255.0
ip access-group internal_filter in
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
And the newly formed access list
ip access-list extended internal_filter
deny ip 10.110.110.0 0.0.0.255 78.31.8.0 0.0.7.255
deny ip 10.110.110.0 0.0.0.255 193.182.8.0 0.0.7.255
deny ip 10.110.110.0 0.0.0.255 95.215.60.0 0.0.3.255
permit ip any any
and a "sh access list":
Extended IP access list internal_filter
10 deny ip 10.110.110.0 0.0.0.255 78.31.8.0 0.0.7.255
20 deny ip 10.110.110.0 0.0.0.255 193.182.8.0 0.0.7.255
30 deny ip 10.110.110.0 0.0.0.255 95.215.60.0 0.0.3.255
40 permit ip any any (601589 matches)
But I'm getting nothing; it doesn't seem to be blocking the range of IPs.
Now I have 4 VLANs, but the computer I'm testing with is on the 10.110.110.0 network.
I wouldn't suggest just going outright and blocking all the IP ranges without careful consideration first. What I can suggest:
Do a packet capture test first to identify which IP range Spotify is connecting to based on your region. Tools like CurrPorts and Wireshark can be used to do a packet capture. Based on your "show access list", nobody is hitting those subnets, so most likely you are reaching Spotify through another IP range.
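As an added example (not part of the thread), here is a small Python model of IOS wildcard-mask matching: it confirms the poster's masks for the /21 and /22 prefixes, evaluates the internal_filter ACL first-match the way IOS does, and keeps per-entry hit counters like those printed by "show access-list", so it shows why a flow to an address outside those ranges, or from another VLAN's subnet, lands on the permit line. The sample flows are constructed.

```python
import ipaddress

# The internal_filter ACL as posted in the follow-up (constructed copy, inbound on Gi0/1).
ACL_INTERNAL_FILTER = [
    ("deny",   "10.110.110.0 0.0.0.255", "78.31.8.0 0.0.7.255"),
    ("deny",   "10.110.110.0 0.0.0.255", "193.182.8.0 0.0.7.255"),
    ("deny",   "10.110.110.0 0.0.0.255", "95.215.60.0 0.0.3.255"),
    ("permit", "any", "any"),
]


def cidr_to_wildcard(prefix):
    """Return 'network wildcard' as IOS expects it; the wildcard is the inverted netmask."""
    net = ipaddress.ip_network(prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"


def wildcard_match(addr, spec):
    """True if addr matches an IOS 'address wildcard' pair or the keyword 'any'.
    Wildcard bits set to 1 are ignored in the comparison."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    ignore = int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & ~ignore) == (int(ipaddress.ip_address(base)) & ~ignore)


def acl_decision(acl, src, dst):
    """First-match evaluation; returns (action, 1-based entry index).
    A flow that matches no entry hits the implicit deny at the end (index None)."""
    for idx, (action, s_spec, d_spec) in enumerate(acl, start=1):
        if wildcard_match(src, s_spec) and wildcard_match(dst, d_spec):
            return action, idx
    return "deny", None


def acl_hits(acl, flows):
    """Per-entry match counters for a list of (src, dst) flows, like the
    '(N matches)' annotations in 'show access-list'."""
    hits = [0] * len(acl)
    for src, dst in flows:
        _, idx = acl_decision(acl, src, dst)
        if idx is not None:
            hits[idx - 1] += 1
    return hits


if __name__ == "__main__":
    # Constructed flows: one to a listed range, two elsewhere, one from another VLAN.
    sample = [("10.110.110.50", "78.31.15.200"), ("10.110.110.50", "8.8.8.8"),
              ("10.110.110.51", "1.1.1.1"), ("10.110.120.5", "78.31.8.1")]
    for entry, n in zip(ACL_INTERNAL_FILTER, acl_hits(ACL_INTERNAL_FILTER, sample)):
        print(entry[0], entry[1], entry[2], f"({n} matches)")
```

Only the first constructed flow increments a deny counter; the rest fall through to permit, which is the pattern the poster's counters show when the real destinations are not in the listed ranges.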