Scott_Smith24 asked:
Block IP range - extended ACLs

So I have an extended ACL for inbound traffic on my WAN interface and I want to block all incoming traffic from a range of IPs. Specifically Spotify, which uses:
78.31.8.0/21
193.182.8.0/21
95.215.60.0/22

I tried the following:
deny ip 78.31.8.0 0.0.7.255 any
deny ip 193.182.8.0 0.0.7.255
deny ip 95.215.60.0 0.0.3.255 any
It doesn't seem to be working. What am I missing?
Nico Eisma replied:

Traffic is initiated internally, as users will access the service out towards the internet; my suggestion is to do the filtering on the internal interface rather than the external interface.
Scott_Smith24 (asker):
So how do I do that?
Nico Eisma (accepted solution; the solution text is not available on this page)

Scott_Smith24 (asker):

So here is what my internal interface looks like:
interface GigabitEthernet0/1
 description Internal Network$FW_INSIDE$
 ip address 10.110.110.1 255.255.255.0
 ip access-group internal_filter in
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled

And the newly formed access list:

ip access-list extended internal_filter
 deny   ip 10.110.110.0 0.0.0.255 78.31.8.0 0.0.7.255
 deny   ip 10.110.110.0 0.0.0.255 193.182.8.0 0.0.7.255
 deny   ip 10.110.110.0 0.0.0.255 95.215.60.0 0.0.3.255
 permit ip any any

and a "sh access-list":
Extended IP access list internal_filter
    10 deny ip 10.110.110.0 0.0.0.255 78.31.8.0 0.0.7.255
    20 deny ip 10.110.110.0 0.0.0.255 193.182.8.0 0.0.7.255
    30 deny ip 10.110.110.0 0.0.0.255 95.215.60.0 0.0.3.255
    40 permit ip any any (601589 matches)

But I'm getting nothing; it doesn't seem to be blocking the range of IPs.
Now, I have 4 VLANs, but the computer I'm testing with is on the 10.110.110.0 network.
It seems that Spotify has a lot of IP ranges.

http://bgp.he.net/search?search[search]=Spotify&commit=Search
Other forums mentioned some other IP ranges as well that they blocked:
193.235.232.0/22
194.68.28.0/22
http://serverfault.com/questions/358735/how-can-i-block-spotify-on-our-company-network
https://support.cipafilter.com/index.php?/Knowledgebase/Article/View/146/27/spotify---how-to-block

I wouldn't suggest just going outright and blocking all the IP ranges without careful consideration first. What I can suggest:
Do a packet capture test first to identify which IP range Spotify is connecting to based on your region. Tools like CurrPorts and Wireshark can be used to do a packet capture. Based on your "show access list", nobody is hitting those subnets, so most likely you are reaching Spotify through another IP range.
http://www.nirsoft.net/utils/cports.html
Block the application in the host PC GPO.
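As an added example (not from the thread or from Cisco), the Python below parses the internal_filter ACL quoted above, converts CIDR ranges to IOS wildcard masks and back, and evaluates constructed client flows against the ACL the way the router's "show access-list" counters would tally them. It shows why a flow to a range the ACL does not list, or from a VLAN outside 10.110.110.0/24, falls through to the permit at sequence 40 and leaves the deny lines with zero matches; the sample flows and the 193.235.233.1 destination are constructed for illustration.

```python
import ipaddress

def cidr_to_wildcard(cidr: str) -> tuple[str, str]:
    """CIDR -> (network, IOS wildcard), e.g. 78.31.8.0/21 -> ('78.31.8.0', '0.0.7.255')."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def _parse_addr(tokens):
    """Consume one ACE address spec ('any' or 'NETWORK WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    wild = int(ipaddress.ip_address(tokens[1]))
    if wild & (wild + 1):  # only contiguous low-order "don't care" bits are handled here
        raise ValueError(f"non-contiguous wildcard not supported: {tokens[1]}")
    prefix = 32 - wild.bit_length()  # 0.0.7.255 -> /21, 0.0.0.0 -> /32 (a single host)
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_acl(text: str):
    """Parse '[seq] deny|permit ip SRC DST' lines into (seq, action, src_net, dst_net)."""
    aces, seq = [], 0
    for line in text.splitlines():
        tokens = line.split()
        explicit = bool(tokens) and tokens[0].isdigit()  # 'show access-list' numbering
        if explicit:
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # skips the 'ip access-list extended ...' header and blank lines
        seq = int(line.split()[0]) if explicit else seq + 10  # IOS auto-numbers by 10
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        aces.append((seq, tokens[0], src, dst))
    return aces

def match_flow(aces, src_ip: str, dst_ip: str):
    """First matching ACE as (seq, action); (None, 'deny') is the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, src, dst in aces:
        if s in src and d in dst:
            return seq, action
    return None, "deny"

INTERNAL_FILTER = """ip access-list extended internal_filter
 deny   ip 10.110.110.0 0.0.0.255 78.31.8.0 0.0.7.255
 deny   ip 10.110.110.0 0.0.0.255 193.182.8.0 0.0.7.255
 deny   ip 10.110.110.0 0.0.0.255 95.215.60.0 0.0.3.255
 permit ip any any"""
SAMPLE_FLOWS = [("10.110.110.25", "78.31.9.10"),     # constructed: listed range, hits seq 10
                ("10.110.110.25", "193.235.233.1"),  # constructed: unlisted range, seq 40
                ("10.110.120.7", "78.31.9.10")]      # constructed: other VLAN source, seq 40
def classify(flows=SAMPLE_FLOWS, acl_text=INTERNAL_FILTER):
    return [match_flow(parse_acl(acl_text), s, d) for s, d in flows]
```

Feeding it the destinations seen in a packet capture (per the CurrPorts/Wireshark suggestion above) tells you, before touching the router, which ACE each real flow would hit.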
That worked. I also used Little Snitch to see exactly what Spotify was using and was able to find the IP range that way.
Great! Glad you were able to accomplish your task and congratulations!