
ACL question

hey guys,

I'm getting ready to put up a full ACL here at our company, and am looking at doing this over the next coupla weeks; however, I just had a manager request I deny all web access to a computer that his subordinates are taking advantage of. As far as I know this will be the only PC in the company blocked from web access; for everyone else I'm just gonna block certain services etc. to complement our firewall's rules, and stop unneeded inter-VLAN communication.

My question is, can I right now block web access to that one host? If so, what syntax would I be looking at to do so?

thanks for any and all help.
 
You should be able to.

You're probably using implicit deny, and so you've probably got something like this:

Code:
permit tcp any any eq 80
(lots of others based on what services you need)
deny all

Really, all you need to do is add a deny statement for the host (let's say it's 192.168.1.50) that you want to disallow www service to, and it probably needs to go before the permit statement for www traffic. Something like

Code:
deny tcp 192.168.1.50 0.0.0.255 any eq 80
permit tcp any any eq 80
(lots of others based on what services you need)
deny all

I believe that should do it, hopefully someone else can chime in and confirm for me.

edit: finally, jesus
 
Thanks for the reply,

As it sits I don't have any access lists at all, so I assume I want this to be an extended one? (100 or greater?) And then apply it to the VLAN that that specific IP is on?
 
Code:
deny tcp 192.168.1.50 0.0.0.255 any eq 80
permit tcp any any eq 80
(lots of others based on what services you need)
deny all

That would actually deny traffic to any host falling in the 192.168.1.x subnet. To block it for that specific host, use:

Code:
access-list 101 deny tcp host 192.168.1.50 any eq 80
access-list 101 permit tcp any any eq 80
 
That's funny, I apply the rules to see my entire subnet get blocked, and just come back from the server room removing that rule and see your post boscoh. Good times.


round 2 FITE.
 
Well that didn't work either, I ran your lines boscoh only to deny all traffic whatsoever to the specific address I put it on, except on its subnet (I could communicate with hosts on its subnet, but not with hosts on other VLANs, or the internet on any protocol). So I'm thinking the last line needs to end with a permit all?

Maybe it's the way I applied it; I applied it to the sub-interface that is the VLAN for the subnet on which lies the IP we're trying to deny web traffic to. I used:

ip access-group 101 in

Should I use out instead?
 
OK I got it, using out instead of in seemed to work, I'll have to look up the differences in a bit.

thanks for all the halp guys.

luv u bunches <3
 
That would actually deny traffic to any host falling in the 192.168.1.x subnet. To block it for that specific host, use:

Code:
access-list 101 deny tcp host 192.168.1.50 any eq 80
access-list 101 permit tcp any any eq 80

Ah, I knew something didn't seem quite right. Thanks for the clarification.
 
Well maybe I don't have it figured out. In my test it seemed to work, I could do everything but surf. I just applied it to the PC I wanted it on, and he can do nothing. No access to file shares or anything, however he can ping his subnet. What am I missing? Code is as follows

Code:
interface FastEthernet0/1.5
 description Production
 encapsulation dot1Q 6
 ip address 192.168.50.1 255.255.255.0
 ip access-group 101 out


access-list 101 deny   tcp host 192.168.50.89 any eq www
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any  (I added this line just now to no avail)

This is the only access list configured on the router. I added the 3rd assuming all access lists end with a deny all, but it didn't seem to help any. Any suggestions?
 
Do you want to do permit ip any any at the end?

I don't know, do I?

All I want is to allow full access to everything (like it is right now) and block one host from the web. That's it. In 2 or 3 weeks when I do some real reading I'll set up some ACLs worth a darn to complement our firewall; right now I just have a request to deny HTTP traffic from a single host. That is all my goal is. Allow 192.168.50.22 to talk to everything except port 80.
 
All right, SWEET

veedubs ftw

Final and working is this

Code:
interface FastEthernet0/1.5
 description Production
 encapsulation dot1Q 6
 ip address 192.168.50.1 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out

access-list 101 deny   tcp host 192.168.50.22 any eq www
access-list 101 permit tcp any any eq www
access-list 101 permit ip any any

thnx again for all the help yous guys. yall rock. and roll. all night long.
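As an added illustration (not code from this thread, and not Cisco's implementation), the following Python model walks a packet through a numbered extended ACL the way the thread's three attempts behave: first match wins, an unwritten `deny ip any any` sits at the end, `host` means an exact address, and a wildcard mask like `0.0.0.255` marks the low byte as "don't care" (which is why the first attempt blocked all of 192.168.1.x). It also covers the `in` versus `out` confusion: on the VLAN sub-interface, an `out` ACL only sees traffic leaving the router toward the VLAN, i.e. the web server's replies, whose source is never the blocked host. Addresses used as sample traffic (203.0.113.10 as a stand-in web server, 192.168.60.5 as a file server assumed to be on another VLAN) are constructed; the model understands only the syntax the thread uses, not `established`, port ranges, or named ACLs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts instead of a number (only the ones relevant here)
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int]        # None means "any destination port"
    text: str                   # original line, reported when the entry fires


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)                      # every bit is "don't care"
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    # Cisco wildcard: a 1 bit means "ignore this bit", so 0.0.0.255 covers a whole /24
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))


def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    addr, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def parse_entry(line: str) -> Entry:
    """Parse one extended ACL line, with or without the 'access-list N' prefix."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Entry(action, proto, src, dst, dport, line.strip())


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        return e.action, e.text
    return "deny", "(implicit deny ip any any)"


# The three ACLs from the thread, in the order they were tried
WILDCARD_MISTAKE = [parse_entry(l) for l in (
    "deny tcp 192.168.1.50 0.0.0.255 any eq 80",    # matches every host in 192.168.1.0/24
    "permit tcp any any eq 80",
)]
HOST_ONLY = [parse_entry(l) for l in (
    "access-list 101 deny   tcp host 192.168.50.22 any eq www",
    "access-list 101 permit tcp any any eq www",
)]
FINAL = HOST_ONLY + [parse_entry("access-list 101 permit ip any any")]

# Constructed sample endpoints (assumptions, not from the thread)
WEB = "203.0.113.10"          # stand-in external web server
FILESERVER = "192.168.60.5"   # assumed to be on another VLAN, so the router sees it


def demo() -> None:
    cases = [
        ("other host in 192.168.1.x to web, wildcard mistake", WILDCARD_MISTAKE, Packet("tcp", "192.168.1.77", WEB, 80)),
        ("blocked host to SMB, two-line ACL", HOST_ONLY, Packet("tcp", "192.168.50.22", FILESERVER, 445)),
        ("web reply back to blocked host, two-line ACL (what 'out' sees)", HOST_ONLY, Packet("tcp", WEB, "192.168.50.22", 49152)),
        ("blocked host to web, final ACL", FINAL, Packet("tcp", "192.168.50.22", WEB, 80)),
        ("blocked host to HTTPS, final ACL", FINAL, Packet("tcp", "192.168.50.22", WEB, 443)),
        ("another host to web, final ACL", FINAL, Packet("tcp", "192.168.50.40", WEB, 80)),
    ]
    for label, acl, pkt in cases:
        action, why = evaluate(acl, pkt)
        print(f"{label}: {action} by {why}")


if __name__ == "__main__":
    demo()
```

Two points the output makes concrete: the two-line ACL denies everything that is not port 80, including the web server's replies, so applied `out` on the sub-interface it cut the host off entirely, and the final ACL blocks only TCP/80, so HTTPS from the same host still passes; a "no web" request usually needs 443 denied as well.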
 