topic This could be the ACL to only in Network Security

Block an Outside Network with ACL

c.shinneman1 — Sun, 10 Mar 2019 13:32:33 GMT

So, my router has been submitting Syslog entries regarding IDS Evasion attempts.

How do I write an ACL that blocks ALL traffic to and/or from this Network:

NetRange: 23.32.0.0 - 23.67.255.255
CIDR: 23.64.0.0/14, 23.32.0.0/11

I am new to ACLs and am still in school for Cisco. So bare with me. We haven't covered much about ACLs yet.

Thanks a ton!

chris

This could be the ACL to only

Karsten Iwen — Wed, 13 Jan 2016 11:07:39 GMT

This could be the ACL to only block these two networks and allow the rest. You probably want to google the term "wildcard-mask" which is an inverse netmask:

ip access-list extended OUTSIDE-IN
  deny ip 23.32.0.0 0.31.255.255 any
  deny ip 23.64.0.0 0.3.255.255 any
  permit ip any any

The ACL has to be applied to the outside interface in incoming direction:

interface gig 0/0
  description Your public interface
  ip access-group OUTSIDE-IN in

Awesome! Thanks! I know

c.shinneman1 — Fri, 15 Jan 2016 15:13:43 GMT

Awesome! Thanks! I know about the Wildcard-mask. I just couldn't get the ACL to work with the way I was writing it. It would end up blocking ALL traffic in or out and I would lose internet access all together. Not sure what I was doing wrong.

I was writing something along the lines of this:

deny ip any host 23.32.0.00.31.255.255

And then I was applying that to G0/0 in

Always be aware of the

Karsten Iwen — Fri, 15 Jan 2016 16:41:09 GMT

Always be aware of the implicit "deny ip any any" ACE. If you only have deny lines in your ACL, then every traffic is denied.