topic Re: Restricting some of my internal hosts from accessin internet in Network Security

Restricting some of my internal hosts from accessin internet

obafemiboye — Mon, 11 Mar 2019 15:27:11 GMT

I will be glad if you can help me to compose an access list to block some address in my LAN (172.16.0.0/24). I want 172.16.0.1-172.16.0.65 to browse the internet and exclude all other address.

Re: Restricting some of my internal hosts from accessin internet

acomiskey — Mon, 04 May 2009 16:12:09 GMT

What device? Assuming ASA...only did www, but you can add https etc. or do ip instead of tcp etc.

access-list inside extended permit tcp 172.16.0.0 255.255.255.192 any eq www

access-list inside extended permit tcp host 172.16.0.64 any eq www

access-list inside extended permit tcp host 172.16.0.65 any eq www

access-list inside extended deny tcp any any eq www

access-group inside in interface inside

Re: Restricting some of my internal hosts from accessin internet

John Blakley — Mon, 04 May 2009 16:19:48 GMT

Since your acl would have to be split because of the range that you need to give, you could put all 64 addresses in an object group and then allow just that object group to the internet:

object-group network WEB

network host 172.16.0.0 255.255.255.192

network host 172.16.0.62

network host 172.16.0.63

network host 172.16.0.64

network host 172.16.0.65

access-list WEB permit tcp object-group WEB any eq 80

HTH,

John

Re: Restricting some of my internal hosts from accessin internet

obafemiboye — Tue, 05 May 2009 09:22:37 GMT

thanks for your reply.. Pls how do i insert the command : object-group network WEB. thanks for you kind reply

Re: Restricting some of my internal hosts from accessin internet

obafemiboye — Tue, 05 May 2009 10:30:29 GMT

Thanks for kind reply. I still cant get it working! My Router is 2821. Pls find attached a copy of my ''Show run'' and analysed this for me. Thanks once again for your time.

Re: Restricting some of my internal hosts from accessin internet

John Blakley — Tue, 05 May 2009 10:38:37 GMT

You don't have your access-list applied to an interface.

Create your access-list and apply like this:

ip access-list extended BLOCKWWW

permit tcp 172.16.0.0 255.255.255.192 any eq www

permit tcp host 172.16.0.64 any eq www

permit tcp host 172.16.0.65 any eq www

deny tcp any any eq www

permit ip any any

int g0/0

ip access-group BLOCKWWW in

This will only allow traffic to the web for the hosts you specified. It will allow everything else out.

HTH,

John

Re: Restricting some of my internal hosts from accessin internet

John Blakley — Tue, 05 May 2009 10:40:37 GMT

I gave you a config for an ASA. Object groups don't exist under routers that I'm aware of 😃

John

Re: Restricting some of my internal hosts from accessin internet

obafemiboye — Wed, 06 May 2009 07:38:05 GMT

Thanks so much,John. The Named-ACL works perfectly for my network. I really appreciate your effort. GOD bless

Re: Restricting some of my internal hosts from accessin internet

Jon Marshall — Wed, 06 May 2009 08:06:20 GMT

John

Just for your info object-groups are now supported on IOS with a minimum of 12.4(20)T.

I haven't tried them out though so not sure how close they are to ASA/Pix object-groups.

Jon