topic ACL help: Reducing an IPs access to nothing in Network Security https://community.cisco.com/t5/network-security/acl-help-reducing-an-ips-access-to-nothing/m-p/878888#M957688 <P>We have someone at a remote facility who keeps attaching his Mac to the network and it spews out several gigs of data some mornings to Mac.com.</P><P></P><P>I wanted to review if what I was doing would more or less work, though it may not be very elegant.</P><P></P><P>Basically I assign him a static DHCP lease and then I do the following:</P><P></P><P>On our ASA5520 that firewalls all internet traffic I made the following entry:</P><P></P><P>access-list inside_acl extended deny ip host 192.168.133.44 any</P><P></P><P></P><P>Also, for kicks I did the following on their MPLS router's fast ethernet interface that connects to the switch:</P><P></P><P>ip access-list extended blockmac</P><P> deny ip host 192.168.133.44 any</P><P> permit ip any any</P><P></P><P>interface FastEthernet0/0</P><P> ip access-group blockmac out</P><P> </P><P> </P><P>I don't see any hits when I do a "show access-list" for that ACL though so it makes me wonder.</P><P></P><P>Thank you for any help.</P><P></P><P></P> Wed, 13 Mar 2019 00:56:45 GMT jimgrumbles 2019-03-13T00:56:45Z ACL help: Reducing an IPs access to nothing https://community.cisco.com/t5/network-security/acl-help-reducing-an-ips-access-to-nothing/m-p/878888#M957688 <P>We have someone at a remote facility who keeps attaching his Mac to the network and it spews out several gigs of data some mornings to Mac.com.</P><P></P><P>I wanted to review if what I was doing would more or less work, though it may not be very elegant.</P><P></P><P>Basically I assign him a static DHCP lease and then I do the following:</P><P></P><P>On our ASA5520 that firewalls all internet traffic I made the following entry:</P><P></P><P>access-list inside_acl extended deny ip host 192.168.133.44 any</P><P></P><P></P><P>Also, for kicks I did the following on their MPLS router's fast ethernet interface that connects to the switch:</P><P></P><P>ip access-list extended blockmac</P><P> deny ip host 192.168.133.44 any</P><P> permit ip any any</P><P></P><P>interface FastEthernet0/0</P><P> ip access-group blockmac out</P><P> </P><P> </P><P>I don't see any hits when I do a "show access-list" for that ACL though so it makes me wonder.</P><P></P><P>Thank you for any help.</P><P></P><P></P> Wed, 13 Mar 2019 00:56:45 GMT https://community.cisco.com/t5/network-security/acl-help-reducing-an-ips-access-to-nothing/m-p/878888#M957688 jimgrumbles 2019-03-13T00:56:45Z Re: ACL help: Reducing an IPs access to nothing https://community.cisco.com/t5/network-security/acl-help-reducing-an-ips-access-to-nothing/m-p/878889#M957689 <HTML><HEAD></HEAD><BODY><P>I'm assuming that the ASA does NAT so your internet router should never see the private address. The ACL looks OK for the ASA, you just have to make sure it's high enough to actually take effect. Remember that ACLs are read from the top down so if you allow HTTP above that deny rule, he will still be able to do HTTP!</P><P></P><P>HTH and please rate.</P></BODY></HTML> Fri, 04 Jan 2008 14:27:24 GMT https://community.cisco.com/t5/network-security/acl-help-reducing-an-ips-access-to-nothing/m-p/878889#M957689 Collin Clark 2008-01-04T14:27:24Z