01-12-2016 08:34 PM - edited 03-10-2019 06:32 AM
So, my router has been submitting Syslog entries regarding IDS Evasion attempts.
How do I write an ACL that blocks ALL traffic to and/or from this Network:
NetRange: 23.32.0.0 - 23.67.255.255
CIDR: 23.64.0.0/14, 23.32.0.0/11
I am new to ACLs and am still in school for Cisco. So bear with me. We haven't covered much about ACLs yet.
Thanks a ton!
chris
01-13-2016 03:07 AM
This could be the ACL to only block these two networks and allow the rest. You probably want to google the term "wildcard-mask" which is an inverse netmask:
ip access-list extended OUTSIDE-IN
deny ip 23.32.0.0 0.31.255.255 any
deny ip 23.64.0.0 0.3.255.255 any
permit ip any any
The ACL has to be applied to the outside interface in incoming direction:
interface gig 0/0
description Your public interface
ip access-group OUTSIDE-IN in
01-15-2016 07:13 AM
Awesome! Thanks! I know about the Wildcard-mask. I just couldn't get the ACL to work with the way I was writing it. It would end up blocking ALL traffic in or out and I would lose internet access all together. Not sure what I was doing wrong.
I was writing something along the lines of this:
deny ip any host 23.32.0.00.31.255.255
And then I was applying that to G0/0 in
01-15-2016 08:41 AM
Always be aware of the implicit "deny ip any any" ACE. If you only have deny lines in your ACL, then all traffic is denied.
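As an added example that is not part of the thread, the script below ties together the two points made above: it derives the wildcard mask from each CIDR block (the inverse of the subnet mask), renders the same OUTSIDE-IN ACL the accepted answer gives, and then walks sample packets through the ACL top-down so the implicit "deny ip any any" at the end becomes visible. It goes slightly beyond the answer by also building the outbound counterpart (an ACL that blocks the two ranges as destinations), since the question asked about traffic to and from the ranges. The ACL name OUTSIDE-OUT and the sample packet addresses are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# IOS keyword "any" is base 0.0.0.0 with wildcard 255.255.255.255: every bit is a don't-care bit.
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_mask(cidr: str) -> tuple[str, str]:
    """Turn a CIDR block into the (network, wildcard) pair an IOS ACE expects.

    The wildcard mask is the inverse of the subnet mask: a 0 bit must match the
    network address exactly, a 1 bit is ignored. /11 -> 0.31.255.255, /14 -> 0.3.255.255.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def fmt_operand(pair: tuple[str, str]) -> str:
    """Render a (base, wildcard) pair the way IOS prints it."""
    base, wc = pair
    if (base, wc) == ANY:
        return "any"
    if wc == "0.0.0.0":  # "host X" is shorthand for "X 0.0.0.0": exactly one address
        return f"host {base}"
    return f"{base} {wc}"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source pair, destination pair."""
    action: str
    src: tuple[str, str]
    dst: tuple[str, str]

    def render(self) -> str:
        return f" {self.action} ip {fmt_operand(self.src)} {fmt_operand(self.dst)}"


def wildcard_match(addr: str, pair: tuple[str, str]) -> bool:
    """True if addr matches base on every bit the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(pair[0]))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(pair[1]))
    return (a & care) == (base & care)


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """Walk the ACL top-down and return the action of the first matching ACE.

    A packet that matches nothing falls through to the implicit 'deny ip any any'
    at the end of every IOS ACL, which is why an ACL made only of deny lines
    drops all traffic.
    """
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


def block_ranges(cidrs: list[str], direction: str, permit_rest: bool = True) -> list[Ace]:
    """Build ACEs that block the CIDRs as sources ("in") or as destinations ("out")."""
    aces = []
    for cidr in cidrs:
        pair = wildcard_mask(cidr)
        aces.append(Ace("deny", pair, ANY) if direction == "in" else Ace("deny", ANY, pair))
    if permit_rest:
        aces.append(Ace("permit", ANY, ANY))
    return aces


def render_acl(name: str, acl: list[Ace]) -> list[str]:
    return [f"ip access-list extended {name}"] + [ace.render() for ace in acl]


BLOCKED = ["23.32.0.0/11", "23.64.0.0/14"]  # the two CIDR blocks from the question

OUTSIDE_IN = block_ranges(BLOCKED, "in")     # the answer's ACL: drop packets *from* the ranges
OUTSIDE_OUT = block_ranges(BLOCKED, "out")   # assumed counterpart: drop packets *to* the ranges
DENY_ONLY = block_ranges(BLOCKED, "in", permit_rest=False)  # deny lines only, no permit

if __name__ == "__main__":
    for name, acl in (("OUTSIDE-IN", OUTSIDE_IN), ("OUTSIDE-OUT", OUTSIDE_OUT)):
        print("\n".join(render_acl(name, acl)))
    # Constructed sample packets, not taken from the thread:
    print(evaluate(OUTSIDE_IN, "23.45.1.1", "198.51.100.10"))   # deny: inside 23.32.0.0/11
    print(evaluate(OUTSIDE_IN, "23.68.0.1", "198.51.100.10"))   # permit: just past 23.64.0.0/14
    print(evaluate(DENY_ONLY, "8.8.8.8", "198.51.100.10"))      # deny: implicit deny, no permit line
```

The OUTSIDE-OUT ACL would be applied on the same public interface with `ip access-group OUTSIDE-OUT out`. Note how `host` is rendered: it is shorthand for a single address with wildcard 0.0.0.0, so `host 23.32.0.0` would match only that one address; matching a whole range needs a base address followed by a wildcard mask.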