Solved: Block an Outside Network with ACL

c.shinneman1 · ‎01-12-2016

So, my router has been submitting Syslog entries regarding IDS Evasion attempts.

How do I write an ACL that blocks ALL traffic to and/or from this Network:

NetRange: 23.32.0.0 - 23.67.255.255
CIDR: 23.64.0.0/14, 23.32.0.0/11

I am new to ACLs and am still in school for Cisco. So bare with me. We haven't covered much about ACLs yet.

Thanks a ton!

chris

Karsten Iwen · ‎01-13-2016

This could be the ACL to only block these two networks and allow the rest. You probably want to google the term "wildcard-mask" which is an inverse netmask:

ip access-list extended OUTSIDE-IN
  deny ip 23.32.0.0 0.31.255.255 any
  deny ip 23.64.0.0 0.3.255.255 any
  permit ip any any

The ACL has to be applied to the outside interface in incoming direction:

interface gig 0/0
  description Your public interface
  ip access-group OUTSIDE-IN in

View solution in original post

Karsten Iwen · ‎01-13-2016

This could be the ACL to only block these two networks and allow the rest. You probably want to google the term "wildcard-mask" which is an inverse netmask:

ip access-list extended OUTSIDE-IN
  deny ip 23.32.0.0 0.31.255.255 any
  deny ip 23.64.0.0 0.3.255.255 any
  permit ip any any

The ACL has to be applied to the outside interface in incoming direction:

interface gig 0/0
  description Your public interface
  ip access-group OUTSIDE-IN in

c.shinneman1 · ‎01-15-2016

Awesome! Thanks! I know about the Wildcard-mask. I just couldn't get the ACL to work with the way I was writing it. It would end up blocking ALL traffic in or out and I would lose internet access all together. Not sure what I was doing wrong.

I was writing something along the lines of this:

deny ip any host 23.32.0.00.31.255.255

And then I was applying that to G0/0 in

Karsten Iwen · ‎01-15-2016

Always be aware of the implicit "deny ip any any" ACE. If you only have deny lines in your ACL, then every traffic is denied.