Pix 501 - Access Lists, Access Lists, Access Lists

bwgray
Level 1

Hey Everyone,

I have a small setup and I'm trying to do a little learning here. What I want to do is block a group of internal hosts from accessing the internet, while allowing a couple of others to continue to do so. What I did was the following:

1) Created an object group for the hosts I want to block.

object-group network noweb

network-object host 10.0.0.10

network-object host 10.0.0.11

2) Then I created an access-list to stop these hosts from accessing the internet:

access-list 102 deny tcp any object-group noweb eq www

access-group 102 in interface outside

*So with all of the above I was hoping to block the internet traffic coming back in, but no dice.

Did the clear xlate, and refreshed the browsers but no luck.

I'm not that proficient with Access-lists I'm afraid. Pointers would be most appreciated.

Thanks,

BWG

4 Replies

thisisshanky
Level 11

Try doing this.

access-list 102 deny tcp object-group noweb any eq www

access-list 102 permit ip any any

access-group 102 in interface inside

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks!!!

OK, so if I understand this right:

access-list 102 deny tcp object-group noweb any eq www <-- stops all web traffic for object-group noweb

access-list 102 permit ip any any <-- permits all other traffic through? *Help me understand why I need to do this.

access-group 102 in interface inside <-- applies the access-list to inbound traffic on the inside interface

Many Thanks,

BWG

When you define an ACL, you permit packets that you want to explicitly allow, and at the very end there is an implicit deny any any statement which is usually not displayed in show run output. This will drop all packets that do not match the ACL.

In this case, you are right on line 1. It stops all web traffic from object-group noweb. Line 2 will permit the rest of the traffic. Otherwise, as explained above, the rest of the traffic will also be denied.

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
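To make the first-match and implicit-deny behaviour described above concrete, here is an added Python model of how the PIX walks access-list 102 (example code written for this page, not something from the thread or from Cisco). It uses the page's object-group noweb (10.0.0.10 and 10.0.0.11); the host 10.0.0.12 and the destination 203.0.113.5 are constructed.

```python
# Added example: a tiny first-match ACL evaluator that mirrors how the PIX
# walks an access-list top to bottom and then applies the implicit
# "deny ip any any" that never appears in the running config.
from ipaddress import ip_address, ip_network

NOWEB = {"10.0.0.10", "10.0.0.11"}  # object-group network noweb (from the thread)


def match_addr(spec, addr):
    """spec is 'any', a set of hosts (an object-group), or a network string."""
    if spec == "any":
        return True
    if isinstance(spec, set):
        return addr in spec
    return ip_address(addr) in ip_network(spec)


def evaluate(acl, proto, src, dst, dport):
    """Return (action, line) for the first ACE that matches.

    Each ACE is (action, protocol, source, destination, dest_port_or_None).
    If nothing matches, the implicit deny at the end of the list wins.
    """
    for lineno, (action, ace_proto, ace_src, ace_dst, ace_port) in enumerate(acl, 1):
        if ace_proto not in ("ip", proto):   # "ip" covers every protocol
            continue
        if not (match_addr(ace_src, src) and match_addr(ace_dst, dst)):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action, lineno
    return "deny", "implicit"


# access-list 102 as given in the reply above (with the protocol keyword)
ACL_102 = [
    ("deny", "tcp", NOWEB, "any", 80),     # deny tcp object-group noweb any eq www
    ("permit", "ip", "any", "any", None),  # permit ip any any
]

# The same list without line 2: only the implicit deny remains, so even
# hosts outside noweb lose all traffic, which is what the original poster hit.
ACL_102_NO_PERMIT = ACL_102[:1]

if __name__ == "__main__":
    print(evaluate(ACL_102, "tcp", "10.0.0.10", "203.0.113.5", 80))            # ('deny', 1)
    print(evaluate(ACL_102, "tcp", "10.0.0.12", "203.0.113.5", 80))            # ('permit', 2)
    print(evaluate(ACL_102_NO_PERMIT, "tcp", "10.0.0.12", "203.0.113.5", 80))  # ('deny', 'implicit')
```

Note that `eq www` matches only TCP port 80, so HTTPS (port 443) from the noweb hosts still falls through to line 2 and is permitted; the model shows that too.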

Awesome!!!

Thank you! What was stopping me was the implicit deny at the end - I totally forgot!!!

Now all is good. :)
