Access List Config Issues

Kaushik Ray
Level 1

Hello

I am trying to create an access list to allow access to only one remote server and block the users of the network from accessing the internet.

Before making the changes I pinged the internet IP address 8.8.8.8 and could ping it successfully:

ping vrf Internet 8.8.8.8 so GigabitEthernet0/0.802
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 588/590/596 ms

Then I applied this access list to allow access to only one host (which is the server) and block everything else:

ip access-list extended ISP_Block
 permit ip 192.168.2.0 0.0.0.255 1.1.1.1 0.0.0.0
 deny ip any any
!
interface GigabitEthernet0/0.802
 ip access-group ISP_Block in
 ip access-group ISP_Block out

After that I pinged the internet IP again and I could still reach it!

ping vrf Internet 8.8.8.8 source GigabitEthernet0/0.802
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 588/592/596 ms

Can anyone please advise where I may be going wrong?

Many thanks in advance.

2 Accepted Solutions

6 Replies

Peter Paluch
Cisco Employee

Hello,

Are you sending pings from your router? ACLs placed on the router do not apply to packets originated by the router itself. Can you try to ping from a device that sits behind the router?

Best regards,

Peter

Thanks Peter, I will get that checked. One thing to confirm: since the interface is in the same subnet as the one that is getting blocked, and I am using the source interface, should I not be able to see blocked packets from the router as well when I use the source interface?

thanks

Peter is exactly correct when he says that ACLs applied outbound on a router interface do not apply to packets generated by the router itself. This is true whether a source interface is specified or not. You cannot deny packets generated by the router.

The inbound access list should work fine, but it is blocking packets coming into the router on GigabitEthernet0/0.802 and not on the interface to the Internet.

I will also observe that it usually does not provide the result that you want when you apply the same ACL as inbound and outbound on the same interface. The way that you have written and applied the ACL will result in no device on interface GigabitEthernet0/0.802 being able to communicate - not even the host that you want to be able to.

HTH

Rick

Thanks Rick

How do you advise me to change the application of the ACL so that the devices on interface GigabitEthernet0/0.802 will be able to access the host? Would removing the outbound application help?

There are several ways that the access list can be done that will accomplish what you need and you can choose which alternative you prefer. Bear in mind that how you plan to apply the ACL will determine how you configure the ACL (or you can think that how you configure the ACL will determine how the ACL should be applied).

You have not given us the details but from what you have given us I am assuming that subnet 192.168.2.0 is located on interface GigabitEthernet0/0.802 and that host 1.1.1.1 is somewhere else. In that case configuring the access list as

ip access-list extended ISP_Block
 permit ip 192.168.2.0 0.0.0.255 1.1.1.1 0.0.0.0
 deny ip any any

says that the ACL should be applied inbound on the subinterface. If you wanted to apply the ACL outbound on the interface then you would change the permit line to this

 permit ip 1.1.1.1 0.0.0.0 192.168.2.0 0.0.0.255

It would work either way. I believe that most people would rather configure it the first way and use it inbound.

I will also note that this access list would be effective in limiting traffic from the 192.168.2.0 subnet and would require that any device on that subnet access 1.1.1.1 by IP address, since there would be no access to any DNS server to resolve names (unless 1.1.1.1 happens to be a name server).

HTH

Rick
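Rick's two points above (the permit line is direction-specific, and applying the same ACL both in and out on the LAN subinterface blocks even the permitted host because the reply traffic has source and destination swapped) and Peter's point that router-originated pings are not checked are easy to see with a small evaluator. The following Python is an added example, not code from the thread or from Cisco. It models IOS extended-ACL matching (first match wins, implicit deny at the end, wildcard bits set to 1 are "don't care") and uses constructed addresses: 192.168.2.10 as a PC behind Gi0/0.802, 192.0.2.7 as an unrelated 192.x.x.x host, 192.0.2.53 as a placeholder DNS server. It also shows why a wildcard of 0.255.255.255 (an easy slip when a /24 is meant) lets any 192.x.x.x source through, which is worth checking whenever an ACL like this is reviewed.

```python
"""Toy model of Cisco IOS extended-ACL evaluation (added example, not from the thread).

Rules modelled:
  * entries are checked top to bottom, first match wins;
  * every ACL ends with an implicit 'deny ip any any';
  * a wildcard bit set to 1 means "don't care" for that address bit;
  * packets the router itself originates are not checked by its own
    interface ACLs, which is why 'ping ... source Gi0/0.802' still works.
"""
import ipaddress

# Constructed sample addresses (only 1.1.1.1 and 8.8.8.8 come from the thread).
LAN_HOST = "192.168.2.10"   # a PC behind GigabitEthernet0/0.802
OTHER_192 = "192.0.2.7"     # some unrelated 192.x.x.x host (TEST-NET-1)
SERVER = "1.1.1.1"          # the one remote server that should stay reachable
INTERNET = "8.8.8.8"        # the address the poster pinged
DNS = "192.0.2.53"          # placeholder for the site's DNS server

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard does not mask out."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_ace(line: str):
    """Parse 'permit|deny ip SRC SRC-WC DST DST-WC', with 'any' and 'host X' shorthands."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]          # tokens[1] is the protocol ('ip')
    addrs = []
    while rest:
        if rest[0] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif rest[0] == "host":
            addrs.append((rest[1], "0.0.0.0"))
            rest = rest[2:]
        else:
            addrs.append((rest[0], rest[1]))
            rest = rest[2:]
    return action, addrs[0], addrs[1]

def evaluate(acl, src: str, dst: str, router_originated: bool = False) -> str:
    """Return 'permit' or 'deny' for one IP packet passing an interface ACL."""
    if router_originated:
        return "permit"                           # not subject to the router's own ACLs
    for line in acl:
        action, (s, sw), (d, dw) = parse_ace(line)
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"                                 # implicit deny ip any any

# Rick's first option: written for the LAN->server direction, applied inbound.
ACL_INBOUND = [
    "permit ip 192.168.2.0 0.0.0.255 1.1.1.1 0.0.0.0",
    "deny ip any any",
]
# Rick's second option: source/destination swapped, for outbound on the LAN side.
ACL_OUTBOUND = [
    "permit ip 1.1.1.1 0.0.0.0 192.168.2.0 0.0.0.255",
    "deny ip any any",
]
# Kaushik's final shape: also let the LAN reach its (placeholder) DNS server.
ACL_WITH_DNS = [
    "permit ip 192.168.2.0 0.0.0.255 1.1.1.1 0.0.0.0",
    "permit ip 192.168.2.0 0.0.0.255 host " + DNS,
    "deny ip any any",
]

def roundtrip(inbound_acl, outbound_acl):
    """(request verdict, reply verdict) for LAN_HOST talking to SERVER.

    The inbound ACL on Gi0/0.802 sees LAN->server; an outbound ACL on that same
    subinterface sees the reply, server->LAN, with source and destination swapped.
    """
    request = evaluate(inbound_acl, LAN_HOST, SERVER)
    reply = evaluate(outbound_acl, SERVER, LAN_HOST) if outbound_acl else "permit"
    return request, reply

if __name__ == "__main__":
    print("same ACL in+out (poster's config): ", roundtrip(ACL_INBOUND, ACL_INBOUND))
    print("inbound only:                      ", roundtrip(ACL_INBOUND, None))
    print("inbound + swapped outbound:        ", roundtrip(ACL_INBOUND, ACL_OUTBOUND))
    print("LAN host -> 8.8.8.8 inbound:       ", evaluate(ACL_INBOUND, LAN_HOST, INTERNET))
    print("router's own ping to 8.8.8.8:      ",
          evaluate(ACL_INBOUND, "192.168.2.1", INTERNET, router_originated=True))
    print("192.0.2.7 -> server, /24 wildcard: ", evaluate(ACL_INBOUND, OTHER_192, SERVER))
    print("192.0.2.7 -> server, 0.255.255.255:",
          evaluate(["permit ip 192.168.2.0 0.255.255.255 1.1.1.1 0.0.0.0"], OTHER_192, SERVER))
    print("LAN host -> DNS, with DNS entry:   ", evaluate(ACL_WITH_DNS, LAN_HOST, DNS))
```

Running it shows the poster's in-plus-out configuration returning ("permit", "deny"): the request leaves, the reply is dropped by the same entries read in the other direction, so even the permitted host gets nothing back. Inbound only, or inbound plus the swapped outbound list, gives ("permit", "permit"); the router's own ping is never evaluated; and the 0.255.255.255 wildcard permits a source outside 192.168.2.0/24.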

Rick

Thanks a lot for your detailed response; you are correct in saying that subinterface 0/0.802 is the one which hosts the 192.168.2.0/24 network and that 1.1.1.1 is elsewhere. I have used the first option you suggested and have also added "permit 192.168.2.0 0.0.0.255 host <DNS server IP address>" before the deny ip any any, so that they can configure their devices statically and put in the DNS servers statically.

I have asked for this to be tested and will revert back.

Thanks again for your time and detailed response.

Regards

Kaushik