
Access list to block outbound Internet access

simpsoro2
Beginner

I need to write an ACL on a 7206 router running 12.2(31)SB10. I need to block one certain host from being able to access the Internet. So, I gave the internal address a static xlate and then was going to write an ACL blocking that static xlate address from getting out. However, I am having some issues with the syntax.

I thought it would be something like this:

access-list 199 deny   ip 198.246.x.x any (obviously the x.x are real numbers)

That is not correct. It appears that it wants a netmask after the ip but still that wasn't correct. Any ideas?

2 Replies

Giuseppe Larosa
Hall of Fame Master

Hello Simpsoro2,

The correct syntax is:

access-list 199 deny ip host x.y.z.k any

Hope to help

Giuseppe

Hi,

There are many aspects to blocking one host from getting Internet access.

One, you can define an access list and apply it to the outbound interface.
Second, if you have global NAT configured on your router, then in that pool (could be a route-map) you need to block this host.


Example for the first one...

ip access-list extended outboudaccess
deny   ip host 10.38.5.140 any
permit ip any any

int gi0/0
ip access-group outboudaccess in


Example for the second one...

ip nat inside source route-map nonat pool nonat mapping-id 1 overload

ip access-list ex NONAT
deny   ip host 10.38.5.140 any
permit ip any any

Please rate the helpful posts.
Regards,
Naidu.
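
The following configuration is an added example, not taken from either reply. It combines the `host` syntax with the two points that decide whether the filter works as intended: the implicit deny at the end of every ACL, and whether the ACL sees the address before or after NAT. The address 192.0.2.140 is a placeholder for the static translated address, and the interface names, their inside/outside roles and the ACL name BLOCK-HOST-IN are assumptions.

```cisco
! Constructed example. 10.38.5.140 is the inside address used in the reply
! above; 192.0.2.140 is a placeholder for its static NAT (translated) address.
! Interface names and their inside/outside roles are assumptions.

! "host A.B.C.D" and "A.B.C.D 0.0.0.0" are the same match. A bare source
! address with neither form is rejected by the parser.
access-list 199 deny   ip host 192.0.2.140 any
! Every ACL ends with an implicit "deny ip any any". Without this line,
! applying ACL 199 would drop all other traffic on the interface as well.
access-list 199 permit ip any any

! Option A: filter outbound on the outside interface (assumed Gi0/1).
! Outbound ACLs are evaluated after inside-to-outside NAT, so the ACL
! must match the translated address.
interface GigabitEthernet0/1
 ip access-group 199 out

! Option B: filter inbound on the inside interface (assumed Gi0/0).
! Inbound ACLs are evaluated before NAT, so the ACL must match the real
! inside address. This also blocks the host from any other network that
! is reached through this interface, not only the Internet.
ip access-list extended BLOCK-HOST-IN
 deny   ip host 10.38.5.140 any
 permit ip any any
interface GigabitEthernet0/0
 ip access-group BLOCK-HOST-IN in

! Verification (exec mode): the match counter on the deny line should
! increase when the blocked host attempts outbound traffic.
! show access-lists 199
! show ip access-lists BLOCK-HOST-IN
! show ip interface GigabitEthernet0/0 | include access list
```

Use one option, not both; pick the address in the deny line according to the side of NAT on which the ACL is applied.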
