05-05-2011 01:22 PM - edited 03-04-2019 12:17 PM
I need to write an ACL on a 7206 router running 12.2(31)SB10. I need to block one certain host from being able to access the Internet. So, I gave the internal address a static xlate and then was going to write an ACL blocking that static xlate address from getting out. However I am having some issues with the syntax.
I thought it would be something like this:
access-list 199 deny ip 198.246.x.x any (obviously the x.x are real numbers)
That is not correct. It appears that it wants a netmask after the ip but still that wasn't correct. Any ideas?
05-05-2011 02:19 PM
Hello Simpsoro2,
correct syntax is:
access-list 199 deny ip host x.y.z.k any
Hope to help
Giuseppe
03-13-2012 01:36 AM
Hi,
There are many aspects to blocking one host from getting Internet access.
One, you can define one access list and apply that to the outbound interface.
Second, if you have global NAT configured on your router, then in that pool (could be route-map) you need to block this host.
Example for the first one...
ip access-list ex outboudaccess
deny ip host 10.38.5.140 any
permit ip any any
int gi0/0
ip access-group outboudaccess in
Example for the second one...
ip nat inside source route-map nonat pool nonat mapping-id 1 overload
ip access-list ex NONAT
deny ip host 10.38.5.140 any
permit ip any any
Please rate the helpful posts.
Regards,
Naidu.
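Added example, not part of the thread or of any poster's configuration: a small Python model of how extended `ip` ACL entries are parsed and matched, showing that `host A` is the same as `A 0.0.0.0`, that the field after a bare address is a wildcard (inverse) mask rather than a netmask, and that an ACL ends in an implicit deny. The addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress

ALL = 0xFFFFFFFF

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, ALL
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    # A bare address must be followed by a wildcard mask (1-bits = "don't care").
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' (prefix optional)."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]                      # drop 'access-list <number>'
    action, proto = tok.pop(0), tok.pop(0)
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("only 'permit|deny ip' entries are modelled")
    src, dst = _addr(tok), _addr(tok)
    if tok:
        raise ValueError("unexpected trailing tokens")
    return action, src, dst

def is_valid(line):
    """True if the entry parses; a bare address followed by 'any' does not."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False

def _match(ip, spec):
    base, wild = spec
    care = ~wild & ALL                     # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _match(src, s) and _match(dst, d):
            return action
    return "deny"

# Constructed sample using documentation-range addresses (not from the thread).
ACL = ["access-list 199 deny ip host 192.0.2.10 any",
       "access-list 199 permit ip any any"]
```

The model covers only `ip` entries; it does not model ports, interface direction, or the order in which NAT and ACLs are applied.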