
Access list to block outbound Internet access

simpsoro2
Level 1

I need to write an ACL on a 7206 router running 12.2(31)SB10. I need to block one certain host from being able to access the Internet. So, I gave the internal address a static xlate and then was going to write an ACL blocking that static xlate address from getting out. However, I am having some issues with the syntax.

I thought it would be something like this:

access-list 199 deny   ip 198.246.x.x any (obviously the x.x are real numbers)

That is not correct. It appears that it wants a netmask after the ip but still that wasn't correct. Any ideas?


Giuseppe Larosa
Hall of Fame

Hello Simpsoro2,

Correct syntax is:

access-list 199 deny ip host x.y.z.k any

Hope to help

Giuseppe

Hi,

There are many aspects to blocking one host from getting Internet access.

First, you can define an access list and apply it to the outbound interface.
Second, if you have global NAT configured on your router, then in that pool (could be a route-map) you need to block this host.


Example for the first one...

ip access-list ex outboudaccess
deny   ip host 10.38.5.140 any
permit ip any any

int gi0/0
ip access-group outboudaccess in


Example for the second one...

ip nat inside source route-map nonat pool nonat mapping-id 1 overload

ip access-list ex NONAT
deny   ip host 10.38.5.140 any
permit ip any any

Please rate the helpful posts.
Regards,
Naidu.
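
As an added example (not code from any poster in this thread), here is a small Python model of how the source and destination fields of an extended `ip` ACL entry are read. It shows why a bare address followed by `any` is rejected, and why a list holding only a `deny` entry blocks every host through the implicit deny at the end. The addresses 192.0.2.10, 192.0.2.11 and 203.0.113.5 and all function names are constructed for illustration; this is a simplified model of the syntax, not the IOS parser.

```python
import ipaddress

def parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') -> (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF  # every bit is "don't care"
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(tok))
    # A bare address must be followed by wildcard bits, so 'any' here is an error.
    return addr, int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    if tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    rest = tokens[4:]
    try:
        src, dst = parse_addr(rest), parse_addr(rest)
    except (IndexError, ValueError) as exc:
        raise ValueError(f"bad address spec in {line!r}") from exc
    if rest:
        raise ValueError(f"trailing tokens in {line!r}")
    return tokens[2], src, dst

def matches(spec, ip):
    """Compare only the bits whose wildcard bit is 0."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl_lines, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"  # implicit 'deny ip any any' that ends every ACL

# Constructed sample data (documentation address ranges).
BLOCKED, OTHER, DEST = "192.0.2.10", "192.0.2.11", "203.0.113.5"
DENY_ONLY = ["access-list 199 deny ip host 192.0.2.10 any"]
FULL = DENY_ONLY + ["access-list 199 permit ip any any"]

if __name__ == "__main__":
    for name, acl in (("deny only", DENY_ONLY), ("deny + permit", FULL)):
        for src in (BLOCKED, OTHER):
            print(f"{name:14} {src:12} -> {evaluate(acl, src, DEST)}")
```

With only the `deny` line in the list, the other host is dropped as well, so the explicit `permit ip any any` line is what keeps the rest of the network working.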
