04-11-2006 03:24 PM - edited 03-03-2019 12:22 PM
I don't want to have internet access for my network, but there are some machines on which I need to have internet access only for Windows auto updates and McAfee antivirus auto updates.
Can I limit this access through an access list on a router? If yes, then how?
04-11-2006 03:26 PM
Yes, you can. I would probably configure an inbound access-list on the router interface towards your LAN which allows those IP addresses to get out to the Internet but blocks everything else.
Post more details/router configs if you want more details...
Please do remember to rate posts.
Paresh
04-12-2006 02:50 PM
Paresh
Config is attached. Currently we have only the GRE tunnel configured on it; once we have the access list I will configure NAT for internet access. I would appreciate it if you could suggest an access list with the particular port numbers for Windows Update and McAfee updates; the rest of the traffic should be denied.
router#sh run
Building configuration...
Current configuration : 1621 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
interface Tunnel0
ip address 10.34.0.2 255.255.255.252
tunnel source x.x.x.194
tunnel destination y.y.y.115
!
interface FastEthernet0/0
ip address x.x.x.194 255.255.255.224
speed 100
full-duplex
!
interface FastEthernet1/0
ip address 10.10.118.1 255.255.0.0
speed 100
full-duplex
!
interface Serial1/0
no ip address
shutdown
clockrate 2000000
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/1
no ip address
shutdown
clockrate 2000000
!
router rip
version 2
passive-interface default
no passive-interface Tunnel0
network 1.0.0.0
network 10.0.0.0
neighbor y.y.y.115
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.193
ip http server
!
dial-peer cor custom
!
!
!
!
!
line con 0
password xxxx
login
speed 115200
line aux 0
line vty 0 4
password xxxxx
login
!
end
router#
04-12-2006 11:00 PM
Hi Paresh,
I pondered this issue some time ago.
In his case, he wants to limit Internet access to a group of machines, for Windows Updates and McAfee Antivirus Updates only.
Because the IP addresses of these servers may change though the FQDNs don't, how do we go about configuring the ACL?
access-list 100 permit tcp host
Please advise.
Thank you.
B.Rgds,
Lim TS
04-13-2006 08:17 AM
Hello,
you could use NBAR to match HTTP URLs assuming the McAfee updates use HTTP. Microsoft updates should be no problem.
It could look like this (untested though, as I have no router available right now):
! traffic from the permitted hosts (ACL 100) to the update sites, matched on
! the HTTP Host header ("host", not "url": "url" only matches the path after
! the host name; "match access-group" is the class-map form, not "match ip address")
class-map match-all MS
 match access-group 100
 match protocol http host "*.microsoft.com"
class-map match-all McAfee
 match access-group 100
 match protocol http host "*.mcafee.com"
! everything that is neither MS nor McAfee (match-all: both conditions must hold;
! the keyword is "class-map", not "class")
class-map match-all restrict
 match not class-map MS
 match not class-map McAfee
policy-map MyMap
 class MS
 class McAfee
 class restrict
  drop
! the LAN-facing interface (FastEthernet1/0 in the posted config)
interface Ethernet0/0
 service-policy input MyMap
! the hosts that may update (address left out in the original post)
access-list 100 permit ip host
Hope this helps! Please rate all posts.
Regards, Martin
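Combining Paresh's host-based ACL with Martin's NBAR classes against the posted config, as an added example that is not from any of the posts: the two update workstations 10.10.118.50 and 10.10.118.51 and an external DNS server reached through the default route are assumed, while FastEthernet1/0 and Tunnel0 come from the show run above.

```cisco
! Added example (not from the thread). Assumed: update hosts 10.10.118.50/.51
! and an external DNS server reached through the default route; interface
! names come from the posted "show run".
!
! 1. Source-based restriction (Paresh's approach): only the two update hosts
!    may leave for the Internet, and only for DNS and HTTP/HTTPS. Traffic that
!    stays inside 10.0.0.0/8 (local LAN and the remote site behind Tunnel0)
!    is not affected.
ip access-list extended UPDATE-ONLY
 remark keep LAN-to-LAN and GRE tunnel traffic working
 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 remark update hosts: name resolution and web access only
 permit udp host 10.10.118.50 any eq domain
 permit udp host 10.10.118.51 any eq domain
 permit tcp host 10.10.118.50 any eq www
 permit tcp host 10.10.118.51 any eq www
 permit tcp host 10.10.118.50 any eq 443
 permit tcp host 10.10.118.51 any eq 443
 remark everything else leaving the LAN is dropped and logged
 deny ip any any log
!
! 2. Destination-based restriction (Martin's approach): HTTP that the ACL
!    lets through must still carry a Microsoft or McAfee Host header; any
!    other HTTP from the update hosts is dropped.
access-list 100 permit ip host 10.10.118.50 any
access-list 100 permit ip host 10.10.118.51 any
class-map match-all MS
 match access-group 100
 match protocol http host "*.microsoft.com"
class-map match-all McAfee
 match access-group 100
 match protocol http host "*.mcafee.com"
class-map match-all OTHER-HTTP
 match access-group 100
 match protocol http
!
policy-map UPDATES
 class MS
 class McAfee
 class OTHER-HTTP
  drop
!
interface FastEthernet1/0
 ip access-group UPDATE-ONLY in
 service-policy input UPDATES
```

The `match protocol http host` keyword and the `drop` action are not present in every 12.2 image, so check both on the router before relying on this. HTTPS (443) is allowed by the ACL alone, since NBAR cannot read the host name inside an encrypted session, and the host patterns must cover every name the updaters actually contact.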