ACL block single IP

chrissnop
Level 1

Hi guys, hope I'm on the right forum.

Just a noob question, please bear with me.

I got a config from this link: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html, which I type below.

Network infrastructure is quite basic.

<Internal network> - - - <Cisco router> - - - <ISP or Internet>

The config below denies an IP (it's copied from the link above and uses a private IP). I will change it to a public IP.

hostname R1
!
interface ethernet0
ip access-group 1 in
!
access-list 1 deny host 192.168.10.1
access-list 1 permit any

I want to block a single IP from the internet from accessing my internal network.

Or should the ACL statement be like:

access-list 1 deny ip 192.168.10.1 0.0.0.0 any


My question is, if I change the private IP 192.168.10.1 to a public IP, will there be any issues on the network? I'm afraid to make the change because other IPs might be blocked.

But of course the config is quite obvious in that it's only blocking a single IP; I just want to make sure with you guys.

And do I need to make an access list for outgoing? Or is there no need?

What's the difference between deny ip and deny host?

Thank you.

Accepted Solution

Mark Malone
VIP Alumni

Yes, that's fine: just block 1 public IP from coming inbound and let the last line allow all others. ACLs work from the most specific down to the most open when configuring them, so it looks ok.

If you're unsure about making a change and you're remote, you can just do a reload in 5; then, if you're locked out by your change, the router will reboot and go back to the previously saved config, disregarding the ACL change. Just a safety thing when working remotely on changes to an interface you're coming in over.

You only need an outbound one if you have users trying to speak to that public IP address too. deny ip can be a range, like deny 192.168.10.0/24, while if you specify host it's the 32-bit host, that's it, a single IP only. If it's a public IP just block it by host, as you probably don't have the subnet range unless you own it.

You can use a standard ACL like your first example (1-99), or use an extended one as well if you require a bit more complexity, like specifying exactly who it can speak to.

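The answer above rests on three IOS behaviours: a standard ACL is walked top-down and the first matching entry wins, `host A` is the same as `A 0.0.0.0` (one address) while a non-zero wildcard such as `0.0.0.255` covers a range, and an implicit `deny any` follows the last configured line, which is why the closing `permit any` matters. The following Python script is an added example, not code from the original thread or from Cisco: it parses standard numbered ACLs in IOS syntax and evaluates sample source addresses against them the way the router would. The addresses (203.0.113.25 as the host to block, plus two other sources) are constructed RFC 5737 documentation addresses, and the ACL texts are constructed for the example.

```python
"""Emulate how IOS evaluates a standard numbered ACL: first match wins,
and an implicit 'deny any' follows the last configured entry."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample ACLs in IOS syntax. 203.0.113.25 stands in for the
# Internet host the poster wants to block (assumption: an RFC 5737
# documentation address, not an address from the original thread).
ACL_SINGLE_HOST = """
access-list 1 remark block one Internet host, allow everything else
access-list 1 deny host 203.0.113.25
access-list 1 permit any
"""

# Same effect written with an explicit all-zero wildcard mask.
ACL_ZERO_WILDCARD = """
access-list 4 deny 203.0.113.25 0.0.0.0
access-list 4 permit any
"""

# A wildcard of 0.0.0.255 matches the whole /24, not one host.
ACL_WILDCARD_RANGE = """
access-list 2 deny 203.0.113.0 0.0.0.255
access-list 2 permit any
"""

# The failure mode the poster feared: no 'permit any' after the deny,
# so the implicit deny at the end drops every other source too.
ACL_MISSING_PERMIT = """
access-list 3 deny host 203.0.113.25
"""


@dataclass
class Ace:
    action: str    # "permit" or "deny"
    network: int   # address bits that must match, as a 32-bit integer
    wildcard: int  # IOS wildcard mask: 1 bits are "don't care"

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        care = 0xFFFFFFFF ^ self.wildcard
        return (a & care) == (self.network & care)


def parse_standard_acl(text: str, number: int) -> List[Ace]:
    """Parse 'access-list N permit|deny <host A | A W | A | any>' lines."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        action, spec = tokens[2], tokens[3:]
        if action == "remark":
            continue
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {raw.strip()}")
        if spec[0] == "any":
            network, wildcard = 0, 0xFFFFFFFF
        elif spec[0] == "host":
            network, wildcard = int(ipaddress.IPv4Address(spec[1])), 0
        else:
            network = int(ipaddress.IPv4Address(spec[0]))
            # IOS treats a bare address as wildcard 0.0.0.0 (a single host)
            wildcard = int(ipaddress.IPv4Address(spec[1])) if len(spec) > 1 else 0
        aces.append(Ace(action, network, wildcard))
    return aces


def evaluate(aces: List[Ace], src: str) -> str:
    """Top-down, first match wins; nothing matched means the implicit deny."""
    for ace in aces:
        if ace.matches(src):
            return ace.action
    return "deny"


def decisions(text: str, number: int, sources: List[str]) -> Dict[str, str]:
    """Map each sample source address to the ACL's permit/deny decision."""
    aces = parse_standard_acl(text, number)
    return {src: evaluate(aces, src) for src in sources}


SAMPLE_SOURCES = ["203.0.113.25", "203.0.113.26", "198.51.100.7"]

if __name__ == "__main__":
    for name, text, number in [
        ("deny host", ACL_SINGLE_HOST, 1),
        ("deny A 0.0.0.0", ACL_ZERO_WILDCARD, 4),
        ("deny A 0.0.0.255", ACL_WILDCARD_RANGE, 2),
        ("no permit any", ACL_MISSING_PERMIT, 3),
    ]:
        print(f"{name:18} {decisions(text, number, SAMPLE_SOURCES)}")
```

Running it shows that ACL 1 and ACL 4 produce identical entries and only drop 203.0.113.25, ACL 2 also drops the neighbouring 203.0.113.26 because the wildcard covers the whole /24, and ACL 3 drops every source, including 198.51.100.7, because nothing after the deny line permits anything. The parser only understands standard-ACL syntax (source address only); the `deny ip <src> <wildcard> any` form from the question is extended-ACL syntax (numbered 100-199 on IOS) and would be rejected here, just as IOS rejects it on `access-list 1`. Applied with `ip access-group 1 in` on the Internet-facing interface, the source address checked is that of packets arriving from the Internet, which is the direction the original post is after.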

5 Replies


Hi Mark, thank you so much for your reply.

From your reply, you said reload in 5.

Reload in 5: is it 5 mins or secs?

What is the command for that?

Thanks.

Hey, yes, that's the command; hours or minutes, as below. Then when you're finished, reload cancel stops it from rebooting.

SWA1#reload ?
  /noverify    Don't verify file signature before reload.
  /verify      Verify file signature before reload.
  LINE         Reason for reload
  at           Reload at a specific time/date
  cancel       Cancel pending reload
  in           Reload after a time interval
  slot         Slot number card
  standby-cpu  Standby RP
  <cr>

SWA1#reload in ?
Delay before reload (mmm or hhh:mm)

SWA1#reload in

Thanks Mark, I'll try it out.

chrissnop
Level 1

Thanks Mark for your help. Yes, I was able to successfully block the IP. The reload command is a safe haven.
