04-11-2016 01:11 AM - edited 03-05-2019 03:46 AM
Hi guys, hope I'm on the right forum.
Just a noob question, please bear with me.
Got from this link: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html a config which I type below.
Network infrastructure is quite basic.
<Internal network> - - - <Cisco router> - - - <ISP or Internet>
Config below denies an IP (it's copied from the link above and uses a private IP) I will change it to a public IP.
hostname R1
!
interface ethernet0
ip access-group 1 in
!
access-list 1 deny host 192.168.10.1
access-list 1 permit any
I want to block a single IP from the internet to access my internal network.
or the acl statement should be like:
access-list 1 deny ip 192.168.10.1 0.0.0.0 any
My question is, if I change the private IP 192.168.10.1 to a public IP, will there be any issues on the network? I'm afraid to make the change because other IPs might be blocked.
But of course the config is quite obvious that it's only blocking a single IP; I just want to make sure with you guys.
And do I need to make an access list for outgoing? Or is there no need?
What's the difference between deny ip and deny host?
Thank you.
04-11-2016 02:34 AM
Yes, that's fine: just block 1 public IP from coming inbound, and the last line allows all others. ACLs work from the most specific down to the most open when configuring them, so it looks ok.
If you're unsure about making a change and you're remote, you can just do a reload in 5, so then if you're locked out by your change the router will reboot and go back to the previously saved config, disregarding the ACL change. Just a safety thing if you're remote, working on changes on an interface you're coming in over.
You only need outbound if you have users trying to speak to that public IP address too. deny ip can be a range like deny 192.168.10.0/24, while if you specify host it's the 32-bit host, that's it, a single IP only. If it's a public IP just block it by host, as you probably don't have the subnet range unless you own it.
You can use a standard ACL like your first example (1-99), or use an extended one as well if you require a bit more complexity, like specifying exactly who it can speak to.
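To see why the single-host entry above blocks only that one address, here is an added example (not from the original thread or from Cisco) that models how IOS evaluates a standard ACL: entries are checked in order, the first match decides, and an implicit "deny any" sits at the end. It parses the poster's own two lines plus two constructed variants: a wildcard range of the kind the reply mentions, and a list where the "permit any" was forgotten. The sample source addresses and the ACL numbers 2 and 3 are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry of a standard (source-only) IOS ACL."""
    action: str    # "permit" or "deny"
    network: int   # source address as a 32-bit integer
    wildcard: int  # wildcard mask: 0 bits must match, 1 bits are "don't care"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(lines):
    """Parse lines such as
         access-list 1 deny host 192.168.10.1
         access-list 1 permit any
         access-list 2 deny 192.168.10.0 0.0.0.255
    into ACEs in the order they were entered (order matters in IOS)."""
    aces = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] == "!":
            continue  # blank line or IOS comment separator
        if parts[0] != "access-list" or len(parts) < 4:
            raise ValueError(f"not a standard ACL entry: {line!r}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        src = parts[3:]
        if src == ["any"]:
            net, wc = 0, 0xFFFFFFFF            # every bit is "don't care"
        elif src[0] == "host":
            net, wc = _ip(src[1]), 0           # "host A" == "A 0.0.0.0"
        elif len(src) == 1:
            net, wc = _ip(src[0]), 0           # bare address is also a host
        else:
            net, wc = _ip(src[0]), _ip(src[1])  # address plus wildcard mask
        aces.append(Ace(action, net, wc))
    return aces


def matches(ace: Ace, addr: int) -> bool:
    """Wildcard comparison: only the bits where the wildcard is 0 are compared."""
    care = 0xFFFFFFFF ^ ace.wildcard
    return addr & care == ace.network & care


def evaluate(aces, source: str) -> str:
    """First matching ACE wins; IOS appends an implicit 'deny any'."""
    addr = _ip(source)
    for ace in aces:
        if matches(ace, addr):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


# The list from the original post (the private address stands in for the
# public one the poster intends to block).
OP_ACL = [
    "access-list 1 deny host 192.168.10.1",
    "access-list 1 permit any",
]

# Constructed variants for comparison.
RANGE_ACL = [
    "access-list 2 deny 192.168.10.0 0.0.0.255",  # whole /24, as the reply describes
    "access-list 2 permit any",
]
FORGOT_PERMIT_ACL = [
    "access-list 3 deny host 192.168.10.1",       # no explicit permit: implicit deny bites
]

# Constructed sample sources: the target, a neighbour in its /24, an address
# outside that /24, and an unrelated documentation-range address.
SAMPLE_SOURCES = ["192.168.10.1", "192.168.10.2", "192.168.11.1", "203.0.113.7"]


def decisions(acl_lines):
    """Map each sample source to the permit/deny decision for the given ACL."""
    aces = parse_standard_acl(acl_lines)
    return {src: evaluate(aces, src) for src in SAMPLE_SOURCES}


def host_forms_are_equivalent() -> bool:
    """'host A' and 'A 0.0.0.0' produce the identical ACE."""
    a = parse_standard_acl(["access-list 1 deny host 192.168.10.1"])[0]
    b = parse_standard_acl(["access-list 1 deny 192.168.10.1 0.0.0.0"])[0]
    return a == b


if __name__ == "__main__":
    for name, acl in [("OP_ACL", OP_ACL), ("RANGE_ACL", RANGE_ACL),
                      ("FORGOT_PERMIT_ACL", FORGOT_PERMIT_ACL)]:
        print(name, decisions(acl))
    print("host == 0.0.0.0 wildcard:", host_forms_are_equivalent())
```

The third list is the case worth checking before applying an ACL inbound on the Internet-facing interface: without the trailing "permit any", the implicit deny drops every other source too, which is exactly the lockout the "reload in" safety net in the reply guards against.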
04-11-2016 03:03 AM
Hi Mark, thank you so much for your reply.
From your reply, you said reload in 5.
Reload in 5, is it 5 mins or secs?
What is the command for that?
Thanks.
04-11-2016 04:04 AM
Hey, yes, that's the command, hours or minutes as below; then when you're finished, reload cancel to stop it from rebooting.
SWA1#reload ?
/noverify Don't verify file signature before reload.
/verify Verify file signature before reload.
LINE Reason for reload
at Reload at a specific time/date
cancel Cancel pending reload
in Reload after a time interval
slot Slot number card
standby-cpu Standby RP
<cr>
SWA1#reload in ?
Delay before reload (mmm or hhh:mm)
SWA1#reload in
04-11-2016 06:33 PM
Thanks Mark, I'll try it out.
04-12-2016 06:41 PM
Thanks Mark for your help, yes I was able to successfully block the IP. The reload command is a safe haven.