cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
20310
Views
5
Helpful
5
Replies

ACL block single IP

chrissnop
Beginner
Beginner

Hi guys, hope i'm on the right forum.

Just a noob question, please bear with me.

Got from this link: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html a config which i type below.

Network infrastructure is quite basic.

<Internal network> - - - <Cisco router> - - - <ISP or Internet>

Config below denies an IP (it's copied from the link above and uses a private IP) I will change it to a public IP.

hostname R1
!
interface ethernet0
ip access-group 1 in
!
access-list 1 deny host 192.168.10.1
access-list 1 permit any

I want to block a single IP from the internet to access my internal network.

or the acl statement should be like: 

access-list 1 deny ip 192.168.10.1 0.0.0.0 any

 

My question is, If I will change the private IP 192.168.10.1 to a  public IP. Will there be any issues on the network? I'm afraid to make the change because other IPs might be block.

But of course config is quite obvious that it's only blocking a single IP just want to make sure from you guys.

And do I need to make an access list for outgoing? or no need?

What's the difference between deny ip and deny host? 

Thank you.

1 Accepted Solution

Accepted Solutions

Mark Malone
Mentor
Mentor

yes that's fine just block 1 public ip from coming inbound and last line allow all others , acls work most specific down to the most open when configuring them so looks ok

If your unsure about making a change and your remote , you can just do a reload in 5 so then if your locked out from your change the router will reboot any go back to previous saved config disregarding the ACL change. Just a safety thing if remote working on changes on an interface your coming ion over

Only need to outbound if you have users trying to speak to that public ip address too , deny ip can be a range like deny 192.168.10.0/24 while if you specify host its the 32bit host that's it single ip only , if its public Ip just block it by host as you probably don't have the subnet range unless you own it

You can use a standard acl like your first example 1-99 or use an extended as well if you require bit more complexity like specifying exactly who it can speak to

View solution in original post

5 Replies 5

Mark Malone
Mentor
Mentor

yes that's fine just block 1 public ip from coming inbound and last line allow all others , acls work most specific down to the most open when configuring them so looks ok

If your unsure about making a change and your remote , you can just do a reload in 5 so then if your locked out from your change the router will reboot any go back to previous saved config disregarding the ACL change. Just a safety thing if remote working on changes on an interface your coming ion over

Only need to outbound if you have users trying to speak to that public ip address too , deny ip can be a range like deny 192.168.10.0/24 while if you specify host its the 32bit host that's it single ip only , if its public Ip just block it by host as you probably don't have the subnet range unless you own it

You can use a standard acl like your first example 1-99 or use an extended as well if you require bit more complexity like specifying exactly who it can speak to

Hi Mark, thank you so much for your reply.

From your reply, you said reload in 5.

Reload in 5 is it 5 mins. or secs?

What is the command for that?

Thanks.

Hey yes that the command hours or minutes as below , then when your finished reload cancel to stop it from rebooting

SWA1#reload ?
  /noverify    Don't verify file signature before reload.
  /verify      Verify file signature before reload.
  LINE         Reason for reload
  at           Reload at a specific time/date
  cancel       Cancel pending reload
  in           Reload after a time interval
  slot         Slot number card
  standby-cpu  Standby RP
  <cr>

SWA1#reload in ?
Delay before reload (mmm or hhh:mm)

SWA1#reload in

Thanks Mark, i'll try it out.

chrissnop
Beginner
Beginner

Thanks Mark for your help, yes I was able to successfully block the IP. The reload command is a safe haven.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers