ACL on WAN interface

Kingsleyizuka
Level 1
Hi Everyone,
 
I've a Cisco router running IOS 12.4 but it seems impossible to configure an ACL to restrict access to a particular IP outside the network i.e. on the internet.
 
When I used "deny ip" or "deny tcp" and applied the "IN" acl group on the interface, it restricted access to all IP or TCP requests on that interface respectively. "IN" is the only option available in the IOS.
 
For example, to block access to google:
access-list 190 deny ip any 216.58.223.206 0.0.0.0
OR
access-list 190 deny tcp any 216.58.223.206 0.0.0.0
 
and apply to the interface
ip access-group 190 in (because ONLY "IN" option is available)
 
Also, why does the IOS have only IN option for applying the ACL?
 
Thanks.
 
Tell me, I’ll forget; Show me, I’ll remember; Involve me, I’ll understand
~ Chinese Proverb
3 Replies

Jon Marshall
Hall of Fame

 

Don't know why you cannot apply an acl outbound but you can apply the acl inbound on your LAN interface. 

 

Don't forget "permit ip any any" in your acl for all the other traffic. 

 

Jon

Thanks.

 

But isn't "permit ip any any" implicitly added on all lists?

 

I was expecting implicit permit for all other traffic.

 

Then, if you need to customise you could use:

"no permit any any" on the ACLs.

 

Also, I understand that ACL rules are better written for INBOUND traffic because the rules are applied before the traffic reaches the router/core network, thereby preventing unnecessary congestion.

 

Tell me, I’ll forget; Show me, I’ll remember; Involve me, I’ll understand

~ Chinese Proverb

"But isn't "permit ip any any" implicitly added on all lists."

No, it's the opposite. There's an implicit deny all at the end of any ACL.
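As an added illustration (not code from the thread or from Cisco), here is a small Python model of how an IOS numbered extended ACL is evaluated: first match wins, wildcard masks select the bits that must match, and anything that matches no entry falls through to the implicit deny. Run against the poster's original one-line ACL and Jon's corrected version, it shows why the original blocked every destination. The LAN host and the second destination address are constructed sample values.

```python
import ipaddress

def _take_spec(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' (wildcard)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(lines):
    """Parse 'access-list <n> <action> <proto> <src> <dst>' lines into tuples."""
    entries = []
    for line in lines:
        t = line.split()
        action, proto = t[2], t[3]
        src, i = _take_spec(t, 4)
        dst, _ = _take_spec(t, i)
        entries.append((action, proto, src, dst))
    return entries

def wildcard_match(spec, addr):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    base, wild = spec
    keep = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & keep) == (int(ipaddress.IPv4Address(addr)) & keep)

def evaluate(acl, proto, src, dst):
    """First matching entry wins; no match at all means the implicit deny at the end."""
    for action, e_proto, e_src, e_dst in acl:
        if e_proto in ("ip", proto) and wildcard_match(e_src, src) and wildcard_match(e_dst, dst):
            return action
    return "deny (implicit)"

# The poster's ACL: a single deny entry, so all other traffic hits the implicit deny.
ACL_ORIGINAL = parse_acl(["access-list 190 deny ip any 216.58.223.206 0.0.0.0"])
# Jon's correction: the same deny followed by "permit ip any any" for everything else.
ACL_FIXED = parse_acl([
    "access-list 190 deny ip any 216.58.223.206 0.0.0.0",
    "access-list 190 permit ip any any",
])

# Constructed packets from a LAN host, as seen by an ACL applied inbound on the LAN interface.
PACKETS = [
    ("tcp", "192.168.1.10", "216.58.223.206"),   # the destination the poster wants blocked
    ("tcp", "192.168.1.10", "93.184.216.34"),    # any other Internet destination (constructed)
]

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        for proto, src, dst in PACKETS:
            print(f"{name:8} {src} -> {dst}: {evaluate(acl, proto, src, dst)}")
```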