Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1694
Views
10
Helpful
5
Replies

Extended ACL Block IP

Go to solution
chrissnop
Level 1
Level 1

‎07-13-2016 07:30 PM - edited ‎03-07-2019 12:12 AM

Block IPs using extended ACL


Block incoming traffic.

Is this correct?

apply to fa0:
int fa0
ip access-group block_ips in

block ips:
ip access-list extended block_ips
deny ip host 15.16.17.18 any
deny ip host 15.16.17.19 any


If extended ACL is used do I need to define outgoing as well, or no need?

If outgoing is needed, is the config below correct?


int fa1
ip access-group permit_internal out

ip access-group extended permit_internal
permit ip host 0.0.0.0 0.0.255.255 any

Thanks for any help.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
johnlloyd_13
Level 9
Level 9
In response to chrissnop

‎07-13-2016 08:34 PM

hi,

you usually allow LAN/inside traffic to anywhere so you don't need an outgoing ACL applied on your fa1.

if you want to add entries/ACE on the IP ACL, just insert entry/ACE. issue first a show ip access-list block_ips.

show ip access-list block_ips
 10 deny ip host 15.16.17.18 any
 20 deny ip host 15.16.17.19 any
 30 permit ip any any

conf t
ip access-list extended block_ips
 no 30
 30 permit <SOURCE IP> <WM> <DEST IP> <WM>
 40 permit ip any any

View solution in original post

0 Helpful
5 Replies 5

Go to solution
johnlloyd_13
Level 9
Level 9

‎07-13-2016 07:55 PM

hi,

you'll need to allow the rest of the network traffic after blocking specific IP subnets.

ip access-list extended block_ips
 deny ip host 15.16.17.18 any
 deny ip host 15.16.17.19 any
 permit ip any any

Go to solution
chrissnop
Level 1
Level 1
In response to johnlloyd_13

‎07-13-2016 08:16 PM

Thanks for the heads up.

Outgoing is not needed?

I hope you don't mind me asking again.

If I want to add to an existing extended acl "block_ips", how do i do it?

 

Thanks  again.

0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9
In response to chrissnop

‎07-13-2016 08:34 PM

hi,

you usually allow LAN/inside traffic to anywhere so you don't need an outgoing ACL applied on your fa1.

if you want to add entries/ACE on the IP ACL, just insert entry/ACE. issue first a show ip access-list block_ips.

show ip access-list block_ips
 10 deny ip host 15.16.17.18 any
 20 deny ip host 15.16.17.19 any
 30 permit ip any any

conf t
ip access-list extended block_ips
 no 30
 30 permit <SOURCE IP> <WM> <DEST IP> <WM>
 40 permit ip any any

0 Helpful

Go to solution
chrissnop
Level 1
Level 1
In response to johnlloyd_13

‎07-13-2016 08:38 PM

Ah okay the system itself will do an automatic numbering. Thank you so much.

0 Helpful

Go to solution
Yeshwanth Simhadri
Level 1
Level 1
In response to chrissnop

‎07-14-2016 01:51 AM

the sequencial number is cisco style and it increments by 10 , but u can choose 11,12 if you want.

Also, make sure that in an ACL, after you give your statements, by default cisco treats the next statement as an " EXPLICIT DENY ", so permit the entire N/W

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card