Extended ACL Block IP

chrissnop
Level 1

Block IPs using extended ACL


Block incoming traffic.

Is this correct?

apply to fa0:
int fa0
ip access-group block_ips in

block ips:
ip access-list extended block_ips
deny ip host 15.16.17.18 any
deny ip host 15.16.17.19 any


If an extended ACL is used, do I need to define outgoing as well, or is there no need?

If outgoing is needed, is the config below correct?


int fa1
ip access-group permit_internal out

ip access-list extended permit_internal
permit ip 0.0.0.0 0.0.255.255 any

Thanks for any help.


johnlloyd_13
Level 9

Hi,

You'll need to allow the rest of the network traffic after blocking specific IP subnets.

ip access-list extended block_ips
 deny ip host 15.16.17.18 any
 deny ip host 15.16.17.19 any
 permit ip any any

Thanks for the heads up.

Outgoing is not needed?

I hope you don't mind me asking again.

If I want to add to an existing extended ACL "block_ips", how do I do it?

Thanks again.

Hi,

You usually allow LAN/inside traffic to anywhere, so you don't need an outgoing ACL applied on your fa1.

If you want to add entries (ACEs) to the IP ACL, just insert the entry/ACE. Issue first a show ip access-list block_ips.

show ip access-list block_ips
 10 deny ip host 15.16.17.18 any
 20 deny ip host 15.16.17.19 any
 30 permit ip any any

conf t
ip access-list extended block_ips
 no 30
 30 permit <SOURCE IP> <WM> <DEST IP> <WM>
 40 permit ip any any

Ah okay, the system itself will do automatic numbering. Thank you so much.

The sequential number is Cisco style and it increments by 10, but you can choose 11, 12 if you want.

Also, make sure that in an ACL, after you give your statements, by default Cisco treats the next statement as an "EXPLICIT DENY", so permit the entire N/W.
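As an added illustration of the two points the replies make (the deny at the end of an ACL that drops everything not explicitly permitted, and how sequence-numbered ACEs are appended and inserted), here is a small Python model of IOS extended-ACL evaluation. It is example code written for this page, not anything posted in the thread; the ExtendedAcl class, the helper names and the 10.1.0.0 0.0.255.255 subnet standing in for <SOURCE IP> <WM> are all constructed.

```python
import ipaddress
# Added example (not from the thread): a model of IOS extended-ACL evaluation that
# shows why block_ips needs "permit ip any any" and how sequence-number inserts work.

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is a don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(toks):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

class ExtendedAcl:
    def __init__(self):
        self.aces = {}  # seq -> (action, (src, wildcard), (dst, wildcard))
    def add(self, text, seq=None):
        if seq is None:
            seq = max(self.aces, default=0) + 10  # IOS appends 10 past the last ACE
        action, _proto, *rest = text.split()      # only 'ip' ACEs are modelled
        src, rest = _parse_addr(rest)
        dst, _ = _parse_addr(rest)
        self.aces[seq] = (action, src, dst)
        return seq
    def evaluate(self, src_ip, dst_ip):
        """First match in sequence order wins; no match falls to the implicit deny."""
        for seq in sorted(self.aces):
            action, (sb, sw), (db, dw) = self.aces[seq]
            if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
                return action, seq
        return "deny", None  # implicit deny at the end of every IOS ACL

def as_posted():
    acl = ExtendedAcl()  # the ACL exactly as the question posted it: two denies only
    acl.add("deny ip host 15.16.17.18 any")
    acl.add("deny ip host 15.16.17.19 any")
    return acl

def as_corrected():
    acl = as_posted()  # the accepted answer: permit the rest, then splice in at 30
    acl.add("permit ip any any")                       # lands at seq 30
    del acl.aces[30]                                   # no 30
    acl.add("permit ip 10.1.0.0 0.0.255.255 any", 30)  # constructed placeholder subnet
    acl.add("permit ip any any", 40)
    return acl
```

With the ACL as posted, a host that is not 15.16.17.18 or 15.16.17.19 still gets ("deny", None): nothing matched, so the implicit deny dropped it.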