Solved: Single host permission to outside on a specific website

shafik.khan9 · ‎05-01-2017

HI,

Hope someone can help me on this.

I have a small remote office network installation and the internet is blocked for all users, and from there i got a request that one user require access to the internet for specific website, please guide me how I can give a single user to go outside on the internet only to a specific website

Thanks

Julio E. Moisa · ‎05-01-2017

Yeap that is correct,

Shafik, could you please share the ACL configuration because if you are using numbered ACL you need to move up over the deny the new ACL entry, taking the example provided by Georg you need to do the following:

ip access-list extended 100
(now you insert the sequence it can be seen using: show access-list 100)
2 permit tcp host 192.168.1.10 host 23.206.89.192 eq www

the other ACL entry could be the sequence 3, the main idea is leave the deny acl at the bottom. The IP 192.168.1.10 is the user PC.

* Take in consideration if you remove a numbered ACL, all the access-list related to that number will be removed that is the reason I suggest to use ip access-list standard/extended to modify the sequences.

Please dont forget to rate the comments if they are useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Julio E. Moisa · ‎05-01-2017

Hi

Are you using a firewall or Router to block the users to get Internet?

If you are using ACL you could specify the user using the 'host' or using /32 subnet mask on the top of the deny ACL.

example:

access-list 100 permit ip host 10.10.10.25 any
access-list 100 deny any any

and allow the users on the ACL used for NAT. Im not really sure how is your topology. Could you please provide more details?

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

shafik.khan9 · ‎05-01-2017

Hi,

yes I`m using an 801 4g Router and using ACL for blocking the internet, but need to give him permission only for a specific website Linke only Cisco.com/linkedin,

Julio E. Moisa · ‎05-01-2017

Hi Shafik,

Could you please share the implemented ACL? in order to provide the proper configuration.

No users have internet at all, right? but you have a NAT (Internet) for specific tasks, is that correct?

Thank you

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

shafik.khan9 · ‎05-01-2017

Thanks for your Support ,

Here is the ACL

Extended IP access list 101
10 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.35
20 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.19 (6 matches)
30 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.33 (11386351 matches)
40 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.15 (1 match)
50 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.4 (1393 matches)
60 permit ip 10.10.0.0 0.0.255.255 10.80.9.0 0.0.0.255 (40706911 matches)
70 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.38
80 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.30
90 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.48 (9706709 matches)
100 permit ip 10.10.0.0 0.0.255.255 host 10.80.9.100
110 permit ip 10.10.0.0 0.0.255.255 host 10.80.9.105
120 permit ip 10.10.0.0 0.0.255.255 host 10.80.9.53
130 permit ip 10.10.0.0 0.0.255.255 host 10.80.9.101
140 permit ip host 10.10.1.1 host 10.1.11.115
150 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.25 (42793472 matches)
160 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.35 (2 matches)
170 permit ip 10.10.0.0 0.0.255.255 10.80.0.0 0.0.0.3 (59474277 matches)
180 permit ip 10.10.0.0 0.0.255.255 10.81.0.0 0.0.255.255 (22288543 matches)
190 permit ip 192.168.0.0 0.0.255.255 host 10.80.9.30
200 permit ip 192.168.0.0 0.0.255.255 host 10.80.9.25
210 permit ip 192.168.0.0 0.0.255.255 host 10.80.9.26

Extended IP access list 111
10 deny ip 10.10.0.0 0.0.255.255 10.80.0.0 0.0.255.255 (74513855 matches)
20 deny ip 10.10.0.0 0.0.255.255 10.81.0.0 0.0.255.255 (9113497 matches)
30 deny ip host 10.10.1.1 host 10.1.11.115
40 permit ip 10.10.0.0 0.0.255.255 88.93.195.0 0.0.31.255 (653384 matches)
50 deny ip host 10.10.4.105 any (223625 matches)
60 deny ip host 10.10.4.104 any (436655 matches)
70 deny ip host 10.10.4.153 any (16321 matches)
80 deny ip host 10.10.4.200 any
90 deny ip host 10.10.4.210 any (302195 matches)
100 permit ip 10.10.0.0 0.0.255.255 any (22784016 matches)
110 permit ip 192.168.40.0 0.0.0.31 any

and the host IP is host 10.10.4.104

shafik.khan9 · ‎05-03-2017

Thanks for your Support ,

Here is the ACL

Extended IP access list 101
10 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.35
20 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.19 (6 matches)
30 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.33 (11386351 matches)
40 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.15 (1 match)
50 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.4 (1393 matches)
60 permit ip 10.10.0.0 0.0.255.255 10.80.9.0 0.0.0.255 (40706911 matches)
70 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.38
80 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.30
90 permit ip 10.10.0.0 0.0.255.255 host 10.80.8.48 (9706709 matches)
100 permit ip 10.10.0.0 0.0.255.255 host 10.80.9.100
110 permit ip 10.10.0.0 0.0.255.255 host 10.80.9.105
120 permit ip 10.10.0.0 0.0.255.255 host 10.80.9.53
130 permit ip 10.10.0.0 0.0.255.255 host 10.80.9.101
140 permit ip host 10.10.1.1 host 10.1.11.115
150 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.25 (42793472 matches)
160 permit ip 10.10.0.0 0.0.255.255 host 10.80.0.35 (2 matches)
170 permit ip 10.10.0.0 0.0.255.255 10.80.0.0 0.0.0.3 (59474277 matches)
180 permit ip 10.10.0.0 0.0.255.255 10.81.0.0 0.0.255.255 (22288543 matches)
190 permit ip 192.168.0.0 0.0.255.255 host 10.80.9.30
200 permit ip 192.168.0.0 0.0.255.255 host 10.80.9.25
210 permit ip 192.168.0.0 0.0.255.255 host 10.80.9.26

Extended IP access list 111
10 deny ip 10.10.0.0 0.0.255.255 10.80.0.0 0.0.255.255 (74513855 matches)
20 deny ip 10.10.0.0 0.0.255.255 10.81.0.0 0.0.255.255 (9113497 matches)
30 deny ip host 10.10.1.1 host 10.1.11.115
40 permit ip 10.10.0.0 0.0.255.255 88.93.195.0 0.0.31.255 (653384 matches)
50 deny ip host 10.10.4.105 any (223625 matches)
60 deny ip host 10.10.4.104 any (436655 matches)
70 deny ip host 10.10.4.153 any (16321 matches)
80 deny ip host 10.10.4.200 any
90 deny ip host 10.10.4.210 any (302195 matches)
100 permit ip 10.10.0.0 0.0.255.255 any (22784016 matches)
110 permit ip 192.168.40.0 0.0.0.31 any

and the host IP is host 10.10.4.104

Georg Pauwen · ‎05-01-2017

Hello,

in addition to the other post, the below example would allow access to www.cisco.com only for the user with source address 192.168.1.10.

No other users would be allowded on the Internet, and user 192.168.1.10 would only be able to access that one website.

Do an 'nslookup' first to check if the website is using other IP addresses as well.

access-list 100 permit tcp host 192.168.1.10 host 23.206.89.192 eq www
!
ip nat inside source list 100 interface GigabitEthernet0 overload

Julio E. Moisa · ‎05-01-2017

Yeap that is correct,

Shafik, could you please share the ACL configuration because if you are using numbered ACL you need to move up over the deny the new ACL entry, taking the example provided by Georg you need to do the following:

ip access-list extended 100
(now you insert the sequence it can be seen using: show access-list 100)
2 permit tcp host 192.168.1.10 host 23.206.89.192 eq www

the other ACL entry could be the sequence 3, the main idea is leave the deny acl at the bottom. The IP 192.168.1.10 is the user PC.

* Take in consideration if you remove a numbered ACL, all the access-list related to that number will be removed that is the reason I suggest to use ip access-list standard/extended to modify the sequences.

Please dont forget to rate the comments if they are useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<