08-04-2016 05:56 AM - edited 03-08-2019 06:52 AM
Hello,
I have a Cisco 3800 with the below running config.
Router>ENA
Router>ENAble
Router#SH RUNN
Router#SH RUNNing-config
Building configuration...
Current configuration : 1011 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description WAN
ip address 177.69.177.* 255.255.255.128
ip nat outside
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.150.1 255.255.255.0
ip nat inside
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
no ip address
shutdown
negotiation auto
!
interface Serial0/2/0
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 177.69.177.*
!
ip http server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end
Router#
As you can see, I have an access-list 1 permit any.
What I am trying to do is to keep this access-list 1 permit any, but I want to block access to one destination IP.
I tried the following
access-list 1 permit any
access-list 10 deny 130.211.14.80 0.0.0.1
I tried as well
access-list 1 deny 130.211.14.80 0.0.0.1
access-list 10 permit any
with no success.
What is the correct combination to permit everything BUT one destination, which is IP 130.211.14.80?
Thx
08-04-2016 06:07 AM
Hi
ACL 1 is part of your NAT overload, so blocking it there won't work. If you're trying to block people accessing that host in general, you need to use another ACL and then apply it to your interface separately in the desired direction, like the second section (ACL 10) as an example.
access-list 1 deny host 130.211.14.80
access-list 1 permit any --permit everything else
.................................
access-list 10 deny host 130.211.14.80
access-list 10 permit any
interface g0/0
ip access-group 10 out
08-04-2016 06:38 AM
Hello Mark,
Thank you for your reply.
I tried the below with no success
access-list 10 deny host 130.211.14.80
access-list 10 permit any
interface g0/0
ip access-group 10 out
Should I keep the access-list 1 permit any and add the above config at the interface level?
Thx
08-04-2016 06:47 AM
Hi
Don't do anything with ACL 1; it's your NAT ACL. It allows users to translate to a usable public IP to break out to the internet from your LAN, so it shouldn't be altered. Basically it's allowing 192.168.150.x to break out.
Try an extended ACL and apply it to the WAN interface. I presume this IP 130... is outside of the local network somewhere, so we are applying it in the correct direction, outbound, yes?
This ACL says deny any IP speaking to host 130.211.14.80 but also permit anything else.
ACLs work from the most specific to the least; that's how they should be written generally.
access-list 100 deny ip any host 130.211.14.80
access-list 100 permit ip any any
ip access-group 100 out
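A worked example for the point made in this answer, added here and not part of the thread or of Cisco's code: a small Python evaluator for IOS-style numbered access lists that replays the thread's lists against constructed packets. It shows why standard ACL 10 applied outbound could not match (a standard list tests the source address only, and outbound on the WAN interface the source is the router's public address, never 130.211.14.80), why a deny placed in NAT list 1 would only exempt traffic from translation rather than drop it, and why extended ACL 100 blocks the destination. The LAN client 192.168.150.20, the public address 203.0.113.10 (the thread masks the real one) and the second destination 198.51.100.5 are constructed values; only the ip protocol and contiguous wildcard masks are modelled.

```python
"""Toy evaluator for IOS-style numbered access lists (added example, not Cisco code).
Match fields are source and destination IPv4 only; protocol is assumed to be 'ip'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str  # source address as seen at the point where the ACL is applied
    dst: str  # destination address


@dataclass(frozen=True)
class Entry:
    action: str                           # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # None for standard-ACL entries (source-only)


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard bits: 0 = must match, 1 = don't care (the inverse of a netmask)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # only contiguous wildcards (0...01...1) are supported here
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _parse_addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD | A (standard-ACL host shorthand)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) >= 2 and _is_ipv4(tokens[1]):
        return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
    return ipaddress.IPv4Network(tokens[0] + "/32"), tokens[1:]


def is_standard(number: int) -> bool:
    """Numbered standard ACLs (source-only) use 1-99 and 1300-1999; others are treated as extended."""
    return 1 <= number <= 99 or 1300 <= number <= 1999


def parse_acls(config: str):
    """Collect 'access-list N ...' lines per number; every other config line is ignored."""
    acls = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if is_standard(number):
            src, _ = _parse_addr(rest)         # trailing text such as '--permit everything else' is ignored
            dst = None
        else:
            src, rest = _parse_addr(rest[1:])  # rest[0] is the protocol keyword ('ip' in the thread)
            dst, _ = _parse_addr(rest)
        acls.setdefault(number, []).append(Entry(action, src, dst))
    return acls


def evaluate(entries, pkt: Packet) -> str:
    """First matching entry wins; with no match IOS applies its implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for e in entries:
        if src in e.src and (e.dst is None or dst in e.dst):
            return e.action
    return "deny"


def nat_translates(entries, pkt: Packet) -> bool:
    """For 'ip nat inside source list N ... overload', permit means 'translate this source';
    a deny only exempts the packet from translation, it does not drop it."""
    return evaluate(entries, pkt) == "permit"


# Lines taken from the thread: NAT list 1, the standard ACL 10 that failed, and extended ACL 100.
THREAD_CONFIG = """\
access-list 1 permit any
access-list 10 deny host 130.211.14.80
access-list 10 permit any
access-list 100 deny ip any host 130.211.14.80
access-list 100 permit ip any any
"""

LAN_HOST = "192.168.150.20"  # constructed client in the thread's LAN subnet
WAN_IP = "203.0.113.10"      # constructed stand-in for the router's masked public address
TARGET = "130.211.14.80"


def demo() -> dict:
    acls = parse_acls(THREAD_CONFIG)
    outbound = Packet(WAN_IP, TARGET)  # outbound on g0/0 the source is the post-NAT public address
    return {
        # ACL 10 inspects the source only, which is never 130.211.14.80 for traffic *to* that host
        "acl10_out": evaluate(acls[10], outbound),
        # ACL 100 matches on destination, so its first entry fires
        "acl100_out": evaluate(acls[100], outbound),
        "acl100_other": evaluate(acls[100], Packet(WAN_IP, "198.51.100.5")),
        # a deny added to the NAT list does not match either (source is the LAN host), and even if it
        # did, the packet would merely go untranslated rather than be dropped
        "nat_still_translates": nat_translates(
            parse_acls("access-list 1 deny host 130.211.14.80\naccess-list 1 permit any")[1],
            Packet(LAN_HOST, TARGET)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script prints acl10_out: permit, acl100_out: deny, acl100_other: permit and nat_still_translates: True, which is exactly the behaviour the thread observed: the standard list and the NAT list leave the traffic flowing, and only the extended list applied outbound on the WAN interface stops packets to the one host.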
08-04-2016 07:05 AM
Worked perfectly.
Thx for the help.
08-04-2016 07:07 AM
Ah, that's good, it's working now :)