Re: ACL blocking users from internet

glen.grant · ‎06-18-2008

Is there a way to block users from the internet via acl. All traffic from the site rides to a ISP router via EIGRP .The rest of the corporation is reached via EIGRP thru the ISP router. Web traffic rides to the same router via a default static route . Is there a way to block the users from riding the default static route to the internet without breaking there access to anywhere else via EIGRP . Will something like this work?

deny ip 192.168.1.5 0.0.0.0 0.0.0.0 0.0.0.0

permit ip any any

Jason Fraioli · ‎06-18-2008

Are you trying to deny your local users the ability to get to websites, but still be able to communicate with your offsite company?

This will restrict http and https connections, but could also restrict http/s communications to your offsite company.

If you give us a little more information, we might be able to help further.

deny tcp 192.168.1.5 0.0.0.0 any eq 80 443

glen.grant · ‎06-18-2008

That is correct , strictly internet web but they must still be able to get to the rest of the company which has web applications. They get to the web via the default static route 0.0.0.0 0.0.0.0 .

Jason Fraioli · ‎06-18-2008

In that case, depending on the number of web applications you have a few choices.

1) permit the destination IP addresses for the offsite company's web applications, and deny all others.

permit tcp any host eq 80 443

deny tcp any any eq 80 443

permit ip any any

2) use DNS to control the forward lookup of your client computers. this step is a bit more advanced, but depending on the number of entrys you have to make, this could be an option.

Collin Clark · ‎06-18-2008

How about something like this?

permit tcp [local corp network] [remote corp networks] eq 80

permit tcp [local corp network] [remote corp networks] eq 443

deny tcp [local corp network] any eq 80

deny tcp [local corp network] any eq 443

UPDATE: Sorry Jason, you beat me to it.