ACL blocking users from internet
06-18-2008 07:29 AM - edited 03-05-2019 11:42 PM
Is there a way to block users from the internet via ACL? All traffic from the site rides to an ISP router via EIGRP. The rest of the corporation is reached via EIGRP through the ISP router. Web traffic rides to the same router via a default static route. Is there a way to block the users from riding the default static route to the internet without breaking their access to anywhere else via EIGRP? Will something like this work?
deny ip 192.168.1.5 0.0.0.0 0.0.0.0 0.0.0.0
permit ip any any
06-18-2008 07:43 AM
Are you trying to deny your local users the ability to get to websites, but still be able to communicate with your offsite company?
This will restrict http and https connections, but could also restrict http/s communications to your offsite company.
If you give us a little more information, we might be able to help further.
deny tcp 192.168.1.5 0.0.0.0 any eq 80 443
06-18-2008 07:46 AM
That is correct, strictly internet web, but they must still be able to get to the rest of the company, which has web applications. They get to the web via the default static route 0.0.0.0 0.0.0.0.
06-18-2008 07:52 AM
In that case, depending on the number of web applications, you have a few choices.
1) Permit the destination IP addresses for the offsite company's web applications, and deny all others.
permit tcp any host
deny tcp any any eq 80 443
permit ip any any
2) Use DNS to control the forward lookup of your client computers. This step is a bit more advanced, but depending on the number of entries you have to make, this could be an option.
06-18-2008 07:55 AM
How about something like this?
permit tcp [local corp network] [remote corp networks] eq 80
permit tcp [local corp network] [remote corp networks] eq 443
deny tcp [local corp network] any eq 80
deny tcp [local corp network] any eq 443
UPDATE: Sorry Jason, you beat me to it.
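Added example, not from any poster in this thread: the permit-corporate-web / deny-other-web approach above written out as a complete named extended ACL and applied inbound on the LAN interface, with the final permit that keeps EIGRP and all non-web traffic working. The addresses and interface name are assumed placeholders.

```cisco
! Assumed addressing (placeholders, not from the thread):
!   local corp LAN    192.168.1.0/24 on FastEthernet0/0
!   remote corp nets  10.0.0.0/8, reached via EIGRP through the ISP router
ip access-list extended BLOCK-INTERNET-WEB
 remark Web to the rest of the company stays allowed
 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 80
 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 443
 remark Any other web (i.e. traffic that would follow the default route) is dropped and logged
 remark 'any' is shorthand for 0.0.0.0 255.255.255.255 (address 0.0.0.0, wildcard all ones)
 deny   tcp 192.168.1.0 0.0.0.255 any eq 80 log
 deny   tcp 192.168.1.0 0.0.0.255 any eq 443 log
 remark Everything else (EIGRP, DNS, mail, file shares, ...) is left alone;
 remark without this line the implicit deny at the end of the list would drop it all
 permit ip any any
!
interface FastEthernet0/0
 description Local corp LAN
 ip access-group BLOCK-INTERNET-WEB in
!
! Check which lines are matching:  show ip access-lists BLOCK-INTERNET-WEB
```

Order matters: the permits for the corporate networks must precede the broader denies, and the match counters from show ip access-lists are the quickest way to confirm that corporate web hits the permits while internet web hits the logged denies.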
