
ACL to allow only internet

intellibeam
Level 1

Newbie here,

Here is my ACL:

ip access-list extended 192_Guest
 deny ip host 192.168.1.235 10.0.0.0 0.0.0.255
 deny ip host 192.168.1.235 172.16.0.0 0.15.255.255
 deny ip host 192.168.1.235 192.168.0.0 0.0.0.255
 permit ip any any

I need to only allow internet access to 192.168.1.235.

I have applied it to VLAN 192, which is the 192.168.1.0/24 subnet. The VLAN interface IP is 192.168.1.26/24.

The PC in question is blocked from 192.168.1.26 but can see everything else.

Any ideas as to what I am missing?

10 Replies

Mark Malone
VIP Alumni

If you're trying to block users from getting to websites, you need `eq 80` for HTTP at the end of the extended ACL line, and probably 443 for HTTPS as well, as most sites use that now.

ip access-list extended 192_Guest
 deny tcp host 192.168.1.235 10.0.0.0 0.0.0.255 eq 80

Examples in the doc below:

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#anc14

hostname R1
!
interface ethernet0
 ip access-group 102 in
!
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 21
access-list 102 permit tcp any any eq 20

We want users to get to the internet, but block access to the internal network.

So users on different VLANs can't talk to each other, is that correct? The ACL above only stops one host from speaking to those specific subnets and permits all other traffic.

To block VLANs speaking to each other you need to block subnet to subnet, then apply it in both directions on each VLAN interface, and leave the `permit ip any any` so they can still break out to the internet.

Something like below as an example, or you can use the extended method above either way.

access-list 147 deny ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 147 deny ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255

Sorry, I don't think I described the issue that well.

I just want to block the PC with IP 192.168.1.235 from getting to any other VLANs or anything internal. I only want the PC to be able to get to the internet.

Oh OK, sorry, I misunderstood. That's not far off then; also do the reverse as well though, and apply the ACL in and out under VLAN 192. Currently it's saying deny host 192... to 10..../24 and deny 192... to 172.16.../20. When the reverse is there as well, let me know if that's working for you.

ip access-list extended 192_Guest
 deny ip host 192.168.1.235 10.0.0.0 0.0.0.255
 deny ip host 192.168.1.235 172.16.0.0 0.15.255.255
 deny ip host 192.168.1.235 192.168.0.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.235
 deny ip 10.0.0.0 0.0.0.255 host 192.168.1.235
 deny ip 172.16.0.0 0.15.255.255 host 192.168.1.235
 permit ip host 192.168.1.235 any
 permit ip any any

int vlan 192
 ip access-group 192_Guest in
 ip access-group 192_Guest out

Thanks for the reply, I am going to give this a shot after production hours this afternoon and I will let you know how I made out.

Thanks

Unfortunately, that didn't work. 

Hi,

"Unfortunately, that didn't work." Please elaborate more. What exactly has failed after applying this ACL?

I just modified the third sequence of the ACL as per below.

ip access-list extended 192_168_1_235
 deny ip host 192.168.1.235 10.0.0.0 0.255.255.255
 deny ip host 192.168.1.235 172.16.0.0 0.15.255.255
 deny ip host 192.168.1.235 192.168.0.0 0.0.255.255
 permit ip any any

int vlan 192
 ip access-group 192_168_1_235 in

With this ACL in place 192.168.1.235 can still talk to PCs in its own subnet since traffic between them will be L2 switched and it will never hit this ACL.

HTH

-Amit
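As an added illustration (not code from this thread, from Cisco, or from any of the posters), the small Python model below evaluates IOS-style wildcard-mask ACLs the way the router does (first match wins, implicit deny at the end). It loads the original poster's ACL and Amit's corrected one, transcribed here as constructed sample input, and shows why `10.0.0.0 0.0.0.255` only covers 10.0.0.0/24 while `0.255.255.255` covers the whole 10/8. It also models Amit's second point: a router ACL on the SVI is never consulted for traffic that stays inside VLAN 192, because that traffic is bridged at layer 2. The sample addresses (10.1.1.5, 192.168.5.10, 8.8.8.8, 192.168.1.50) are constructed for the demonstration.

```python
import ipaddress

# Constructed sample input: the two ACL bodies from the thread, verbatim ACEs.
ORIGINAL_ACL = """
deny ip host 192.168.1.235 10.0.0.0 0.0.0.255
deny ip host 192.168.1.235 172.16.0.0 0.15.255.255
deny ip host 192.168.1.235 192.168.0.0 0.0.0.255
permit ip any any
"""

FIXED_ACL = """
deny ip host 192.168.1.235 10.0.0.0 0.255.255.255
deny ip host 192.168.1.235 172.16.0.0 0.15.255.255
deny ip host 192.168.1.235 192.168.0.0 0.0.255.255
permit ip any any
"""

VLAN_192 = ipaddress.ip_network("192.168.1.0/24")  # the SVI's subnet from the thread


def parse_addr(tokens, i):
    """Parse an IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.

    Returns (base, care_mask, next_index). A wildcard bit of 1 means "don't care",
    so the care mask is the bitwise complement of the wildcard.
    """
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, (~wildcard) & 0xFFFFFFFF, i + 2


def parse_acl(text):
    """Turn ACE lines into (action, proto, src, src_care, dst, dst_care) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, src_care, i = parse_addr(tokens, 2)
        dst, dst_care, _ = parse_addr(tokens, i)
        entries.append((action, proto, src, src_care, dst, dst_care))
    return entries


def evaluate(acl, src_ip, dst_ip):
    """First-match ACL evaluation with IOS's implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, _proto, src, src_care, dst, dst_care in acl:
        if (s & src_care) == (src & src_care) and (d & dst_care) == (dst & dst_care):
            return action
    return "deny"


def compare(src_ip, dst_ip):
    """(original verdict, fixed verdict) for one flow, to see what the mask change does."""
    return (evaluate(parse_acl(ORIGINAL_ACL), src_ip, dst_ip),
            evaluate(parse_acl(FIXED_ACL), src_ip, dst_ip))


def traffic_allowed(acl, src_ip, dst_ip, vlan=VLAN_192):
    """Model of where an SVI ACL is applied: only routed traffic crosses the SVI.

    Same-subnet traffic is switched at layer 2 and the ACL is never consulted,
    which is why a deny for the local subnet has no effect on it.
    """
    if ipaddress.ip_address(src_ip) in vlan and ipaddress.ip_address(dst_ip) in vlan:
        return "permit (L2 switched, ACL not consulted)"
    return evaluate(acl, src_ip, dst_ip)


if __name__ == "__main__":
    for dst in ("10.1.1.5", "192.168.5.10", "172.20.0.1", "8.8.8.8"):
        print(f"192.168.1.235 -> {dst}: original={compare('192.168.1.235', dst)[0]}, "
              f"fixed={compare('192.168.1.235', dst)[1]}")
    print("same-VLAN host:", traffic_allowed(parse_acl(FIXED_ACL), "192.168.1.235", "192.168.1.50"))
```

Running it shows the original ACL permitting 192.168.1.235 to reach 10.1.1.5 and 192.168.5.10 (the /24 wildcards simply do not match them) while the corrected masks deny both, public addresses stay permitted under both, and other hosts in VLAN 192 are unaffected. The last line shows the corrected ACL would deny 192.168.1.235 to 192.168.1.50 if it were evaluated, yet the flow is permitted because it never reaches the SVI, which is the gap a VACL addresses.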

Hi Amit,

Layer-based restriction can't be achieved with the approach highlighted above. Those entries help if you want to communicate over L3 to a different subnet, when traffic originates from source 192.168.1.235. In order to get Layer 2 based restriction, you need to apply a VLAN-based ACL on the specific VLAN. Have a look at the link below for a step-by-step approach to blocking traffic inside a VLAN.

https://networklessons.com/cisco/ccie-routing-switching/vlan-access-list-vacl/

Hope it helps..

-GI

Hi ,

If I understand correctly, you want only 192.168.1.235 to talk to the internet and not to any internal subnet. If yes, try applying the ACL below.

ip access-list extended 192_168_1_235
 deny ip host 192.168.1.235 10.0.0.0 0.255.255.255
 deny ip host 192.168.1.235 172.16.0.0 0.15.255.255
 deny ip host 192.168.1.235 192.168.0.0 0.0.0.255
 permit ip any any

int vlan 192
 ip access-group 192_168_1_235 in

Hope it Helps..

-GI
