06-15-2017 11:47 AM - edited 03-08-2019 10:59 AM
This is my scenario. I want to block all the hosts from the 192.168.10.1 network to the web server 192.168.20.10.
How do I create an ACL to block HTTP here and allow everything else?
06-15-2017 11:54 AM
"access-list 101 deny tcp host 192.168.10.10 host 192.168.20.10 eq 80"
"access-list 101 permit ip host 192.168.10.10 any"
"int fa0/1"
"ip access-group 101 in"
The above assumes you only have two hosts and a router as per your diagram.
Jon
06-15-2017 12:03 PM
I want to block all the hosts of the 192.168.10.1 network from reaching 192.168.20.10's HTTP.
06-15-2017 12:03 PM
Okay well 192.168.10.1 is not a network and your diagram isn't showing any other hosts.
Change the "host 192.168.10.10" to "192.168.10.0 0.0.0.255" in both the acl lines.
Note though this won't stop you being able to connect from the router itself but then you don't connect to a web server from routers normally.
Jon
06-15-2017 12:00 PM
Jordan,
Create an extended Routed Access List (RACL) on Router 2 that reads like this:
ip access-list extended (name of ACL)
deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq http
permit ip any any
Apply the ACL to the FA0/1 interface on R2 using the ip access-group (ACL Name) in command, as the ACL blocking action should always be placed as close as possible to the hosts being blocked.
06-15-2017 01:28 PM
Is the web server using port 80? Then what Jon is showing is what you want to do.
If you want to block HTTP, though, you need to do deep packet inspection that's not tied to a specific port or ports.