Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
39993
Views
15
Helpful
5
Replies

Creating ACL to block HTTP

Go to solution
jordan-jj
Level 1
Level 1

‎06-15-2017 11:47 AM - edited ‎03-08-2019 10:59 AM

This is  my scenario. I want to  block all the host from 192.168.10.1 network  to web server 192.168.20.10

 

How to create an acl to block http here and allow everything else.

5 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jordan-jj

‎06-15-2017 12:03 PM

Okay well 192.168.10.1 is not a network and your diagram isn't showing any other hosts.

Change the "host 192.168.10.10"  to "192.168.10.0 0.0.0.255" in both the acl lines.

Note though this won't stop you being able to connect from the router itself but then you don't connect to a web server from routers normally.

Jon

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎06-15-2017 11:54 AM

"access-list 101 deny tcp host 192.168.10.10 host 192.168.20.10 eq 80"
"access-list 101 permit ip host 192.168.10.10 any"

"int fa0/1"
"ip access-group 101 in"

the above assumes you only have two hosts and a router as per your diagram.

Jon

Go to solution
jordan-jj
Level 1
Level 1
In response to Jon Marshall

‎06-15-2017 12:03 PM

I want to block all the host of 192.168.10.1 network in reaching 192.168.20.10's  http 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jordan-jj

‎06-15-2017 12:03 PM

Okay well 192.168.10.1 is not a network and your diagram isn't showing any other hosts.

Change the "host 192.168.10.10"  to "192.168.10.0 0.0.0.255" in both the acl lines.

Note though this won't stop you being able to connect from the router itself but then you don't connect to a web server from routers normally.

Jon

0 Helpful

Go to solution
Craddockc
Level 3
Level 3

‎06-15-2017 12:00 PM

Jordan,

Create an extended Routed Access List (RACL) on Router 2 that reads like this:

ip access-list extended (name of ACL)

deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq http

permit ip any any

Apply the ACL to FA0/1 interface on R2 using the ip access-group (ACL Name) in command  as the ACL blocking action should always be placed as close as possible to the hosts being blocked. 

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎06-15-2017 01:28 PM

Is the web server using port 80?  Then what Jon is showing is what you want to do.

If you want to block HTTP, though, you need to do deep packet inspection that's not tied to a specific port or ports.

Top