06-15-2017 11:47 AM - edited 03-08-2019 10:59 AM
This is my scenario. I want to block all the hosts from the 192.168.10.1 network to the web server 192.168.20.10.
How do I create an ACL to block HTTP here and allow everything else?
Labels: Other Switching
Accepted Solutions
06-15-2017 12:03 PM
Okay, well, 192.168.10.1 is not a network, and your diagram isn't showing any other hosts.
Change the "host 192.168.10.10" to "192.168.10.0 0.0.0.255" in both ACL lines.
Note, though, that this won't stop you from being able to connect from the router itself, but then you don't normally connect to a web server from routers.
Jon
06-15-2017 11:54 AM
access-list 101 deny tcp host 192.168.10.10 host 192.168.20.10 eq 80
access-list 101 permit ip host 192.168.10.10 any
int fa0/1
ip access-group 101 in
The above assumes you only have two hosts and a router, as per your diagram.
Jon
06-15-2017 12:03 PM
I want to block all the hosts of the 192.168.10.1 network from reaching 192.168.20.10's HTTP.
06-15-2017 12:00 PM
Jordan,
Create an extended Routed Access List (RACL) on Router 2 that reads like this:
ip access-list extended (name of ACL)
deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq http
permit ip any any
Apply the ACL to the FA0/1 interface on R2 using the "ip access-group (ACL Name) in" command, as the ACL blocking action should always be placed as close as possible to the hosts being blocked.
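To see how the ACL lines in this thread are actually evaluated (first match wins, the implicit deny at the end, and why "host 192.168.10.10" had to become "192.168.10.0 0.0.0.255"), here is a small Python ACL evaluator added as an illustration; it is not Cisco code and not from any of the replies, and the sample flows it checks are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol, "tcp" only TCP
    src: str                 # source base address
    src_wild: str            # source wildcard mask ("host x" == wildcard 0.0.0.0)
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None   # trailing "eq <port>", None if absent

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str, dst_port: int) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wild):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"

HOST = "0.0.0.0"   # the wildcard that "host <addr>" expands to
# Jon's first version: only host 192.168.10.10 is permitted at all
ACL_HOST = [
    AclEntry("deny", "tcp", "192.168.10.10", HOST, "192.168.20.10", HOST, 80),
    AclEntry("permit", "ip", "192.168.10.10", HOST, "0.0.0.0", "255.255.255.255"),
]
# After the correction: the whole /24, HTTP to the web server denied, everything else permitted
ACL_SUBNET = [
    AclEntry("deny", "tcp", "192.168.10.0", "0.0.0.255", "192.168.20.10", HOST, 80),
    AclEntry("permit", "ip", "192.168.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
if __name__ == "__main__":  # constructed sample flows, not captures from the poster's network
    for name, acl in (("host-only", ACL_HOST), ("subnet", ACL_SUBNET)):
        for src, port in (("192.168.10.10", 80), ("192.168.10.20", 80), ("192.168.10.20", 443)):
            print(name, src, "-> 192.168.20.10:%d" % port, evaluate(acl, "tcp", src, "192.168.20.10", port))
```

Running it shows the point of the correction: with the host-only version, 192.168.10.20 is dropped by the implicit deny for every port, not just 80.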
06-15-2017 01:28 PM
Is the web server using port 80? Then what Jon is showing is what you want to do.
If you want to block HTTP, though, you need to do deep packet inspection that's not tied to a specific port or ports.
