Deny local IP to inside network but allow to internet

Michael Turner
Level 1

I need to deny 10.14.80.XX to the inside network 10.0.0.0 but allow it to the internet.

I believe I would use an ACL.  Most of my ACLs deny internet access.

I think it would be something like:

access-list 101 deny 10.14.80.0 0.255.255.255 any 10.0.0.0 0.0.0.255

** Last Line of my ACL **

access-list 199 permit ip any any

I have a few other ACLs that allow DHCP, DNS, and email locally.

Thanks in advance 

1 Accepted Solution

OK, perfect. ACLs are read from top to bottom, so you could configure:

ip access-list extended LAB
 remark DHCP
 permit udp any any eq 67
 permit udp any any eq 68
 remark DNS (UDP and TCP)
 permit udp any any eq 53
 permit tcp any any eq 53
 remark Web access for the lab hosts
 permit tcp host 10.15.3.x any eq 80
 permit tcp host 10.15.3.x any eq 443
 permit tcp host 10.15.15.x any eq 80
 permit tcp host 10.15.15.x any eq 443
 remark Everything else from the lab hosts is dropped
 deny ip host 10.15.3.x any
 deny ip host 10.15.15.x any
 permit ip any any
!
interface g0/0
 ip access-group LAB out

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<
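
The top-to-bottom, first-match evaluation described in the accepted answer, as an added example that is not part of the original thread: a small Python evaluator for a subset of IOS extended ACL syntax. The 10.15.3.0/24 lab subnet, the /8 mask on the inside network and the test addresses are assumptions made for illustration.

```python
import ipaddress

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (destination port only)."""
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def _hit(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry_number) for the first matching entry, top to bottom."""
    for n, line in enumerate(acl, 1):
        action, p, s, d, port = parse(line)
        if p not in ("ip", proto):
            continue
        if port is not None and port != dport:
            continue
        if _hit(s, src) and _hit(d, dst):
            return action, n
    return "deny", None  # implicit deny that ends every ACL

# Constructed ACL: the lab subnet and the /8 inside mask are assumptions.
LAB = [
    "permit udp any any eq 67",
    "permit udp any any eq 53",
    "deny ip 10.15.3.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "permit ip any any",
]
# Same entries with the catch-all permit moved to the top.
REORDERED = [LAB[3]] + LAB[:3]

if __name__ == "__main__":
    for acl in (LAB, REORDERED):
        print(evaluate(acl, "tcp", "10.15.3.10", "10.0.0.5", 445))
```

With the catch-all permit first, the deny entry is never reached, which is why the specific entries have to sit above `permit ip any any`.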

5 Replies

Hi Michael,

Could you please provide more information about the question? Please correct me, but I understand that you want to block just the host 10.14.80.x while still allowing the /24. You can use ACLs:

ip access-list extended TEST
 deny ip host 10.14.80.X any
 permit ip any any




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

I have a school at another location with a lab.  They will be using the computers for a cyber patriot class.  They do not need access to the network for anything but DHCP and DNS. Those addresses are 10.15.3.x and 10.15.15.x.  They will not be in AD.  They just need internet and filtering.

Thank you for the explanation. Where are you planning to install the ACL, for a NAT or just under an interface?




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

Under the interface. I will let the firewall handle the NAT.  
