IP access list Filtering

Hello, 

I have a 1921 ISR. I have created an extended access list to prevent a local host from accessing the internet by denying TCP connections to ports 80 and 443. When I first applied it to my interface it worked (the host could not access the internet and I could see the matched-packet count incrementing), but after a while I noticed that the local host could gain access to the internet again; it seems that packets are no longer matched by the access list I created. So please could someone explain to me how this happens? Any help is greatly appreciated.

This is my access list:

-----------------------------------------------------------

ip access-list extended VLAN_20
 10 deny tcp host 10.10.20.3 any eq www
 20 deny tcp host 10.10.20.3 any eq 443
 permit ip any any

------------------------------------------------------------

1 Accepted Solution (Atul Choudhary's reply below)

8 Replies

Mark Malone
VIP Alumni

Has he copped on and started using a proxy instead? Did you check his local PC? He may have done something locally to bypass the rules; it's very unlikely an ACL just stopped working.

Atul Choudhary
Level 1

Hi,

There is only one possible reason for this issue, and that is: users are not accessing the internet using ports 80 and 443.

This is possible when hosts are using some kind of proxy, which generally works on random ports like 9090, 8080, 8000, 9000 etc. In this scenario, I would suggest you allow the specific traffic that is required and deny all other traffic. Please let me know if it helps.

Thanks

Hello Atul

Actually, it seems you are right. I have changed my access list: I permit TCP connections to ports 80 and 443 and deny all other ports, and now my computer cannot access the internet. Just to inform you, I am not using any proxy server; my host is configured as follows:

------------------------------------------------

IP address: 10.10.20.3/29
Gateway: 10.10.20.1
Primary DNS server: 10.10.20.2 (my domain server for Active Directory)
Secondary DNS server: 8.8.8.8

-------------------------------------------------

Thanks

Hi, I would request the configuration that you have done. You may need to allow traffic for your AD as well; it works on different ports.

Just to avoid any confusion, I would like to give you a sample config.

Suppose 1.1.1.7/24 is your IP address and 1.1.1.8/24 is AD. Gateway: 1.1.1.1. So the access-list that you need to apply will be as follows:

ip access-list extended VLAN_20
 10 permit ip host 1.1.1.7 any
 20 permit ip host 1.1.1.8 any

Allow specific IPs for other users that they require.

 ...
 100 deny ip any any
exit

Thanks
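To make the thread's point concrete, here is an added example (not from the original poster, from Atul's reply, or from Cisco) that models IOS extended-ACL evaluation in Python: the first matching entry decides, an unmatched packet falls through to the implicit deny, and each entry keeps a match counter like the "(N matches)" figure `show access-lists` reports. It feeds constructed sample flows from the restricted host through the poster's deny-list ACL and through an allow-list ACL in the style of the accepted answer, adapted to the poster's addressing (10.10.20.2 as the AD/DNS server, 8.8.8.8 as the secondary DNS, and 203.0.113.10 as a stand-in web server). The wildcard-mask parsing goes a little beyond the page's `host`/`any` entries; the port-name table, the flow list and every address other than the poster's own are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the port keywords IOS accepts in place of numbers (assumed table for this example)
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "telnet": 23, "smtp": 25}


@dataclass
class Ace:
    """One access-control entry of an IOS extended ACL."""
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol, otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq <port>", None means any port
    hits: int = 0               # match counter, like "(N matches)" in show access-lists


def _parse_addr(tokens):
    """Consume an address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are the bitwise inverse of a subnet mask
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block; sequence numbers are optional as in IOS."""
    aces, next_seq = [], 10
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "exit", "remark", "!"):
            continue
        seq = int(tok.pop(0)) if tok[0].isdigit() else next_seq
        next_seq = seq + 10
        action, proto = tok[0], tok[1]
        src, tok = _parse_addr(tok[2:])
        dst, tok = _parse_addr(tok)
        dport = None
        if tok and tok[0] == "eq":
            dport = PORT_NAMES.get(tok[1]) or int(tok[1])
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return aces


def evaluate(aces, src, dst, proto, dport):
    """First matching entry decides; no match falls through to the implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace.action
    return "deny"


# Constructed: the original poster's deny-list ACL ('www' is the IOS keyword for port 80)
DENY_LIST_ACL = """
ip access-list extended VLAN_20
 10 deny tcp host 10.10.20.3 any eq www
 20 deny tcp host 10.10.20.3 any eq 443
 permit ip any any
"""

# Constructed: allow-list in the style of the accepted answer, using the poster's addresses
# (10.10.20.2 = AD/DNS server, 8.8.8.8 = secondary DNS); everything else hits the explicit deny
ALLOW_LIST_ACL = """
ip access-list extended VLAN_20
 10 permit ip host 10.10.20.3 host 10.10.20.2
 20 permit udp host 10.10.20.3 host 8.8.8.8 eq domain
 100 deny ip any any
"""

# Constructed sample flows from the restricted host: (dst, proto, dport, description)
FLOWS = [
    ("203.0.113.10", "tcp", 80,   "plain http"),
    ("203.0.113.10", "tcp", 443,  "https"),
    ("203.0.113.10", "tcp", 8080, "http on alternate port / proxy"),
    ("10.10.20.2",   "tcp", 389,  "LDAP to AD"),
    ("8.8.8.8",      "udp", 53,   "DNS to secondary resolver"),
]


def run(acl_text, src="10.10.20.3"):
    """Return (verdict per flow, match count per sequence number) for the sample flows."""
    aces = parse_acl(acl_text)
    verdicts = {desc: evaluate(aces, src, dst, proto, port) for dst, proto, port, desc in FLOWS}
    return verdicts, {a.seq: a.hits for a in aces}


if __name__ == "__main__":
    for name, acl in (("deny-list", DENY_LIST_ACL), ("allow-list", ALLOW_LIST_ACL)):
        verdicts, hits = run(acl)
        print(name, verdicts, hits)
```

Under the deny list, the flow on port 8080 is permitted by the final `permit ip any any`, which is exactly the situation the thread describes: a host that reaches the web over any port other than 80 or 443 never touches the deny entries, so their match counters stop climbing. Under the allow list the same flow is denied while the LDAP and DNS flows the host needs still pass; note that `permit ip` to the AD server is broader than the specific ports AD uses, so a tighter list would name those ports the way the DNS entry does.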

Hello, 

Based on what I did and what you suggested, I think that an IP access list is not an accurate method to prevent users from accessing the internet. In fact, I was trying to prevent users from accessing some websites such as YouTube etc.; however, I found that an IP access list is not useful for this, so I tried to prevent them from using any kind of web service (blocking ports 80 and 443), but it did not work properly. What do you think?

Best regards

 

A firewall should be used for traffic filtering, but as a firewall is not present in this scenario, an IP access-list is the only option to block traffic.

But if you have some specific websites that you need to block, then you can route those websites to null0. This is not recommended as it hits the CPU of the device if the traffic is very high.

Thanks

If your router supports CBAC it will work by URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html

Hello

Has the host changed its ip addressing?

Regards
Paul

