
Access List????

Eagle0107 (IS-IT--Management)
Sep 15, 2006
I am not even sure this is the right place for this question but I am going to ask it anyhow. Let me start by saying I am not all that familiar with the Cisco IOS but I have a Cisco 3640 running IOS 12.4.

I assume the way to do what I want is with an Access list, but I am not sure. What I am trying to do is block a specific IP address at the router..... For example, there are a couple of Class A blocks I want to block altogether, as well as a couple of C blocks and a few specific IP addresses.

Do I do this with Access lists? Could someone point me in the right direction??

Thanks -- Eagle
 
Thanks Burt, I can only assume from your first response that, to you, this was a stupid question, and I am sure it probably is, but I am not a programmer nor am I knowledgeable of Cisco OS.

I have an internal firewall that really does all my security and the Cisco just does its thing.... What I want to do, however, is stop some of the traffic at the Cisco so it does not even get to my firewall.

Basically I want to stop a specific set of Class A addresses and a few Class Cs that seem to be a royal pain and have no legitimate traffic coming from them. For example, looking at the information you provided, I would have the following added to my config:

access-list 101 deny IP 0.0.0.0 255.255.255.255 58.0.0.0 0.0.0.255
access-list 102 deny IP 0.0.0.0 255.255.255.255 59.0.0.0 0.0.0.255
access-list 103 deny IP 0.0.0.0 255.255.255.255 60.123.0.0 0.0.255.255

and so forth.... Am I on the right track here??

Thanks - Eagle
 
Yes, that is exactly it. My first post was an honest mistake---I hit ctrl-v without copying the right link first, which is why that first link got posted. It is funny though, I think.
Actually, I am not a programmer---I just play one in Tek-Tips...lol.
On a serious note---one thing to keep in mind about access-lists is that once a statement is put into the router, whether it be permit or deny, there is an implicit "deny any" statement that is automatically put in at the end of the list. So, at the end, you must put
access-list 101 permit ip any any
Also, you do not need multiple access-lists, especially if you plan to put them on the same interface...like acl 102, acl 103---you can put all the same entries under the same acl number.
One more thing---be sure to know how to apply the acl---on the interface facing the outside, let's say interface fastethernet 0/1 for example, it would look like this...
router(config)#int fa0/1
router(config-if)#ip access-group 101 in
like that. Be sure to save the configuration...
router#copy run start

Burt
 
You are on the right track. I'd set it up like this:

access-list 101 deny ip 58.0.0.0 0.0.0.255 any
access-list 101 deny ip 59.0.0.0 0.0.0.255 any
access-list 101 deny ip 60.123.0.0 0.0.255.255 any
access-list 101 permit ip any any

Then, in the outside interface configuration (like burtsbees pointed out):
ip access-group 101 in

The last line in the ACL is to override the implicit "deny ip any any" that's at the end.

ACLs are processed sequentially from top to bottom. The first rule that matches, whether it's "permit" or "deny", is used and all others are ignored.

 
Thanks Burt and lgarner,

I think I have it. I will do some testing this evening with a backup router I have to make sure all is well.

Thanks again -- Eagle
 
OK, I attempted to implement an access list this weekend and I can still see some of the IP addresses I am blocking reaching my mail server inside.
Here is what I did:

1) Created an access-list as follows in the base router config.

access-list 101 deny ip 58.0.0.0 0.0.0.255 any
Some more IPs

ended access-list with....

access-list 101 permit any any

2) Then entered the following for serial0/0 (my internet connection)

ip access-group 101 in

Based on the information I received here and some additional information I have reviewed, this should work, or so I thought... Like I said, I can still see that some of the IP addresses that are supposed to be denied at the serial interface are still reaching a mail server inside the router.

Any thoughts as to what I might be doing wrong??

Thanks Eagle
 
access-list 101 deny tcp x.x.x.x x.x.x.x any eq (port number your mail server uses)
access-list 101 permit ip any any
apply inbound to the outgoing interface
If your mail server uses a port other than 25, make sure it is properly reflected...
router# sh ip port-map
router#conf t
router(config)#ip port-map smtp port xxxx
Do this only if "sh ip port-map" shows something different for smtp. This can only happen if the IOS you have supports PAM/CBAC.

Burt
 
I am using IOS 12.4 currently. As for SMTP I am only using 25. I thought the idea of using ip vs tcp was that the router would reject ALL inbound traffic from the ip address ranges in the access-list.

Thanks -- Eagle
 
Are you actually trying to block the network 58.0.0.X, with 58.0.0 being the network and X being the hosts between 1 and 254? If you are truly trying to block the whole Class A, your inverse mask or wildcard bits will need to be 0.255.255.255. I am guessing you are seeing 58.34.22.X. This will block the entire network range of 58.0.0.0 (Network) to 58.255.255.255 (Broadcast).
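The two points made in this thread (lgarner's note that an ACL is evaluated top to bottom with first match winning and an implicit deny at the end, and the last reply's point that a wildcard of 0.0.0.255 only covers a /24, not the whole Class A) can be checked offline. The script below is an added example, not posted by anyone in the thread and not Cisco code: it is a small Python simulation of IOS extended-ACL matching. It assumes only the syntax used here (`access-list N permit|deny PROTO SRC DST [eq PORT]` with `any`, `host`, or address-plus-wildcard, numeric ports only), and the inside mail-server address 192.0.2.25 and the test source addresses are constructed for the example. Run it and you will see that with the ACL as posted, a packet from 58.34.22.7 is permitted, while with a 0.255.255.255 wildcard it is denied; `cidr_to_wildcard` shows how to derive the wildcard for any prefix so you do not have to work it out by hand.

```python
"""Simulate Cisco IOS extended ACL matching (first match wins, implicit
deny at the end) and show why 58.0.0.0 0.0.0.255 does not cover 58.0.0.0/8.
Added example for this thread, not code from the thread or from Cisco."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", ...
    src: int                      # source network as a 32-bit int
    src_wc: int                   # source wildcard: set bits are "don't care"
    dst: int
    dst_wc: int
    dport: Optional[int] = None   # destination port from "eq N", if present


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_matches(addr: int, net: int, wc: int) -> bool:
    """IOS wildcard semantics: only the bits that are 0 in wc are compared."""
    care = ~wc & 0xFFFFFFFF
    return (addr & care) == (net & care)


def _parse_addr(tokens: List[str]):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' lines.
    Only numeric ports are handled (an assumption of this example)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        _, _num, action, proto, *rest = tokens
        src, src_wc = _parse_addr(rest)
        dst, dst_wc = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(AclEntry(action.lower(), proto.lower(),
                                src, src_wc, dst, dst_wc, dport))
    return entries


def evaluate(entries, src: str, dst: str, proto="tcp", dport=25) -> str:
    """Return 'permit' or 'deny' for one packet. The first matching line
    wins; if nothing matches, the implicit 'deny ip any any' applies."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not wildcard_matches(_ip(src), e.src, e.src_wc):
            continue
        if not wildcard_matches(_ip(dst), e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


def cidr_to_wildcard(cidr: str) -> str:
    """'58.0.0.0/8' -> '58.0.0.0 0.255.255.255' (wildcard == host mask)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


# Constructed ACLs: the one from the thread, and the same with /8 wildcards.
ACL_AS_POSTED = """
access-list 101 deny ip 58.0.0.0 0.0.0.255 any
access-list 101 deny ip 59.0.0.0 0.0.0.255 any
access-list 101 deny ip 60.123.0.0 0.0.255.255 any
access-list 101 permit ip any any
"""
ACL_FIXED = """
access-list 101 deny ip 58.0.0.0 0.255.255.255 any
access-list 101 deny ip 59.0.0.0 0.255.255.255 any
access-list 101 deny ip 60.123.0.0 0.0.255.255 any
access-list 101 permit ip any any
"""
ACL_NO_FINAL_PERMIT = "access-list 101 deny ip 58.0.0.0 0.255.255.255 any"

MAIL_SERVER = "192.0.2.25"   # constructed inside address for the example

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        ents = parse_acl(acl)
        for src in ("58.0.0.9", "58.34.22.7", "203.0.113.5"):
            print(f"{name:9} {src:>12} -> {evaluate(ents, src, MAIL_SERVER)}")
    print("no final permit, 203.0.113.5 ->",
          evaluate(parse_acl(ACL_NO_FINAL_PERMIT), "203.0.113.5", MAIL_SERVER))
    print(cidr_to_wildcard("58.0.0.0/8"), "|", cidr_to_wildcard("60.123.0.0/16"))
```

The `ACL_NO_FINAL_PERMIT` case is the implicit-deny trap Burt describes: with no `permit ip any any` at the end, a source the list never mentions is still dropped. The simulation only models address, protocol and `eq` port matching; it does not model interface direction, so the "apply it inbound on the outside interface" step from the thread still has to be done on the router.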
 