
Access-lists


RadioX (IS-IT--Management)
May 15, 2001
I want to set up an ACL that will block all traffic from getting into my network but not block traffic going out. For example, I have a class C address of 192.168.10.0 255.255.255.0.

I want to block all traffic from coming into this class C, but I still want my users to be able to get on the Internet and get email etc. What is an example ACL that I would use to do this?

Thanks
Ron
 
If all you have behind your router is a private address range then no one can come into your network anyway. You can't route to a 192.168.10.x address! If you are hosting servers or something then that would be a different matter, but you only mention your 192 network. For example, if you had a machine behind your router with the IP address 192.168.10.5, and I wanted to port scan it, I couldn't do it from the internet. I would only be able to see the live IP address of your router and that's it.

Have a look at Shields Up and see what it can find.


I'm on a 192 network behind a Cisco router doing NAT and all a port scan found open was the telnet server on my router, which I know about anyway.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Yeah, that's the thing. I am on a public set of IPs and need to stay that way. I was using the 192 for an example.
 
Right! Well, you shouldn't be using public IPs on a private network then. It's a horrific waste of valuable IP addresses. You should really use private IPs behind a NAT device.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Hi Ron,

Chris makes a good point about using public addresses inside your network. However, if you want to put an ACL up for your existing setup you can use a standard ACL:

router(config)#access-list 10 deny 0.0.0.0 255.255.255.255

or

router(config)#access-list 10 deny any

This will stop any traffic coming in if you place it correctly. Go to your outward-facing port and use:

router(config-if)#ip access-group 10 in

Hey presto, all inbound traffic is denied apart from established connections.

Hope this helps

Steve

 
Steve,

Thanks for the config. But won't this block all traffic? I only want to block traffic to a specific class C. I actually have 4 class Cs routed down this line. The other three are public websites.

I also understand what Chris is saying about private addresses, and I would use them if I could, but for reasons that I cannot explain here I have to use these public addresses.

Thanks for your help
Ron
 
Ron,

No problem, this can be done with a standard list too. If you want to block only one address use:

! "established" is only accepted in an extended ACL (100-199), so list 110 is used here
router(config)#access-list 110 permit tcp any 192.168.10.0 0.0.0.255 established
router(config)#access-list 110 deny ip any 192.168.10.0 0.0.0.255
router(config)#access-list 110 permit ip any any

If you place this on the inbound interface it should stop any non-established traffic entering, but SMTP and HTTP will be let in if the user has requested it.

Steve
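The ACLs in Steve's two posts, worked through as an added example that is not part of the thread: a standard ACL (1-99) matches on source address only and does not accept the established keyword, so a filter that blocks unsolicited traffic to one class C while leaving the other three and outbound sessions alone has to be an extended ACL. The interface name Serial0, the DNS and ICMP lines, and the use of 192.168.10.0/24 in place of Ron's real public block are assumptions.

```cisco
! Added example, not configuration from the thread. Extended ACL 110, applied
! inbound on the Internet-facing interface. IOS evaluates an ACL top down, the
! first matching line wins, and an implicit "deny ip any any" sits at the end.
!
! Return traffic for TCP sessions that inside hosts opened (HTTP, SMTP, POP3...).
! "established" matches packets with the ACK or RST bit set. It is a flag check,
! not connection tracking, so a crafted packet with ACK set still passes this line.
access-list 110 permit tcp any 192.168.10.0 0.0.0.255 established
!
! UDP has no ACK bit, so DNS replies to inside hosts must be allowed explicitly
! (assumption: inside hosts resolve against DNS servers on the Internet).
access-list 110 permit udp any eq 53 192.168.10.0 0.0.0.255
!
! ICMP needed for ping replies, path MTU discovery and traceroute to keep working.
access-list 110 permit icmp any 192.168.10.0 0.0.0.255 echo-reply
access-list 110 permit icmp any 192.168.10.0 0.0.0.255 unreachable
access-list 110 permit icmp any 192.168.10.0 0.0.0.255 time-exceeded
!
! Everything else aimed at the protected class C is dropped; "log" records
! matches so the hit counters and syslog show what was blocked.
access-list 110 deny ip any 192.168.10.0 0.0.0.255 log
!
! The other three class Cs (the public web servers) are left untouched.
! Without this line the implicit deny would cut them off.
access-list 110 permit ip any any
!
interface Serial0
 ip access-group 110 in
!
! Verify after applying: per-line hit counters show which entry each packet hit,
! and the interface view confirms the list is bound in the inbound direction.
! show access-lists 110
! show ip interface Serial0 | include access list
```

Two caveats follow from the established line. First, it does nothing for UDP, so every UDP service inside hosts use has to be opened by port, as done for DNS above, which is why the list still lets anyone send inbound packets with a source port of 53 to the protected block. Second, because it keys on TCP flags rather than state, a scanner that sends ACK-only probes (an ACK scan) reaches inside hosts and can map which ports answer with RST. Real session tracking on IOS of that era needs reflexive ACLs or CBAC (ip inspect) from the firewall feature set, or a stateful firewall in front of the router.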
 