
block internet access 1


noypi

MIS
Aug 7, 2003
6
PH
hello!

hope someone can help me with the following:
1. block internet access for this IP range: 192.168.0.0 - 192.168.0.100
2. block internet access for this IP only: 192.168.0.65

here's my 1720 config:

interface Ethernet0
ip address 192.168.0.240 255.255.255.0 secondary
ip address 192.168.0.239 255.255.255.0
no ip directed-broadcast
ip policy route-map Voice
load-interval 30
!
interface Serial0
no ip address
!
interface Serial0.100 point-to-point
ip address 192.168.9.253 255.255.255.252
ip accounting output-packets
frame-relay interface-dlci 100
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.100
ip route 192.168.2.0 255.255.255.0 192.168.0.254
access-list 134 permit ip host 192.168.0.253 any
access-list 134 permit ip host 192.168.0.252 any
access-list 150 permit ip any any
priority-list 1 protocol ip high list 150
priority-list 1 default low
priority-list 1 queue-limit 400 500 600 800
route-map Voice permit 10
match ip address 134
set ip precedence flash

thanks
noypi
 
issues:
in configuration mode (for access-list):
ip access-list extended name-of-group
deny ip host 192.168.0.65 any
deny ip 192.168.0.0 0.0.0.156 (i forgot about netmask) any
permit ip any any


in configuration mode (for applying in Ethernet port)
Int e0
ip access-group name-of-group in

Hope this can help.
 
i tried your config. but still doesn't work.

thanks.
 
Although I think andy's config is correct, there are dozens of ways to do an access list. NOYPI, without a display of the messages, we are unable to see what went wrong with that list, so let's do it the hard way. This should get it for sure..... as long as you are positive this is the internet router and there are no proxy servers out there.

DO NOT do 192.168.0.0, this is your network.

I'm using the old access-list method, in case your IOS doesn't support named access lists.

FINISH THIS LIST, then paste it in.

access-list 10 deny 192.168.0.1
access-list 10 deny 192.168.0.2
....<Finish this>.....
access-list 10 deny 192.168.0.99
access-list 10 deny 192.168.0.100

interface Serial0.100
ip access-group 10 out

 
thanks lvennard, it works with the following config.

access-list 10 deny tcp any any eq www
access-list 10 permit ip any any

interface Serial0.100
ip access-group 10 out

rgds
noypi
 
Noypi,
your last post blocks anyone on your LAN from accessing the internet. My advice would be the following:

access-list 101 deny tcp 192.168.0.1 0.0.0.0 any eq www
.
.
.
.
access-list 101 deny tcp 192.168.0.100 0.0.0.0 any eq www
access-list 101 permit ip any any

int s0.100
ip access-group 101


I'm not 100% sure, but maybe this can all be done on one line using 0.0.0.x where x marks the range 192.168.0.1>100.
Must read up on my access lists.
Best of luck
Paul

Paul Kilcoyne B eng. CCNA
 
thanks paul, you gave me an idea. here's now my config.

interface Serial0.100
ip access-group 10 out

access-list 101 permit tcp 192.168.0.250 0.0.0.0 any eq www
access-list 101 permit tcp 192.168.0.252 0.0.0.0 any eq www
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any

I gave access to some IPs and blocked the rest, and it worked.
thanks again Paul, lvennard & andysk for your help.
noypi
 
noypi,
Yes that looks much better. Glad to be able to point you in the right direction.
Slán
Paul

Paul Kilcoyne B eng. CCNA
 
All access lists start out with the term access-list followed by the group number of the access list. IP extended access lists are numbered from 100 to 199. The next term in an access list is permit or deny. The next term is the protocol the access list statement deals with. Next is the source address and wildcard mask and destination address and wildcard mask. A wildcard mask is a backwards subnet mask where, when you convert the mask to binary, the "1" bits represent the bit positions in the address to ignore. Maybe I should show you an IP address with a wildcard mask:

192.168.45.121 0.0.0.255

The 255 in the last octet of the wildcard mask tells the access list to ignore the last 8 bits of the ip address. So this means that any number in the last octet would be acceptable by the access list.

So here's a simple IP extended access list:

access-list 100 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255

The above line allows the 172.16 network to reach the 172.17 network using IP. If you want to be permissive and allow everybody you can substitute the word any for the IP address. Say we want to allow all clients to reach a certain network:

access-list 175 permit ip any 172.28.2.0 0.0.0.255

You can also specify a specific host in your list by using the word host. Access lists are processed from top down so be careful about the order in which your statements appear. When you are writing an access list for TCP you can append the port number or service on the end of your list by using the equal or eq keyword:

access-list 121 permit tcp any host 172.22.230.2 eq www

The above list allows anybody to access the web server at 172.22.230.2

To apply your access list you go to the interface and use the ip access-group command and specify the direction you want the filtering to take place:

ip access-group 121 in

Remember the access-list and access-group commands must use the same number for it to work.
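As an added example (not code from anyone in the thread), here is a small Python evaluator for the numbered-list syntax explained above: entries are walked top down, the first match decides, and no match falls through to the implicit deny. It is loaded with constructed copies of two lists posted earlier in the thread, which shows why `deny tcp any any eq www` stops every host while the per-host permits let only those two hosts through.

```python
import ipaddress
# Constructed copies of two lists from the thread: the first denies web traffic from
# every source, the second permits two hosts and then denies the rest.
ACL_BLOCK_ALL = """
access-list 10 deny tcp any any eq www
access-list 10 permit ip any any
"""
ACL_ALLOW_TWO = """
access-list 101 permit tcp 192.168.0.250 0.0.0.0 any eq www
access-list 101 permit tcp 192.168.0.252 0.0.0.0 any eq www
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
"""
PORT_NAMES = {"www": 80}

def ip2int(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return ((base, wild), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip2int(tokens[1]), 0), tokens[2:]
    return (ip2int(tokens[0]), ip2int(tokens[1])), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq port]' lines, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, t = parse_addr(t[4:])
        dst, t = parse_addr(t)
        port = (PORT_NAMES.get(t[1]) or int(t[1])) if t[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def wildcard_match(addr, base, wild):
    # Bits set in the wildcard are ignored; every other bit must equal the base.
    return ((addr ^ base) & (0xFFFFFFFF ^ wild)) == 0

def evaluate(entries, proto, src, dst, dport=None):
    """Walk the list top down; the first matching entry decides, otherwise implicit deny."""
    s, d = ip2int(src), ip2int(dst)
    for action, p, (sb, sw), (db, dw), port in entries:
        if (p in ("ip", proto) and (port is None or port == dport)
                and wildcard_match(s, sb, sw) and wildcard_match(d, db, dw)):
            return action
    return "deny"
```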
 
Good thread. I'm studying access lists at the moment and your explanation is much better than the one in the book I'm studying.

Out of curiosity, is there no other way to block a range of addresses on a single subnet other than adding an entry for each address in the list? Could you not just add a few entries with more specific wildcards?

Maybe:

access-list 101 deny tcp 192.168.0.1 0.0.0.63 any eq www
access-list 101 deny tcp 192.168.0.65 0.0.0.31 any eq www
access-list 101 deny tcp 192.168.0.97 0.0.0.3 any eq www
access-list 101 deny tcp 192.168.0.100 0.0.0.0 any eq www

Or would that block the whole network, as it would include 192.168.0.0? Just a thought from a curious student :)



"Very funny Scotty, now beam my clothes down as well".
 
<<Or would that block the whole network as it would include 192.168.0.0. Just a thought from a curious student >>

Absolutely!!!! That is the whole purpose of that wildcard mask! It is there to give you more flexibility.
 
<That is the whole purpose of that wildcard mask! It is there to give you more flexibility.>

Perhaps I don't fully understand the concept of the Wildcard Mask, but all it seems to do is define a single address or an entire subnet. That doesn't sound very flexible to me.

"Very funny Scotty, now beam my clothes down as well".
 
I'm going to use a long way of explaining this so you understand TCP/IP subnetting a little better as well.

Ok, think of it like this: CIDR (Classless Inter Domain Routing) allows you to take a specific chunk of Classful addresses and limit them to a smaller subnet than the original Classful ones. This allows you to break up a class B address into multiple Class C addresses (note: this can be used on any class of addresses), which allows for conservation of your address space.

For example, take the address 10.3.1.1 255.255.0.0. Let us say you want only 14 viable addresses from this block, but want to use the rest for other devices. Hmmmmm, let's use CIDR: 10.3.1.1 255.255.255.240 is the new subnet value. What does that give us? 10.3.1.1 to 10.3.1.14 valid range,
10.3.1.15 broadcast range. Another way to think of the bit value in the subnet mask would be nnnnnnnn.nnnnnnnn.nnnnnnnn.nnnnhhhh
n=network h=host

Hopefully that helps you understand things a little bit. Moving on to the Wildcard Mask, it works in exactly the same fashion as a subnet mask. However, it is reversed when compared to a subnet mask. Say that you wanted to block everything except for addresses 1-14 using the address block of 10.3.1.1 255.255.0.0. What would that look like?

access-list 10 permit 10.3.1.0 0.0.0.240

Remember there is an implicit deny at the end of every access-list. The 0=match, you basically said match.match.match.1-14

I hope I made sense, and didn't confuse anyone (or get anything wrong here). It happens from time to time.
 
1. OK, I am with you for the subnetted network. 10.1.3.0/28, 14 hosts on the network, mask is 255.255.255.240 etc.

2. But still not quite so clear with the wildcard. Let's just use Standard Access Lists to simplify. With the example:

Access list 1 permit 10.1.3.0 0.0.0.240

That will allow any of the addresses on the above network access and block everything else. 10.1.4.7 will be blocked because there would not be a match in the 3rd octet. 10.1.3.17 would not have access as there is no match in the fourth octet.

3. Let me see if I can do the opposite. Say you want to block everything on the network we have specified but grant access to everything else.

deny 10.1.3.0 0.0.0.240
permit ip any any

Is that right?

4. I think what had me confused is the concept of using the Network ID rather than just a single IP address. The router will instantly know that 10.1.3.9 is in the 10.1.3.0 network so it matches it up.

(Thanks for all the help btw, some things can seem as clear as mud until the penny drops, and it is usually much better explained like this than trying to grasp it all just by reading a book)

"Very funny Scotty, now beam my clothes down as well".
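Added example, not code from any poster: Python that enumerates exactly which addresses an `address wildcard` pair matches (bits set in the wildcard are free, every other bit must equal the given address). It is run on the four-entry range proposal from a few posts up and on the `10.3.1.0` standard-list example from the last two posts, with `0.0.0.15` shown alongside `0.0.0.240` so the two wildcards can be compared directly.

```python
import ipaddress

def wildcard_matches(base, wild):
    """Every IPv4 address matched by 'base wild': bits set in the wildcard are
    free, all other bits must equal the base address (so whatever the base has
    under a set wildcard bit is irrelevant)."""
    b, w = int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))
    free_bits = [i for i in range(32) if w >> i & 1]
    if len(free_bits) > 16:
        raise ValueError("wildcard too wide to enumerate")
    fixed = b & (0xFFFFFFFF ^ w)
    matches = []
    for combo in range(1 << len(free_bits)):
        addr = fixed
        for j, bit in enumerate(free_bits):
            if combo >> j & 1:
                addr |= 1 << bit
        matches.append(str(ipaddress.IPv4Address(addr)))
    return matches

def addresses_denied(entries):
    """Union of addresses hit by a sequence of standard-list (base, wildcard) deny entries."""
    denied = set()
    for base, wild in entries:
        denied.update(wildcard_matches(base, wild))
    return denied

def last_octets(addrs):
    return sorted(int(a.rsplit(".", 1)[1]) for a in addrs)

# Constructed from the student's four-line proposal for blocking 192.168.0.1 through .100.
STUDENT_RANGE = [("192.168.0.1", "0.0.0.63"), ("192.168.0.65", "0.0.0.31"),
                 ("192.168.0.97", "0.0.0.3"), ("192.168.0.100", "0.0.0.0")]

if __name__ == "__main__":
    octets = last_octets(addresses_denied(STUDENT_RANGE))
    print(f"range entries cover .{octets[0]} to .{octets[-1]}, {len(octets)} addresses")
    for wild in ("0.0.0.240", "0.0.0.15"):
        hit = wildcard_matches("10.3.1.0", wild)
        print(f"10.3.1.0 {wild}: {len(hit)} addresses, first {hit[0]}, last {hit[-1]}")
```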
 
That would be right, trust me I completely know what you mean. I struggled with subnetting for quite some time, I mean I understood how to find the subnet I was looking for and figure out the math and whatnot. However, understanding it was a totally different thing. It was all of a sudden poof, ahhhhhhhhhhhhhh now I get it! I liken it to yoga and zen moments!
 