Blocking clients from accessing certain IP addresses/ranges

Status
Not open for further replies.

alura

Technical User
Jun 23, 2003
28
US
Hi, I have a Cisco 1720 router, and I'm looking to block my internal clients from accessing certain IP addresses (such as AOL Instant Messenger and Yahoo Messenger). I have done very little work with ACLs; I am assuming this is the way to do it. Here is an excerpt from my config file:

!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.200.2 255.255.255.0
ip access-group 100 in
no ip directed-broadcast
ip nat inside
ip inspect FastEthernet_0 in
no cdp enable
!
router rip
version 2
passive-interface Serial0
network 192.168.200.0
no auto-summary
!
ip nat pool GBT_1720-natpool-0 64.9.11.141 64.9.11.141 netmask 255.255.255.252
ip nat inside source list 1 pool GBT_1720-natpool-0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 3 permit 68.32.207.246
access-list 3 permit 207.155.252.47
access-list 3 permit 207.155.248.12
access-list 3 permit 207.155.248.4
access-list 3 permit 207.155.248.7
access-list 3 permit 68.85.114.204
access-list 3 permit 207.155.252.18
access-list 3 permit 207.155.252.72
access-list 3 permit any
access-list 100 permit ip any any
access-list 101 permit icmp any any
no cdp run

Thanks for any help anyone can give me.
 
Use access list 100; the easiest way is as follows:

enter the following in notepad:

no access-list 100 permit ip any any
access-list 100 permit ip 2.3.4.0 0.0.0.255 any

Remember the following for ACLs:

The list is processed top-down; when the first match is found, no more processing takes place.

There is an implicit deny at the end, if there is no match in the list the packet gets dropped.

In the extended list example above the first IP is the source, the second is the destination. Also note the direction the list works in; this is specified by the command that applies the list to the interface. In your router that's under F0/0:
ip access-group 100 in

The mask is inverted, so a class C range is 0.0.0.255, which means match the first 3 octets and ignore the last.

Finally, an individual address can be preceded by the host keyword.
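The following Python script is an added example, not code from this thread or from Cisco. It parses a small subset of IOS extended ACL syntax (only "access-list N permit|deny ip SRC DST", with SRC/DST as "any", "host A.B.C.D" or "A.B.C.D WILDCARD"; no ports or other protocols) and evaluates packets exactly the way the reply describes: top-down, first match wins, implicit deny when nothing matches, wildcard bits set to 1 are ignored. The embedded replacement for access-list 100 is a constructed example for the original poster's setup; the two "messenger server" destinations (192.0.2.0/24 and host 198.51.100.10) are RFC 5737 documentation addresses standing in for the real AIM/Yahoo addresses, which the thread does not list.

```python
"""Top-down evaluator for a subset of Cisco IOS extended ACL syntax.

Added example, not code from the thread or from Cisco.  Handles only
'access-list <n> {permit|deny} ip <src> <dst>' where each address spec is
'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress

# Constructed replacement for access-list 100 on the 1720.  Applied with
# 'ip access-group 100 in' on FastEthernet0, the source is the LAN client and
# the destination is the outside server.  The two destination ranges are
# placeholders (RFC 5737 documentation addresses), NOT real AIM/Yahoo
# addresses; substitute the real server addresses before use.  The deny lines
# must come before 'permit ip any any' or they are never reached, and the
# final permit is required or the implicit deny drops all LAN traffic.
ACL_100 = """
access-list 100 deny   ip 192.168.200.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 100 deny   ip 192.168.200.0 0.0.0.255 host 198.51.100.10
access-list 100 permit ip any any
"""

# The one-line list from the reply, kept to show the implicit deny at work.
ACL_REPLY = "access-list 100 permit ip 2.3.4.0 0.0.0.255 any"

ALL_ONES = 0xFFFFFFFF


def _addr_spec(tokens, i):
    """Consume one address spec at tokens[i]; return (net, wildcard, next_i).

    The wildcard is the inverted mask: a 1 bit means 'ignore this bit', so
    'any' is wildcard 255.255.255.255 and 'host X' is wildcard 0.0.0.0.
    """
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue  # blank line or IOS comment
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported line: {line!r}")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        snet, swild, i = _addr_spec(tokens, 4)
        dnet, dwild, i = _addr_spec(tokens, i)
        if i != len(tokens):
            raise ValueError(f"trailing tokens in: {line!r}")
        entries.append((action, snet, swild, dnet, dwild))
    return entries


def _matches(addr, net, wild):
    """Compare only the bits the wildcard does not mask out."""
    return ((addr ^ net) & (ALL_ONES ^ wild)) == 0


def evaluate(entries, src_ip, dst_ip):
    """Return (action, entry_number); entry_number is None for the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    for n, (action, snet, swild, dnet, dwild) in enumerate(entries, 1):
        if _matches(src, snet, swild) and _matches(dst, dnet, dwild):
            return action, n  # first match ends processing
    return "deny", None  # no match: implicit deny, packet is dropped


if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    for dst in ("192.0.2.7", "198.51.100.10", "198.51.100.11", "203.0.113.9"):
        print("192.168.200.50 ->", dst, evaluate(acl, "192.168.200.50", dst))
    # Only 2.3.4.0/24 is permitted, so a LAN client falls through to the implicit deny.
    print("reply's list:", evaluate(parse_acl(ACL_REPLY), "192.168.200.50", "203.0.113.9"))
```

Running it shows the LAN client denied on entries 1 and 2 for the two placeholder destinations, permitted on entry 3 for anything else, and dropped by the implicit deny under the reply's one-line list because its source is not in 2.3.4.0/24. Reversing the order of ACL_100 makes the permit match first and the deny lines dead, which is the ordering mistake the reply's "first match" rule warns about.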
 