blocking web traffic

Status
Not open for further replies.

mojo2002

Technical User
Dec 2, 2002
27
GB
We operate a central POP router with 50+ remote sites using mainly ISDN and serial.

I wish to block web traffic over these lines to stop users accessing the internet over their local browser.

I previously tried the following:

access-list 101 deny tcp any any eq www

This resulted in the interface blocking all traffic? I would have thought it would just block traffic using port 80?


I am about to try this tonight, 40.10 is our proxy server.
access-list 101 deny tcp any 192.168.40.10 0.0.0.0 eq ftp eq ftp-data

Will the above block all web ftp and ftp traffic?

Thanks,
steven
 
Did you forget the Implicit Deny at the end of any access list? You will need to add an access-list 101 permit ip any any so it will not block all other traffic....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Crash, bang, wallop...

Thanks for that, simple things confuse simple minds.
 
Another quickie whilst you're about, when putting access lists on dialers,

would this give the same result?

global config..
dialer-list 1 protocol ip list 101

interface bri 0
ip access-group 101


?

Thanks,
steven
 
Steven,
what you should do is not use the dialer-list command and just apply the access-list 101 directly to the BRI interface as follows;

access-list 101 deny tcp any any eq www
access-list 101 permit ip any any

int bri 0
ip access-group 101

If you really want to use the dialer-list command you'll have to set up a dialer interface first and then tie it to the BRI interface. This is what that would look like;



access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101

interface bri 0
dialer pool-member 10 <<ties the physical interface to the dialer interface

int dialer 1
dialer pool 10 << ties dialer int to bri 0
dialer-group 1 << applies dialer-list 1 to this int

Be careful with the aul' access lists, they tend to catch people out a lot.
Slán
Paul



Paul Kilcoyne B eng. CCNA
 
Also remember that if a user is running through a proxy you won't stop him or her if the proxy is not running port 80.
Just a thought.

Jan
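
Added example, not part of the original thread: a small Python model of first-match ACL evaluation for the subset of extended ACL syntax used in the posts above. It shows why the one-line list 101 dropped everything (the implicit deny), what the added permit line changes, and why a proxy listening on another port is not caught. The client address and proxy port 8080 used when calling it are assumed sample values.

```python
import ipaddress

PORTS = {"www": 80, "ftp": 21, "ftp-data": 20}  # IOS port keywords -> TCP port

def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]

def parse(line):
    """Parse 'access-list N action proto src dst [eq port]' (subset only)."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
    return action, proto, src, dst, port

def _match(spec, ip):
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        action, p, s, d, port = parse(line)
        if p not in ("ip", proto):
            continue
        if not (_match(s, src) and _match(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny (implicit)"

# ACL as first tried in the thread, and with the suggested permit line added.
ORIGINAL = ["access-list 101 deny tcp any any eq www"]
FIXED = ORIGINAL + ["access-list 101 permit ip any any"]
```

With `ORIGINAL`, every packet that is not TCP/80 still ends at the implicit deny; with `FIXED`, only TCP/80 is dropped, so `evaluate(FIXED, "tcp", "192.168.1.5", "192.168.40.10", 8080)` returns `permit`.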
 