Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

blocking web traffic

Status
Not open for further replies.
mojo2002

mojo2002

Technical User
Dec 2, 2002
27
GB
We operate a central POP router with 50+ remote sites using mainly ISDN and serial.

I wish to block web traffic over these lines to stop users accessing the internet over there local browser.

I previously tried the following:

access-list 101 deny tcp any any eq www

This resulted in the interface blocking all traffic? I would have thought it would just block traffic using port 80?


I am about to try this tonight, 40.10 is our proxy server.
access-list 101 deny tcp any 192.168.40.10 0.0.0.0 eq ftp eq ftp-data

Will the above block all web ftp and ftp traffic?

Thanks,
steven
 
Sort by date Sort by votes
Did you forget the Implicit Deny at the end of any access list? You will need to add a access-list 101 permit ip any any so it will not block all other traffic....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Upvote 0 Downvote
Crash, bang, wallop...

Thanks for that, simple things confuse simple minds.
 
Upvote 0 Downvote
Another quickie whilst your about, when putting access lists on dialers,

would this give the same result?

global config..
dialer-list 1 protocol ip list 101

interface bri 0
ip access-group 101


?

Thanks,
steven
 
Upvote 0 Downvote
Steven,
what you should do is not use the dialer-list command and just apply the access-list 101 directly to the BRI interface as follows;

access-list 101 deny tcp any any eq www
access-list 101 permit ip any any

int bri 0
ip access-group 101

If you really want to use the dialer-list command you'll have to set up a dialer interface first and then tie it to the BRI interface. This is what that would look like;



access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101

interface bri 0
dialer pool-memeber 10 <<ties the physical interface to the dialer interface

int dialer 1
dialer pool 10 << ties dialer int to bri 0
dialer-group 1 << applies dialer-list 1 to this int

Be careful with the aul' access lists they tend to catch people out alot.
Slán
Paul



Paul Kilcoyne B eng. CCNA
 
Upvote 0 Downvote
Also remember that if a user is running through a proxy you won't stop him or her if the proxy is not running port 80.
Just a thought.

Jan
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

PThomp3344
  • Locked
  • Question
Trying to connect to Cisco Unified Controller web interface: UC520W-16U-4FXO-K9
Replies
1
Views
178
bdk76
bdk76
quazimotto
  • Locked
  • Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
67
quazimotto
quazimotto
steel_bender
  • Locked
  • Question
Allow HTTPS TCP Traffic through ASA5525
Replies
1
Views
109
Mogles49
Mogles49
acabezas2014
  • Locked
  • Question
Need to create QoS for SNMP and Radius traffic on Cisco 4948 Switches
Replies
0
Views
74
acabezas2014
acabezas2014
rejackson
  • Locked
  • Question
Traffic shaping - how much memory is required
Replies
0
Views
53
rejackson
rejackson

Part and Inventory Search

Sponsor

Back
Top