Creating my first access list - please assist 2


michigan (IS-IT--Management), Jul 3, 2001
For some of you, this will be a breeze.

Recently, my logs started growing rapidly from failed attempts on one of my servers. I have the IP address(es) that I would like to block from my network.

I understand I can create different types of access lists, but really don't have a clue how to do so.

I have about 6 addresses I would like to block. Any assistance would be greatly appreciated. Thank you.
 
assuming you want to block ip traffic, a simple standard access list will allow you to block the source addresses to your network.

first create the access list, in global config mode

router(config)# access-list 10 deny <source address>
..
..
..
do this for all the hosts you want to block

then negate the implied deny all to allow other users access

router(config)# access-list 10 permit any

then apply the access list to the interface where the sources are coming from and block them coming in.

router(config-if)# ip access-group 10 in

NB: remember access lists are order dependent - in the order you type them.

Good luck,
Phil. If everything is coming your way then you're in the wrong lane.
 
Thank you for the prompt reply Phil.

I will give the above a try, and let ya know the outcome.
 
Yizhar,

Thanks for the advice on the other post. It looks like this is answering most of my questions here. I just have a few more if anyone can help.

#1: How do I get to the global config mode ?

#2: How do I remove previously added IP deny lines

#3: How do I deny IP groups (for instance 65.10.x.x)

My router will be primarily DENYING IP addresses and groups while allowing all others. You've seen my config at the top so I already have a list created for incoming traffic.

Any help would be appreciated.

TW
 
OK, first get to enable mode,

router> enable
password: *****

router#

then configure from terminal

router# configure terminal
router(config)#

thats global config mode.

To amend access lists is a tricky affair. As I said above, the order you enter an access list decides how the access list operates. I find it best when amending an access list to copy the original somewhere, then scrap it and start again.

It is a good idea to first take a copy of the config you have to a tftp server.

Then remove the access list

router(config)# no access-list 10

this will remove all the entries for access list number 10.

then add the access-list back as you want it (remembering the implied "deny all" rule).


By using network masks and extended access lists you can block ranges of IP addresses from entering your network.
For your example...
router(config)#access-list 101 deny ip 65.10.0.0 0.0.255.255 any

there is plenty of information on Cisco website (and others) giving examples of standard and extended access lists.

Have fun...
Phil. If everything is coming your way then you're in the wrong lane.
 
OK, That's great information. I really appreciate it and the link to the Cisco site is very helpful information. If you can spare a few more moments, I have a few more questions that are probably easy for you and hopefully you can breeze right through them. If I've opened a can of worms here, just let me know and I'll back off.


#1: In your first example to michigan you provided the following line to deny a single IP.

access-list 10 deny <source address>

In your example to me to block a range of addresses you provided this line.

access-list 101 deny ip 65.10.0.0 0.0.255.255 any

I just want to make sure that, for these two examples, the any parameter and the ip parameter only applies to a range of addresses or does it apply, or work with both examples ?


#2: From your helpful tips, my understanding of the order dependency is that when a request meets the parameters of one of the deny commands, the request is immediately denied and the list stops processing, so to speak. Please correct me if I'm wrong there.


#3: With all that in mind, take a look at the relevant portion of my current config.

Current config (partial)

!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip access-group 110 out
ip nat inside
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 110 deny tcp any any range 137 139
access-list 110 permit ip any any
!


Proposed NEW config. Changes are BOLD

!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip access-group 110 out
ip access-group 120 in
ip nat inside
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 110 deny tcp any any range 137 139
access-list 110 permit ip any any
access-list 120 deny ip 65.10.0.0 0.0.255.255 any
access-list 120 permit ip any any

!


Do you see any problems there ??

#4: If all looks good above, I have a question regarding denying IP ranges on incoming traffic. Does the above example apply to ALL traffic, including web pages that are returned to my browser when I'm just browsing the Internet? If so, no need to go down that road. I can just do a little extra work on the list and deny single IPs.

#5: Of course, I'm bound to make a mistake during configuration. Currently, the only command that I know to save a configuration is..
copy running-config startup-config
which I have used several times in the past. While I am doing configuration, will the show run command show me my changes. And if I don't like them, how can I undo changes before saving and see the original config with the show run command?

Well, that's more than a few questions and I certainly appreciate any input you can provide. I think I'm getting the hang of it.. I promise to read up on the Cisco TAC page that you linked me to.

Thanks again in advance.

TW

 
OK,

#1
There are two types of access list - standard and extended. My first was a standard acl, the second an example of an extended access list. Standard acls will control access to/from an ip address or range, extended access lists control access in a more exact way, controlling which protocols / ports / destinations... the list goes on.
You can specify a standard acl to bar a range of ip addresses:-
router(config)# access-list 10 deny 65.10.0.0 0.0.255.255

#2 You're dead right!

#3 your proposed config looks fine, blocking the 65.10's coming in, allowing everything but p137/139 out. No problems there. (although it is sometimes useful to include comments in your config to describe why a particular acl is in the config, e.g. access-list 120 remark Dont allow servers from 65.10 in)

#4 the ACL is denying IP packets from a source. Web pages are essentially in IP packets so they will be denied. You could include a permit statement before the deny to allow http traffic.

#5 to undo commands / remove them from the running config, precede the command with 'no'. Also, to return to the startup-config state, you can just restart the router without saving the running config.

When trying out new commands use '?' a lot. It will tell you what the IOS is expecting you to type next, and gives you a good idea of the options available to you.

Good Luck.
Phil.
If everything is coming your way then you're in the wrong lane.
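Phil's three replies above describe the rules an IOS access list follows: entries are checked in the order typed, the first match decides, anything unmatched hits the implied "deny all", a wildcard mask such as 0.0.255.255 covers a whole range like 65.10.x.x, and the list only acts on traffic passing through the interface and direction it is bound to. The Python model below is an added example, not code from this thread or from Cisco; it lets you check a list against a sample packet before typing it into the router. The Packet/interface model and the sample access-list lines (assembled from the ones quoted in the thread) are constructed for illustration. It also models which interface a list is bound to, which decides whether a packet arriving from the Internet is evaluated by it at all.

```python
"""Simulate how Cisco IOS evaluates a numbered access list.

Added example, not code from the Tek-Tips thread. It models what the replies
describe: entries are checked top-down, the first match decides, and anything
unmatched hits the implied "deny all". The packet/interface model and the
sample access-list lines are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "action proto src src_wc sport dst dst_wc dport")  # proto "ip" = any protocol; port None = any port
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=("tcp", 0, 0))
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_mask(prefix_len):
    """Cisco wildcard = bitwise inverse of the subnet mask: /16 -> 0.0.255.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)

def addr_matches(addr, base, wildcard):
    """Wildcard bit 1 = don't care; 0 = must equal the same bit of base."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _addr(t):
    """Consume 'any' | 'host A' | 'A W' | bare 'A' (standard-ACL host shorthand)."""
    if t[0] == "any":
        return ANY, t[1:]
    if t[0] == "host":
        return (t[1], "0.0.0.0"), t[2:]
    if len(t) > 1 and t[1].count(".") == 3:
        return (t[0], t[1]), t[2:]
    return (t[0], "0.0.0.0"), t[1:]

def _port(t):
    """Consume an optional 'eq P' or 'range L H' that follows an address."""
    if t[:1] == ["eq"]:
        return (int(t[1]), int(t[1])), t[2:]
    if t[:1] == ["range"]:
        return (int(t[1]), int(t[2])), t[3:]
    return None, t

def parse(lines):
    """Parse 'access-list N ...' lines into {N: [Entry, ...]}, keeping config order."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 3 or t[0] != "access-list" or t[2] == "remark":
            continue
        num, action, rest = int(t[1]), t[2], t[3:]
        if num <= 99:                   # standard ACL: source address only
            src, rest = _addr(rest)
            e = Entry(action, "ip", *src, None, *ANY, None)
        else:                           # extended ACL: proto src [port] dst [port]
            proto, rest = rest[0], rest[1:]
            src, rest = _addr(rest)
            sport, rest = _port(rest)
            dst, rest = _addr(rest)
            dport, rest = _port(rest)
            e = Entry(action, proto, *src, sport, *dst, dport)
        acls.setdefault(num, []).append(e)
    return acls

def _in(r, p):
    return r is None or r[0] <= p <= r[1]

def evaluate(acl, pkt):
    """(action, 1-based index) of the first matching entry; ('deny', None) if none matches."""
    for i, e in enumerate(acl, 1):
        if (e.proto in ("ip", pkt.proto) and addr_matches(pkt.src, e.src, e.src_wc)
                and _in(e.sport, pkt.sport) and addr_matches(pkt.dst, e.dst, e.dst_wc)
                and _in(e.dport, pkt.dport)):
            return e.action, i
    return "deny", None                 # the implied deny at the end of every ACL

def forward(bindings, acls, pkt, in_if, out_if):
    """Transit packet: inbound ACL of the ingress interface, then outbound ACL of the egress one."""
    for iface, direction in ((in_if, "in"), (out_if, "out")):
        num = bindings.get((iface, direction))
        if num is not None and evaluate(acls[num], pkt)[0] == "deny":
            return f"dropped by access-list {num} ({direction} on {iface})"
    return "forwarded"

# Constructed from the lines quoted in the thread; 205.184.163.x is the last poster's case.
CONFIG = parse("""
access-list 10 deny 205.184.163.0 0.0.0.255
access-list 10 permit any
access-list 110 deny tcp any any range 137 139
access-list 110 permit ip any any
access-list 120 remark Dont allow servers from 65.10 in
access-list 120 deny ip 65.10.0.0 0.0.255.255 any
access-list 120 permit ip any any
""".splitlines())

if __name__ == "__main__":
    probe = Packet("65.10.4.4", "10.10.10.5", "tcp", 40000, 22)
    # As posted, ACL 120 is bound 'in' on Ethernet0, so it only sees packets arriving from the LAN.
    print(forward({("Ethernet0", "out"): 110, ("Ethernet0", "in"): 120}, CONFIG, probe, "Dialer1", "Ethernet0"))
    # Bound 'in' on Dialer1 it sees the packet from the Internet side and drops it.
    print(forward({("Ethernet0", "out"): 110, ("Dialer1", "in"): 120}, CONFIG, probe, "Dialer1", "Ethernet0"))
```

Two things worth checking with it. First, swap the order of a `permit tcp 65.10.0.0 0.0.255.255 eq 80 any` and the `deny ip 65.10.0.0 0.0.255.255 any` line and evaluate a web reply (source port 80): with the permit first it is allowed, with the deny first it is dropped, which is the order dependence Phil keeps stressing. Second, `ip access-group 120 in` on Ethernet0 filters packets entering the router from the LAN side; a probe from 65.10.x.x arrives on Dialer1 and is only ever seen by ACL 110 outbound, so in the model it is forwarded. Binding the same list inbound on Dialer1 is what makes the model (and the router) drop it.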
 
Phil,

Thank you very much. I'm sure you know how much time and headache that saved me.

ToddWW
 
Ok - call me retarded. . . but I still don't get it. I almost got it, then ToddWW got all deep on my thread (jk!)
:)

I should have admitted up front, on a scale of 1 - 10 I know about a 2!

I don't know about global router settings. I don't know about most of the settings you listed or talked about. So please, bear with me.

I can get to my router prompt. I checked, and I have one access list (10) running.
I keep getting hit by 205.184.163.XXX, where XXX is several different last octets. So I want to block all of 'em!
What is my next step?

Thanks again for your patience and assistance!!!
 