
Need to block NAT users from accessing a web site

Status
Not open for further replies.

tonyynot

Technical User
Oct 2, 2002
I have a Cisco 2600 router on a T1 with NAT. I need to block our users from accessing a web site. I have very little knowledge of Cisco commands. This is our current configuration: (I have removed some digits from the IPs)
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 12 permit 2.2.1.0 0.0.0.255
access-list 12 permit 2.1.1.32 0.0.0.15
access-list 12 permit 2.2.2.64 0.0.0.63
access-list 12 permit 2.1.6.0 0.0.0.255
access-list 12 deny any

Please give me step-by-step instructions on how to deny a range of IPs. (ie. How to modify and save the list properly.)

I assume I need to add:
access-list 12 deny tcp any xxx.xxx.xxx.xxx 0.0.0.0
access-list 12 permit tcp any any

Thanks.
 
Oooh. Access lists are more than I can explain in a posting. Good news is there are lots of tutorials out there. A basic template is here.

access-list 12 permit 2.2.1.0 0.0.0.255
access-list 12 permit 2.1.1.32 0.0.0.15
access-list 12 permit 2.2.2.64 0.0.0.63
access-list 12 permit 2.1.6.0 0.0.0.255
access-list 12 deny any

What it does
Allows any traffic (any protocol) to go to
2.2.1.0 255.255.255.0
2.1.1.32 255.255.255.240
2.2.2.64 255.255.255.192
2.1.6.0 255.255.255.0

Since you want to specify protocol and port (ip/tcp) you need to delete the current access-list and create an extended access-list using a number between 100 and 199.

If you don't want to spend a lot of time doing this you might try Cisco's free ConfigMaker software.
-Jeff ----------------------------------------
Wassabi Pop Tarts! Write Kellogs today!
 
J.G.

Thanks for the info. I appreciate the quick response. I should have explained my knowledge better. I am an NT Sys. Admin. for a web hosting company with 30 NATed users. I just started studying for my CCNA. I have done quite a bit of research on this, and I understand the access lists relatively well. I am not sure how to modify ours properly. I read through the CCNA books, but step-by-step on how to add my restrictions is what I don't understand. This is a production router. I cannot afford to make a slight mistake in the syntax. Your app. may be of some help. I assume that it is like WEBMIN for Unix. Anything else you can think of, please let me know.
 
Configmaker doesn't do NAT, so that's out. You don't need to change the entire config, just the access list. So just delete the old list from the config and paste in the new one that you have ready in Notepad.

jg is quite right about the wealth of resources about access lists. I have a Java-based tool that originally came from P. Welcher and company when MentorLabs were still around. I would post it but I'm not sure on the copyright any more. It gave a graphical way to make the list. Works OK, could be better, but I think they dropped the development a few years back. There may be others out there by now.

Ideally, you would ask for about 5 minutes of *official* outage to make your changes. This way if the syntax gets hosed, you can recover.

If that's out, copy the config off the router and then beg, borrow or rent a couple of hours on a rack via the internet to test your new access list. Once you have the new access list working, use *cut and paste* on the production router to get the new code in place. Do the WHOLE list and while you are at it, make sure that the most common matches are listed first. An access list is like compiled code, it goes one line at a time and if the match is at the bottom, it can take a while. Don't forget the implied deny any at the end of all access lists.

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Thanks to everyone for the help. I have been looking over Cisco's router GUI that was mentioned earlier. It is user friendly, but tells me that there are some unreadable config lines on our router. If I change the access list, it will also make its own changes to the config. I am wary about making too many changes. Time to hand my problem over to a CCIE. I believe that our ISP can do the work for me - for a fee - of course. Take care.
 
Ok. Looks like I have to do this myself, so I'm back. Please help me out if you can. I know how to create an access list and apply it. I have a few questions: If I currently have access-lists 1 and 12 on the router, can I create extended access-list 101 and apply it also? Can they all run at the same time? For right now, I want to block user access to one web site. Please tell me the syntax for this extended list. I assume it should be only two lines - one to deny the site (by IP) - and one to allow everything else. Correct?
 
It's not so important *how* many access lists you have as it is which interface it's applied to and if it's *inbound* or *outbound*.

You can only have a single access list on the inbound or a single list outbound. So if you have access list 1 applied to E0 and it's outbound, you need to use those rules on the new access list 101 AND the new rules you want to use to block the web site. Then you need to edit the config to use access list 101 instead of 1 on the outbound.

Here is a good link that is somewhat tongue in cheek to how access lists work and how to make them.


MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
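The procedure MikeS describes (check what is already applied, build the whole extended list offline, paste it in, verify, save), written out as an added IOS example that is not from the thread. It assumes the inside LAN interface is Ethernet0/0, that the users sit in 10.0.0.0/8 as access-list 1 suggests, and that the site to block is the placeholder <BLOCKED_SITE_IP>.

```cisco
! Added example, not the poster's router config. Assumptions: inside LAN
! interface is Ethernet0/0, users are in 10.0.0.0/8, <BLOCKED_SITE_IP> is
! a placeholder for the web server's public address.
!
! 1. See which list (if any) is already attached to the inside interface.
!    Only one list per direction is allowed, so an existing list's rules
!    would have to be merged into 101 before 101 replaces it.
show ip interface Ethernet0/0 | include access list
!
! 2. Enter the whole extended list. Inbound on the inside interface the
!    packets are still pre-NAT, so the source is the private 10.x range.
!    "log" sends a syslog line per matching packet so blocks are visible.
configure terminal
access-list 101 remark Block one web site for NAT users, allow all else
access-list 101 deny   ip 10.0.0.0 0.255.255.255 host <BLOCKED_SITE_IP> log
access-list 101 permit ip any any
!
! 3. Apply it inbound on the inside interface (replaces any list already
!    applied in that direction on this interface).
interface Ethernet0/0
 ip access-group 101 in
 exit
end
!
! 4. Confirm the deny line is collecting matches, then save the config.
show access-lists 101
copy running-config startup-config
```

Without the final `permit ip any any` the implicit deny at the end of the list would cut off all other traffic through that interface.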
 