Access-list block range of hosts

cisco 2600 router with wic1-adsl card
I'm having difficulty creating an access-list that will block a range of specified internet IPs but allow everything else. Google finds loads of ACLs showing how to permit a range but nothing about how to deny.
In the past I've been able to deny a host using:
access-list 105 deny   ip any host A.B.C.D
but that only blocks one host and not a range (unless you have loads of entries).
My reason for this is to block baiduspider.com from accessing my server. Baidu uses a large range of IPs but so far they're confined to 123.125.*.*, 61.135.*.* and 220.181.*.*
I tried:
access-list 10 deny   123.125.0.0 0.0.0.255
access-list 10 deny   220.181.0.0 0.0.0.255
access-list 10 deny   61.135.0.0 0.0.0.255
access-list 10 permit any
all web traffic comes via the adsl-wic card in the router so I put:
ip access-group 10 out
into the dialer0 config but this didn't work.
thanks for any help.

It looks like I've done it. I was using the wrong subnet mask.
I changed the access list to:
access-list 10 deny   A.B.0.0    0.0.255.255
and from that moment Baidu disappeared from the web log.
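To make the mask mistake in this thread concrete, here is an added example (not part of the original post) that evaluates a numbered standard ACL the way IOS does: first matching entry wins, and an unmatched packet hits the implicit deny at the end. It runs the poster's first attempt (wildcard 0.0.0.255, which only ignores the last octet) and the corrected version (wildcard 0.0.255.255) against a few constructed source addresses inside the ranges the poster named plus one unrelated address; the sample addresses are assumptions for illustration, not real crawler hosts.

```python
import ipaddress
import re


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is a don't-care. 0.0.0.255 therefore only ignores the last octet,
    while 0.0.255.255 ignores the last two."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


ENTRY_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")


def parse_standard_acl(lines):
    """Parse numbered standard ACL lines into (action, base, wildcard) tuples.
    Handles 'any', 'host A.B.C.D', a bare address (treated as a host) and
    'A.B.C.D W.X.Y.Z'. Non-ACL lines are ignored."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        action, rest = m.group(2), m.group(3).split()
        if rest[0] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif rest[0] == "host":
            entries.append((action, rest[1], "0.0.0.0"))
        elif len(rest) == 1:
            entries.append((action, rest[0], "0.0.0.0"))
        else:
            entries.append((action, rest[0], rest[1]))
    return entries


def evaluate(entries, src_addr: str) -> str:
    """First matching entry decides; no match means the implicit 'deny any'."""
    for action, base, wildcard in entries:
        if wildcard_match(src_addr, base, wildcard):
            return action
    return "deny"


# The poster's first attempt: /24-sized wildcards on what are /16 ranges.
ORIGINAL_ACL = [
    "access-list 10 deny   123.125.0.0 0.0.0.255",
    "access-list 10 deny   220.181.0.0 0.0.0.255",
    "access-list 10 deny   61.135.0.0 0.0.0.255",
    "access-list 10 permit any",
]

# The corrected list: wildcard 0.0.255.255 covers the whole A.B.*.* range.
FIXED_ACL = [
    "access-list 10 deny   123.125.0.0 0.0.255.255",
    "access-list 10 deny   220.181.0.0 0.0.255.255",
    "access-list 10 deny   61.135.0.0 0.0.255.255",
    "access-list 10 permit any",
]

# Constructed sample sources (assumed for illustration): three inside the
# ranges named in the post, one unrelated address from a documentation block.
SAMPLE_SOURCES = ["123.125.71.10", "61.135.0.7", "220.181.5.5", "198.51.100.4"]


def compare(sources=SAMPLE_SOURCES):
    """Return {source: (result under ORIGINAL_ACL, result under FIXED_ACL)}."""
    orig = parse_standard_acl(ORIGINAL_ACL)
    fixed = parse_standard_acl(FIXED_ACL)
    return {s: (evaluate(orig, s), evaluate(fixed, s)) for s in sources}


if __name__ == "__main__":
    for src, (before, after) in compare().items():
        print(f"{src:16} original: {before:6}  fixed: {after}")
```

Only 61.135.0.7 is caught by the first list, because its third octet happens to be 0; the other two crawler-range addresses fall through to `permit any`. With the 0.0.255.255 wildcard all three are denied and the unrelated address is still permitted, which is the behaviour the poster saw in the web log.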

Similar Messages

  • Access-list port range question

    Hi,
    I would like to clarify the exact operation of the below command:
    ip access-list extended VoiceACL
    permit udp any any range 16384 16387
    Thus the range statement in the above access list specifies that it allows only three ports, "16384 to 16387". Is that correct? Bit confused with this command. One of my friends said that the range statement does not just specify 3 ports, but that it specifies the starting port as 16384 and the end port number as 32771 [16384+16387].
    [Value1] = starting port number
    [Value2] + [Value1] = end port number
    Thanks
    Nachi

    Hi Nachi,
    This represents the ports ranging between the first number and the last number included; in your case this is actually 4 ports: 16384, 16385, 16386 and 16387.
    Regards,
    Raphael

  • Nexus1000v : ip access-list with port range

    Hi,
    I am configuring an ip access-list policy with port range on Nexus1000v. I want to block traffic of a VM based on a specific port or port range. Following is the example showing blocking of the rdp service (port 3389) of vm x.x.x.x. But the script blocks all traffic of x.x.x.x.
    Can anybody verify the script and tell what's the problem with the script?
    vm x.x.x.x is on Veth2
    config t
    ip access-list Veth2_rc_vmfw_acl_in
    deny tcp any host x.x.x.x eq 3389
    exit
    ip access-list Veth2_rc_vmfw_acl_out
    deny tcp host x.x.x.x any eq 3389
    exit
    interface Veth2
    ip port access-group Veth2_rc_vmfw_acl_in in
    ip port access-group Veth2_rc_vmfw_acl_out out
    exit
    exit
    Thanks

    License? Check Data Features

  • MAC access-list on switching platforms

    Please advise if I am in the wrong group, and I'll move the post.
    I'd like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
    Here is the link I am looking at:
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    MAC-based ACLs can be configured on the router. You will need to use an access-list which ranges from 700-799.
    A sample statement would be:
    access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>
    Apply it to a VLAN interface after making the VLAN interface a layer 2 interface.

  • Access Lists

    Hi,
    I have two routers R1 and R2 with FastEthernet Interface IP address (F0/0)10.1.0.1 and
    (F0/0)10.1.0.2 respectively. I am using HSRP and R1 is active and R2 is in standby state.
    What's happening is when I am applying ACLs in R1 on F0/0 I cannot telnet to R2, but if I remove these ACLs I can telnet to R2 from R1.
    Can someone please help me with this. Since they are on the same segment, my understanding is that I can telnet to R2 from R1 even after applying ACLs.
    Thanks

    Hi Jason,
    Please find below the config of R1
    interface FastEthernet0/0
    ip address 10.1.0.1 255.255.255.0
    ip access-group 101 in
    ip access-group 102 out
    speed auto
    standby 1 ip 10.1.0.254
    standby 1 preempt
    access-list 101 permit tcp host 10.1.0.1 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.2 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.3 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.4 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.5 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.6 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.7 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.8 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.9 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp 10.1.0.0 0.0.0.255 host 192.168.1.190
    access-list 101 permit tcp 10.1.0.0 0.0.0.255 host 192.168.8.22
    access-list 101 permit udp 10.1.0.0 0.0.0.255 eq snmp host 192.168.8.22
    access-list 101 permit udp 10.1.0.0 0.0.0.255 host 192.168.8.22 eq snmp
    access-list 101 permit udp 10.1.0.0 0.0.0.255 host 192.168.8.22 eq snmptrap
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.1
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.2
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.3
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.4
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.5
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.6
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.7
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.8
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.9
    access-list 102 permit tcp host 192.168.1.190 10.1.0.0 0.0.0.255
    access-list 102 permit udp host 192.168.8.22 eq snmptrap 10.1.0.0 0.0.0.255
    access-list 102 permit udp host 192.168.8.22 eq snmp 10.1.0.0 0.0.0.255
    access-list 102 permit udp host 192.168.8.22 10.1.0.0 0.0.0.255 eq snmp

  • LMS 4.2 Compliance check extended access-list

    Hi,
    I would like to check if our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
    I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
    I have made a new compliance check like this:
    'submode': ip access-list extended 'acl-name'
    +deny tcp any any eq smtp
    But that is not working. Can someone show me the 'right path'?
    Thanks
    Soren

    Doesn't have any issues on my Lab 4.2.4. Following is the Job Work Order:
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NAJob Policies
    E-mail Notification: Not Applicable
    Job Based Password: Disabled
    Device Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share; I will try it on my LMS server. Also, check the same compliance job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating encourages contributors, and it's really free.**

  • Failed Extended Access-list

    Hello all,
    I am trying to apply this extended access-list to my router to permit the selected ports and deny the rest, but my emails are not sending outside; all emails are stuck in the queue. If I remove the access-list, all emails go freely. What's left in my configuration?
    access-list 101 permit tcp host 192.168.111.30 eq 53 any
    access-list 101 permit udp host 192.168.111.30 eq 53 any
    access-list 101 permit tcp host 192.168.111.30 eq 25 any
    access-list 101 permit tcp host 192.168.111.30 eq 443 any
    access-list 101 permit tcp host 192.168.111.30 eq 587 any
    access-list 101 permit tcp host 192.168.111.30 eq 995 any
    access-list 101 deny ip any any
    Interface Dialer 0
    ip access-group 101 out

    Here is the complete configuration.
    Router#sh run
    Building configuration...
    Current configuration : 3665 bytes
    ! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
    ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
    ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    crypto pki token default removal timeout 0
    ip source-route
    ip cef
    no ipv6 cef
    license udi pid C887VA-W-E-K9 sn FCZ1624C30K
    username admin privilege 15 password 7 045A0F0B062F
    controller VDSL 0
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto ipsec profile protect-gre
     set security-association lifetime seconds 86400
     set transform-set TS
    interface Loopback0
     ip address 10.10.10.1 255.255.255.255
    interface Tunnel4120
     ip address 10.0.0.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication cisco
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     ip tcp adjust-mss 1360
     tunnel source Dialer0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile protect-gre
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 0/35
      pppoe-client dial-pool-number 1
    interface Ethernet0
     no ip address
     shutdown
     no fair-queue
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Wlan-GigabitEthernet0
     description Internal switch interface connecting to the embedded AP
     switchport mode trunk
     no ip address
    interface wlan-ap0
     description Embedded Service module interface to manage the embedded AP
     ip unnumbered Vlan1
    interface Vlan1
     ip address 192.168.111.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1360
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp chap hostname xxxxxxxxxxxxxxxxx
     ppp chap password 7 03077313552D0F411E512D
    router rip
     version 2
     network 10.0.0.0
     network 192.168.111.0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
    ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
    ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
    ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 permit 192.168.111.30
    access-list 10 permit 192.168.111.0 0.0.0.255
    access-list 101 permit tcp host 192.168.111.30 eq 53 any
    access-list 101 permit udp host 192.168.111.30 eq 53 any
    access-list 101 permit tcp host 192.168.111.30 eq 25 any
    access-list 101 permit tcp host 192.168.111.30 eq 443 any
    access-list 101 permit tcp host 192.168.111.30 eq 587 any
    access-list 101 permit tcp host 192.168.111.30 eq 995 any
    access-list 101 deny ip any any
    line con 0
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     stopbits 1
    line vty 0 4
     access-class 10 in
     login local
     transport input all
    scheduler allocate 20000 1000
    end
    Router#

  • Help with an access list please

    Hi guys, I have an access list applied inbound to an interface on a router at the edge of our LAN. Our LAN subnet is 10.10.x.x and the incoming subnet is 10.13.x.x, both with a 16 bit mask. The ACL is applied inbound to the interface that the 10.13.x.x subnet comes in on. I want to only allow them to go to our internal webserver to run a corporate web app, resolve DNS for this web server with our DNS servers, and have full access to a server on the other side of our WAN for another 32 bit app they are running. Here is my ACL (you will notice I have also configured a single IP with full access in for us to use when we are on site):
    access-list 101 permit ip 10.10.0.0 0.0.255.255 any
    access-list 101 permit ip host 10.13.1.254 any
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit ip 10.13.0.0 0.0.255.255 host 192.168.9.1
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.24 eq www
    access-list 101 deny ip 10.13.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 10.13.0.0 0.0.255.255 172.16.100.0 0.0.0.255
    access-list 101 deny ip any any
    From the 10.13.x.x network this works like a charm, but here is the key: I want to be able to remote admin their machines but can't. Even though the ACL is applied inbound only, I can't get to their subnet; even with the first permit statement I still can't get to their subnet. I am assuming it's allowing me in but the problem is lying with the return traffic. Is there a way for me to deny them access as in the list but for me to remote to their subnet?
    Any help you could offer would be appreciated.

    I agree with you that the first line in the access list is incorrect. Coming in that interface the source address should never be 10.10.0.0. But if he follows your first suggestion then any IP packet from 10.13.anything to anything will be permitted and none of the other statements in the access list will have any effect.
    And I have a serious issue with what he appears to suggest, which is that he will take his laptop (with a 10.10.x.x address), connect it into a remote subnet, and expect it to work. Unless he has IP mobility configured, he may be able to send packets out, but responses to 10.10.x.x will be sent to the 10.10.0.0 subnet and will not get to his laptop. He needs to rethink this logic.
    I do agree with your second suggestion that:
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255
    should allow the remote administration to work (assuming that 5900 is the correct port and assuming that it uses tcp not udp).
    HTH
    Rick

  • Configuring Access List

    I have the following configuration in the msfc of a catalyst 6509:
    interface Vlan5
    description Vlan Medidores Electricos
    ip address 172.23.60.1 255.255.255.0
    no ip unreachables
    no ip directed-broadcast
    interface Vlan1
    description Vlan Usuarios Pz-Jose
    ip address 172.23.8.1 255.255.252.0
    no ip unreachables
    no ip directed-broadcast
    In the subnet 172.23.8.0/22 I have the server 172.23.11.3 and in the subnet 172.23.60.0/24 I have meters of electricity.
    I have the following request: The hosts active of the subnet 172.23.60.0/24 alone should have access to server 172.23.11.3, and alone the server 172.23.11.3 should have access to the hosts active of the network 172.23.60.0/24.
    I think to carry out the following configuration:
    interface Vlan5
    description Vlan Medidores Electricos
    ip address 172.23.60.1 255.255.255.0
    ip access-group 103 in
    no ip unreachables
    no ip directed-broadcast
    interface Vlan1
    description Vlan Usuarios Pz-Jose
    ip address 172.23.8.1 255.255.252.0
    no ip unreachables
    no ip directed-broadcast
    access-list 103 permit ip host 172.23.60.2 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.3 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.4 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.5 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.6 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.7 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.8 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.9 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.10 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.11 host 172.23.11.3
    access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.255
    access-list 103 deny any any
    Is it correct?
    Any recommendation?

    I don't believe your source/destination address logic matches your access-group 3 in statement. Your configuration states inbound traffic on interface VLAN 5 sourced as 172.23.60.x destined for 172.23.11.3 is allowed. Using Leo's recommendations I suggest you reverse source and destination address.
    access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.15
    Interface Vlan5
    ip access-group 3 in
    HTH,
    Ryan

  • Applying access-list to 2950 ethernet port

    When applying the following access list to port 22 on my 2950 I get the following message:
    access-list 101 permit tcp host 192.168.31.250 any eq www
    access-list 101 permit tcp host 192.168.31.250 any eq 443
    access-list 101 permit tcp host 192.168.31.250 any eq domain
    access-list 101 permit tcp host 192.168.31.250 any established
    access-list 101 deny ip any any
    crete-sw01(config-if)#ip access-group 101 in
    %Error: Access-list with 'TCP flags' keyword is not supported on Ethernet Interface.
    Please refer to the Software Configuration Guide for all the supported keywords
    Is it possible to get around this?

    Hello Andy,
    My mistake, it looks like the 2950 does not accept the 'established' keyword...
    I guess you need to apply the access list inbound to the Ethernet interface on your router.
    Cisco 2950 Switches
    Configuring Network Security with ACLs
    Unsupported Features
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swacl.htm#wp1043901
    Regards,
    GP

  • Access list to permit outbound VPN?

    We have the following ACL assigned to WAN port of our Cisco 831:
    access-list 111 permit tcp any any established
    access-list 111 permit tcp host [*remote private ip snipped*] any eq telnet
    access-list 111 permit esp any any
    access-list 111 permit ahp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit gre any any
    access-list 111 permit udp any eq isakmp any
    access-list 111 permit udp any eq non500-isakmp any
    access-list 111 permit udp any eq domain any
    access-list 111 permit udp any eq 21068 any
    access-list 111 permit tcp any any eq smtp
    access-list 111 permit tcp any any eq 3389
    access-list 111 permit tcp any any eq 3390
    access-list 111 permit tcp any any eq 143
    access-list 111 permit tcp any any eq 443
    access-list 111 permit tcp any any eq pop3
    access-list 111 deny ip any any
    Should that allow a host on the LAN to access a remote VPN connection (using Cisco VPN client)? Is anything else needed?
    Router is running 12.3(8), already supporting inbound Cisco client connections and one remote LAN-to-LAN VPN.

    I have a few questions:
    Are you sure that this is outbound, and not inbound on the WAN interface?
    The thing that needs to be identified is which flavor of IPSEC you are using in the client. Standard IPSEC and IPSEC over UDP do not work well unless they have a 1-for-1 NAT translation. IPSEC over TCP usually works if you are doing PAT'ing of some sort. If the VPN device on the other end can support IPSEC over TCP (Concentrator or PIX/ASA running 7.x) then set the client to use IPSEC over TCP.

  • How to specify target host in Access-list on 1700 router

    I want to be able to specify the target host on an access list, and when I try to enter the IP and subnet mask I get a weird result. This is on a 1700 router. I type: access-list 100 permit tcp any XXX.XXX.XXX.XXX 255.255.255.248 eq smtp where XXX.XXX.XXX.XXX is a public IP of a virtual email server on my inside.
    I get:
    access-list 100 permit tcp any 0.0.0.2 255.255.255.248 eq smtp
    Why does XXX.XXX.XXX.XXX get interpreted as 0.0.0.2?
    Thanks,
    Dave

    Dave,
    The address got converted to 0.0.0.2 because you used a subnet mask (255.255.255.248) where you should have used a wildcard mask (0.0.0.7).
    Regardless of what the network portion of the address was, when the router sees "255" in any position in the wildcard mask, it interprets that as "it really doesn't matter what number is in this part of the IP address". So it corrects your notation and replaces that part of the IP address with the placeholder "0".
    The fact that it put a ".2" at the end of the address indicates that the binary pattern of whatever XXX.XXX.XXX.XXX was ended in "010". The last octet was one of the numbers in this sequence: .2, .10, .18, ... (increments of 8), .114, or .122. The "248" in the last part of your wildcard mask told the router "it doesn't matter what number's here, as long as the last three binary bits match". The router just simplified the last .XXX you entered to the smallest number that had a matching binary pattern; in this case it was ".2".
    Something to remember: Use subnet masks for static routes and interface addressing; and wildcard masks for ACLs.
    The easiest way to calculate the wildcard mask you want, if you're used to seeing things in subnet mask format, is to subtract the subnet mask from 255.255.255.255. For example:
    255.255.255.255
    -255.255.255.248 (subnet mask)
    0.0.0.7 (wildcard mask)
    If you want to specify a single host address rather than a masked range of addresses, use the notation "host XXX.XXX.XXX.XXX". If you use the notation "XXX.XXX.XXX.XXX 0.0.0.0" where 0.0.0.0 is the wildcard mask, the router will convert it to "host XXX.XXX.XXX.XXX". (Go ahead, try it and see.)
    Similarly, if you want to specify all host addresses, use "any" as you have already done; or you can try "0.0.0.0 255.255.255.255" and the router will convert it to "any" for you. (Try this one too.)
    Check out the useful IP Subnet Calculator download at http://www.Boson.com -- it's free:
    Wildcard Mask Checker & Decimal-to-IP Calculator
    a neat little utility to check what your wildcard mask actually matches, and, converts from Decimal to IP address format.
    http://www.boson.com/promo/utilities.htm
    Hope this helps.
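The reply above describes two things the router does silently: it zeroes every address bit that the wildcard marks as don't-care (so an address entered with a subnet mask in the wildcard position collapses to something like 0.0.0.2), and it rewrites "A.B.C.D 0.0.0.0" to "host A.B.C.D" and "0.0.0.0 255.255.255.255" to "any". The following is an added example, not code from the original thread, that reproduces that normalisation in Python, derives the wildcard from a subnet mask by the 255.255.255.255 subtraction the reply recommends, and lists which last-octet values the mistaken entry actually matches. The address 203.0.113.18 is a constructed placeholder for the poster's XXX.XXX.XXX.XXX, chosen because its last octet ends in the binary pattern 010.

```python
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet.
    On 32 bits that is simply the bitwise complement of the mask."""
    return int_to_ip(0xFFFFFFFF ^ ip_to_int(subnet_mask))


def normalize(addr: str, wildcard: str) -> str:
    """What IOS stores for 'addr wildcard': every bit the wildcard ignores
    (a 1 bit) is replaced by 0, leaving only the bits that must match."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return int_to_ip(ip_to_int(addr) & care)


def render_entry(addr: str, wildcard: str) -> str:
    """Render the address part of an ACL entry the way the router echoes it back."""
    if wildcard == "0.0.0.0":
        return f"host {addr}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{normalize(addr, wildcard)} {wildcard}"


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr falls inside the entry 'base wildcard'."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def matching_last_octets(base: str, wildcard: str, prefix: str = "203.0.113"):
    """Last-octet values 0..255 (on a constructed /24) matched by an entry.
    For '0.0.0.2 255.255.255.248' this is every octet ending in binary 010."""
    return [o for o in range(256) if matches(f"{prefix}.{o}", base, wildcard)]


# Constructed placeholder for the poster's XXX.XXX.XXX.XXX (assumption).
SERVER = "203.0.113.18"
SUBNET_MASK = "255.255.255.248"


def demo():
    """Return the router's view of the mistaken entry, the intended one,
    and the host/any shorthand conversions, as a dict."""
    wrong_wildcard = SUBNET_MASK                    # subnet mask typed where a wildcard belongs
    right_wildcard = subnet_to_wildcard(SUBNET_MASK)  # 0.0.0.7
    return {
        "wildcard": right_wildcard,
        "as_typed": render_entry(SERVER, wrong_wildcard),      # '0.0.0.2 255.255.255.248'
        "intended": render_entry(SERVER, right_wildcard),      # '203.0.113.16 0.0.0.7'
        "single_host": render_entry(SERVER, "0.0.0.0"),        # 'host 203.0.113.18'
        "everything": render_entry("0.0.0.0", "255.255.255.255"),  # 'any'
        "octets_hit": matching_last_octets("0.0.0.2", wrong_wildcard),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12}: {value}")
```

The `octets_hit` list is the practical check: the entry the router accepted does not describe one /29 at all, it matches any address anywhere whose last three bits are 010, which is 32 values per /24. Running `normalize` on a proposed entry before committing it is a cheap way to confirm the ACL says what you meant.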

  • Router NAT IP block using Access List

    Hi All
       Strange issue we have here. First time I've come across this.
       Question: Is it possible to use an access-list on a NAT IP address on a Cisco router? For example, say we have our internal mail server 192.168.1.5 and it's NATed to the outside on port 25 say to 222.1.1.5. Is there a way to apply an access list to this external IP so that only certain outside users can get to this server using port 25??
    Thanks all!

    Anyone?

  • ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

    Hi All,
    I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
    access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
    Is it matching the egress interface or what?

    Use the interface name rather than IP address to match traffic based on which interface is the source or destination of the traffic. You must specify the interface keyword instead of specifying the actual IP address in the ACL when the traffic source is a device interface. For example, you can use this option to block certain remote IP addresses from initiating a VPN session to the ASA by blocking ISAKMP. Any traffic originated from or destined to the ASA itself requires that you use the access-group command with the control-plane keyword.

  • Access list issues

    Hello,
    There has been an access list in place where I work since well before I arrived and it doesn't quite work. I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what it was designed to do: block or "quarantine" devices so they are forced to update their systems with patches. It is also used to help in the baselining of PCs.
    The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the pcs to go to our server and get the latest patches but as a part of the baselining process, all machines have a policy that is pushed to them that maps a share drive.  This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it.  I've tried changing the permit ip statement to permit tcp but that just hoses the pc up and they get a "general failure" when trying to ping the share drive.
    Here is access list:
    ip access-list extended Quarantine_IN_L1
    permit icmp any any
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit udp any any eq domain
    permit tcp any eq 3389 any
    permit ip any host x.x.x.x (baseline server)
    permit ip any host x.x.x.x (share drive)
    permit ip any host x.x.x.x (domain controller)
    permit ip any host x.x.x.x (domain controller)
    ip access-list extended Quarantine_Out_L1
    permit icmp any any
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit udp any any eq domain
    permit tcp any any eq 3389
    permit ip host (baseline server) any
    permit ip host (share drive) any
    permit ip host (domain controller) any
    permit ip host (domain controller) any
    As I said, I tried changing the permit ip host (baseline server) any and ip  any host (baseline server) to permit tcp statements.  That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements.  That also didn't work.
    Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
    Thanks,
    Kiley

    Paul,
    When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL.  I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume.  The ACL is applied to the L3 interface for baselining:
    int vlan 500
    description BASELINE VLAN
    ip address x.x.x.x x.x.x.x
    ip access-group Quarantine_IN_L1 in
    ip access-group Quarantine_Out_L1 out
    ip helper-address x.x.x.x
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    Thanks,
    Kiley
