Blocking an IP address

Cisco 2651XM router, IOS: c2600-adventerprisek9-mz.124-15.T8.bin

I know that to block an IP address it's: access-list deny ip any host

and then on the outside interface it's: ip access-group out

This works for blocking my access to , but would this config stop an outside hacker at from getting in?

Reply to
tg

Yes and no. Yes because the return traffic would not be allowed, but the proper way to address this is to configure an access-list that filters on source IP address, and apply it 'IN' on the external interface (not out). That way, when traffic arrives on that interface from the blocked IP address, it will be discarded and will never enter your network.

Reply to
Trendkill


Thanks for your feedback, trendk. I've included: ip access-group in on my outside interface now as well.

Reply to
tg

You cannot use the same access-group for output and input because all rules need to be reversed.

Reply to
Rob

Right, I don't have a router handy at this moment, but for the 'IN' rule, it should be 'deny ip host any', whereas for an 'OUT' ACL, it will be 'deny ip any host'. Again, I might be slightly off on syntax, but '?' will help you through the process....

Reply to
Trendkill


Oh no, you're kidding me. Naive of me to think this would be straightforward.

Reply to
tg

Yes, ACLs are not the most straightforward, but you'll get the hang of it quickly. Just have to think of interfaces as 2 individual 1-way pipes. When you apply an ACL on the IN pipe, you must filter by source address from the external world or destination address inside your network. When you apply an ACL on the OUT pipe, you must do the opposite, since the source is now inside and the destination is now outside. The general rule of thumb is to filter at the closest interface (IN in this case). This will definitely get more complicated when you are dealing with ACLs inside your own network (VLAN interfaces on the same router, as an example), as the 'outside' and 'inside' become blurred. But still the same premise... understand traffic flow (originator/source vs. acceptor/destination, and how they flip-flop on return traffic), and then think of it in terms of the two pipes.

Reply to
Trendkill
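Putting the original question and Trendkill's two-pipes explanation together, here is an added example (not configuration posted in this thread) showing the destination-based ACL applied OUT that the original poster started with next to the source-based ACL applied IN that actually drops the outside host's packets on arrival. The interface name FastEthernet0/0, the ACL names OUTSIDE-IN / OUTSIDE-OUT and the blocked address 203.0.113.45 (a documentation range) are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed: outside interface is
! FastEthernet0/0, the host to block is 203.0.113.45 (documentation address).
!
! 1) What the original poster had: a destination-based ACL applied OUT.
!    This only stops packets the router sends toward the blocked host (your own
!    sessions and your replies). The attacker's packets still enter the router.
ip access-list extended OUTSIDE-OUT
 remark OUT pipe: the blocked address is the destination
 deny   ip any host 203.0.113.45
 permit ip any any
!
! 2) What stops inbound traffic: a source-based ACL applied IN.
!    Packets from the blocked host are discarded as they arrive and never reach
!    the inside network. 'log' records each match to the console/syslog.
ip access-list extended OUTSIDE-IN
 remark IN pipe: the blocked address is the source
 deny   ip host 203.0.113.45 any log
 permit ip any any
!
interface FastEthernet0/0
 description Outside (ISP-facing)
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
!
! Verification from exec mode: the match counter on the deny line climbs as
! the host is dropped; the second command shows which ACL is bound in each
! direction on the interface.
! show access-lists OUTSIDE-IN
! show ip interface FastEthernet0/0 | include access list
```

Two caveats a practitioner would want: every IOS ACL ends in an implicit "deny ip any any", so the trailing "permit ip any any" is what keeps everything else flowing; leave it off the inbound ACL and you block all traffic entering from outside, including your own return traffic. And the numbered form from the first post works the same way once the direction is right: "access-list 101 deny ip host 203.0.113.45 any" followed by "access-list 101 permit ip any any", then "ip access-group 101 in" on the outside interface.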


Well, it is straightforward. In the sense that a red traffic light means stop and a green one means proceed with caution. If someone were to approach that problem with the view "well, that's too tough, just tell me what to do if I see a light", then of course there is no satisfactory solution.

Have a look at the information already provided, read the documentation, and please ask questions if you are having problems.

:-)

(link) Looks like a decent place to start.

This was the top hit of a search on (link) with [access-list configuration guide 12.4] in the search box (without the [], obviously).

There are two "manuals": the Configuration Guide and the Command Reference. The current software release is 12.4.

It is as tough as you want it to be.

Have fun.

Reply to
bod43

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.