How to block certain web sites

How can I block specific web sites from being viewed? I am using a 4500m router between my internal network and the internet. I have tried using ACLs but can't seem to get them to work correctly. Any help will be greatly appreciated.
Reply to
NextLevel

Hi,

I have done this on PIX.

Use the following commands:

access-list outbound deny tcp any host 203.199.76.46 eq www (with this access-list you deny any TCP packet from inside to the website hosted on 203.199.76.46 at port www (80))

access-group outbound in interface inside (then apply this access rule on the inside interface)

Hope this will work.

Chetan

CK-NET

"people says i am wrong,what can i say blood says itself B+"

Reply to
NETADMIN

Does not seem to work. I have applied as you suggested but it blocks all www traffic.

Reply to
NextLevel

You will need to add a permit any statement below the deny statement.

If this doesn't work, post a sanitised config.

-Wil


Reply to
Wil

Hi,

You have to give the command access-list outbound permit ip any any at the end of the access list.

Try this; waiting for your response.

CK-NET

Reply to
NETADMIN

I'll give that a try this evening. Thanks for the help. I am still learning the access-list features of Cisco IOS. It will sink in eventually!

Reply to
NextLevel

One more question: say I want to block a range of addresses. Can I just put, say, 203.216.30.0 to block 203.216.30.1 through 255?

Reply to
NextLevel

For blocking a range of addresses you have to give the following command:

access-list outbound deny tcp any host 203.216.30.0 255.255.255.0 eq www

Hope this will work.

Do tell us if this helps.

CK-NET "B+"

Reply to
NETADMIN

The OP indicated that the equipment is a 4500 series with IOS. The above ACL would work on a PIX but not under IOS:

a) IOS only allows named access lists in the extended format that puts the individual entries on the lines below -without- the 'access-list' prefix;

b) Under IOS, wildcard bits are used instead of selection bits.

c) 'host' and a netmask cannot be used together for the same item.

Thus the appropriate entry would look something like

access-list 101 deny tcp any 203.216.30.0 0.0.0.255 eq www

Reply to
Walter Roberson

Thanks Walter for correcting me.

It's true that my access list will work on PIX and the access list given by you will work on the 4500m with IOS.

I checked it.

CK-NET

Reply to
NETADMIN

Not quite. You had

access-list outbound deny tcp any host 203.216.30.0 255.255.255.0 eq www

which will not work on the PIX because of the extra 'host' keyword.

Reply to
Walter Roberson

Thanks, gentlemen. I figured for the router I would use the extended ACL. I think the only thing I forgot was the permit any any at the end of the ACL. I will try this when I get home this evening and post the result. Again, thank you both.

Reply to
NextLevel

Ok, this is what I have in the config:

interface Ethernet2
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 out
 ip nat inside
 no ip mroute-cache
 media-type auto-select

access-list 101 deny tcp any 63.208.226.0 0.0.0.255 eq www
access-list 101 permit ip any any

It is still allowing all packets to pass. I am not sure what I am doing wrong but I need to figure this out. Like I mentioned before, I am still learning ACLs, so please bear with me on this. So far you guys have been a great help. Please keep it coming....

Reply to
NextLevel

This is the inside interface, you should apply it as "in" instead of "out". Or better yet, apply the ACL to the outside interface as "out".

Keep in mind that all traffic exiting this interface will be on the 192.168.1.X subnet.

-Wil


Reply to
Wil

That did the trick. I do not know why I was applying the ACL out on the inside interface. Well, I learned a lot from you all. Thank you very much.


Reply to
NextLevel
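A small evaluator for the three ACL rules this thread turns on (first match wins, IOS wildcard bits, and the implicit deny that made the first attempt block everything), added here as an illustration and not posted by anyone in the thread. ACL 101 is copied from NextLevel's config; the packet tuple and the evaluate() function are my own simplification, and interface direction (the in/out mistake Wil caught) is not modelled.

```python
import ipaddress

# ACL 101 exactly as posted in the thread, in its working form.
ACL_101 = [
    "access-list 101 deny tcp any 63.208.226.0 0.0.0.255 eq www",
    "access-list 101 permit ip any any",
]

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse one numbered extended ACE into (action, proto, src, dst, dport).
    Addresses become (base, wildcard); an IOS wildcard is the inverse of a
    subnet mask: 0 bits must match, 1 bits are ignored. Only a destination
    'eq <port>' is modelled, which is all the thread uses."""
    tok = line.split()
    action, proto, pos = tok[2], tok[3], 4

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":          # any == 0.0.0.0 255.255.255.255
            pos += 1
            return 0, 0xFFFFFFFF
        if tok[pos] == "host":         # host X == X 0.0.0.0 (no mask allowed)
            pos += 2
            return ip_to_int(tok[pos - 1]), 0
        pos += 2                       # "<address> <wildcard>" pair
        return ip_to_int(tok[pos - 2]), ip_to_int(tok[pos - 1])

    src, dst = take_addr(), take_addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = {"www": 80}.get(tok[pos + 1]) or int(tok[pos + 1])
    return action, proto, src, dst, dport

def addr_matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # the bits the ACE actually tests
    return (ip_to_int(addr) & care) == (base & care)

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        action, aproto, asrc, adst, aport = parse_ace(line)
        if aproto in ("ip", proto) and addr_matches(src, asrc) \
                and addr_matches(dst, adst) and aport in (None, dport):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL
```

Running evaluate() over ACL_101[:1] (the deny line alone) returns "deny" for every packet, which is the "blocks all traffic" symptom reported mid-thread.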

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.