ACL Help - 1721 - Restricting Indiv. IP's Outbound


jlancton (MIS), Jul 26, 2001:
Hello,

I need to restrict access TO the Internet for individual users. What commands do I put in the ACL to block an individual IP from getting to the net, but allow them access to local network resources?

Thanks!!

-Jeff
 
access-list 151 permit ip host h.h.h.h x.x.x.x w.w.w.w
access-list 151 deny ip any any

On the interface:
ip access-group 151 in

Use your network address and wildcard mask for the x.x.x.x and w.w.w.w. Remember, you can deny by not permitting so in this case permitting traffic only to your network will deny traffic to the net.

HTH
 
So instead of permitting all hosts out and denying a specific one, we should deny all and permit specific ones... Do I understand correctly?

Thanks!

-Jeff
 
Normally, yes. But if you want to block a specific IP, and you know that address won't change (it's a server, or the user can't change it), then I'd block it only. It's always a good idea to permit only your network outbound, though.

access-list 101 deny ip host x.x.x.x any
access-list 101 permit ip <lan_net> <lan_mask> any
access-list 101 deny ip any any

The "deny ip any any" is optional, but I like to include it as a reminder.

Depending upon your topology, it might make more sense to apply this to the external i/f as an outbound ACL.
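Added example, not code from the thread: a small Python evaluator for extended IP access-list lines of the form used in the replies above. It applies the IOS rules that matter here, first match wins, a 0 bit in the wildcard mask means "must match" and a 1 bit means "don't care", and every list ends with an implicit deny. The LAN 192.168.1.0 0.0.0.255, the restricted host 192.168.1.50 and the sample destinations are assumed values standing in for the placeholders in the posts.

```python
import ipaddress

# Constructed sample values for the placeholders used in the thread (assumptions).
LAN_NET, LAN_WILD = "192.168.1.0", "0.0.0.255"
BLOCKED_HOST = "192.168.1.50"

# First reply, with h.h.h.h / x.x.x.x w.w.w.w filled in.
ACL_151 = [
    f"access-list 151 permit ip host {BLOCKED_HOST} {LAN_NET} {LAN_WILD}",
    "access-list 151 deny ip any any",
]

# Second reply, with x.x.x.x / <lan_net> <lan_mask> filled in.
ACL_101 = [
    f"access-list 101 deny ip host {BLOCKED_HOST} any",
    f"access-list 101 permit ip {LAN_NET} {LAN_WILD} any",
    "access-list 101 deny ip any any",
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: compare only the bits where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip <src> <dst>' into (action, src, dst)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tok[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    src, rest = _parse_addr(tok[4:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return action, src, dst


def evaluate(acl_lines, src, dst):
    """Return 'permit' or 'deny' for a src->dst flow: first matching ACE wins."""
    for action, (sb, sw), (db, dw) in map(parse_ace, acl_lines):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"  # implicit deny at the end of every IOS access list


# Constructed flows: blocked host, another LAN host, and a non-LAN source,
# each toward an Internet address and toward a LAN address.
FLOWS = [
    (BLOCKED_HOST, "8.8.8.8"),
    (BLOCKED_HOST, "192.168.1.10"),
    ("192.168.1.51", "8.8.8.8"),
    ("192.168.1.51", "192.168.1.10"),
    ("10.9.9.9", "8.8.8.8"),
]


def decisions(acl_lines):
    """Evaluate every sample flow against one list; returns {(src, dst): action}."""
    return {(s, d): evaluate(acl_lines, s, d) for s, d in FLOWS}


if __name__ == "__main__":
    for name, acl in (("151", ACL_151), ("101", ACL_101)):
        print(f"access-list {name}")
        for (s, d), action in decisions(acl).items():
            print(f"  {s:>14} -> {d:<14} {action}")
```

Two things worth checking with it. With list 101 the flow 192.168.1.50 to 192.168.1.10 is also denied, because the host deny is matched before anything else; that is the reason the interface placement in the last reply matters: applied outbound on the external interface, only traffic leaving toward the Internet is ever evaluated, while applied inbound on the LAN interface it would also catch traffic the router forwards between internal segments. And dropping the trailing "deny ip any any" from either list changes no result, since the implicit deny produces the same decision.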
 