extended access lists

[CCNEH]

Hi this is the config I'm using to try and restrict remote users perusing the net without authenticating first.

interface FastEthernet0
ip address 192.168.4.1 255.255.255.0
ip access-group 101 in
ip access-group 101 out
speed auto
no cdp enable

access-list 101 deny tcp any any eq 8080
access-list 101 deny udp any any range netbios-ns netbios-ss
access-list 101 deny tcp any any range 137 139
access-list 101 permit ip any any

However, it doesn't work.

Can anyone help?

Thanks,
steven

 

[ChrisAC]

More information please? What 'remote users'? Internet users? Users via a WAN connection? What's on FastEthernet0? What are you trying to deny?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[CCNEH]

Any remote users trying to connect to the proxy server at the main site to gain internet access rather than logging in through citrix.

Users via various links, Les, serial, isdn.

I'm trying to stop internet access by opening internet explorer and browsing locally from there machien rather than logging into a citrix server first.

Thanks,
steven

 

[gaveeve]

Steven, I think you want to authenticate your users with cisco authentication which can use tacacs or a radius server(don't know whether your citrix server will conform). I don't believe the access list is going to do it. Here is a good link to start

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm