Re: blocking an ip address

Discussion in 'Cisco' started by Trendkill, Jul 12, 2009.

  1. Trendkill

    Trendkill Guest

    On Jul 12, 10:29 am, "tg" <> wrote:
    > cisco 2651XM router
    > IOS: c2600-adventerprisek9-mz.124-15.T8.bin
    >
    > I know that to block an ip address it's:
    > access-list <number> deny ip any host <blo.ck.ed.ip>
    >
    > and then on the outside interface it's:
    > ip access-group <number> out
    >
    > this works for blocking my access to <blo.ck.ed.ip> but would this config
    > stop an outside hacker at <blo.ck.ed.ip> from getting in?


    Yes and no. Yes because the return traffic would not be allowed, but
    the proper way to address this is to configure an access-list that
    filters on source IP address, and apply it 'IN' on the external
    interface (not out). That way, when traffic arrives on that interface
    from the blocked IP address, it will be discarded and will never enter
    your network.
     
    Trendkill, Jul 12, 2009
    #1

  2. Rob

    Rob Guest

    tg <> wrote:
    > thanks for your feedback trendk. I've included:
    > ip access-group <number> in
    > on my outside interface now as well.


    You cannot use the same access-group for output and input because
    all rules need to be reversed.
     
    Rob, Jul 12, 2009
    #2

  3. Trendkill

    Trendkill Guest

    On Jul 12, 1:26 pm, Rob <> wrote:
    > tg <> wrote:
    > > thanks for your feedback trendk. I've included:
    > > ip access-group <number> in
    > > on my outside interface now as well.

    >
    > You cannot use the same access-group for output and input because
    > all rules need to be reversed.


    Right, I don't have a router handy at this moment, but for the 'IN'
    rule, it should be 'deny ip host <a.b.c.d> any', whereas for an 'OUT'
    ACL, it will be deny ip any host <a.b.c.d>. Again, I might be
    slightly off on syntax, but '?' will help you through the process....
     
    Trendkill, Jul 12, 2009
    #3
  4. Trendkill

    Trendkill Guest

    On Jul 12, 3:55 pm, "tg" <> wrote:
    > "Trendkill" <> wrote in message
    >
    > news:...
    > On Jul 12, 1:26 pm, Rob <> wrote:
    >
    > > tg <> wrote:
    > > > thanks for your feedback trendk. I've included:
    > > > ip access-group <number> in
    > > > on my outside interface now as well.

    >
    > > You cannot use the same access-group for output and input because
    > > all rules need to be reversed.

    >
    > Right, I don't have a router handy at this moment, but for the 'IN'
    > rule, it should be 'deny ip host <a.b.c.d> any', whereas for an 'OUT'
    > ACL, it will be deny ip any host <a.b.c.d>.  Again, I might be
    > slightly off on syntax, but '?' will help you through the process....
    > -------------------
    >
    > oh no you're kidding me.
    > Naive of me to think this would be straightforward.


    Yes, ACLs are not the most straightforward, but you'll get the hang
    quickly. Just have to think of interfaces as 2 individual 1-way
    pipes. When you apply an ACL on the IN pipe, you must filter by
    source address from the external world or destination address inside
    your network. When you apply an ACL on the OUT pipe, you must do the
    opposite since the source is now inside and the destination is now
    outside. The general rule of thumb is to filter at the closest
    interface (IN in this case). This will definitely get more
    complicated when you are dealing with ACLs inside your own network
    (vlan interfaces on the same router as an example), as the 'outside'
    and 'inside' become blurred. But still the same premise...understand
    traffic flow (originator/source vs. acceptor/destination, and how they
    flip-flop on return traffic), and then think of it in terms of the two
    pipes.
     
    Trendkill, Jul 13, 2009
    #4
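The two approaches from this thread side by side, as an added example (not configuration posted by anyone in the thread). It assumes FastEthernet0/0 is the outside interface, that 203.0.113.45 (a documentation placeholder) is the host to block, and uses an assumed ACL number and name; it follows the source-vs-destination point in post #3 and the "two one-way pipes" explanation in post #4, in IOS 12.4 extended-ACL syntax:

```cisco
! Added example (not from the thread). Assumed: FastEthernet0/0 faces the
! ISP, FastEthernet0/1 faces the LAN, and 203.0.113.45 (a documentation
! placeholder address) is the host to block. IOS 12.4 extended-ACL syntax.
!
! (1) What the original question did: filter on DESTINATION, applied OUT
!     on the outside interface. This stops packets the router sends toward
!     the host (your users' connections to it, and your replies to it).
!     The host's own packets still arrive through Fa0/0 and are forwarded
!     inside; only the answers are dropped.
access-list 101 deny   ip any host 203.0.113.45
access-list 101 permit ip any any
!
! (2) What actually keeps the host out: filter on SOURCE, applied IN on
!     the outside interface, so its packets are discarded on arrival.
!     The two deny entries are mirror images of each other, which is why
!     one list written for one direction does not do the job in the other.
ip access-list extended OUTSIDE-IN
 deny   ip host 203.0.113.45 any log
 permit ip any any
!
! Every IOS ACL ends in an implicit "deny ip any any". Without the
! "permit ip any any" lines above, applying either list would cut off
! all traffic on the interface, not just the one host.
!
interface FastEthernet0/0
 description Outside (ISP)
 ip access-group OUTSIDE-IN in
 ip access-group 101 out
!
! Verification (exec mode): the deny entry's hit counter increments as
! the host's packets are dropped, the interface shows both lists, and the
! "log" keyword produces a syslog line per matching flow.
!   show ip access-lists OUTSIDE-IN
!   show ip interface FastEthernet0/0 | include access list
!   show logging | include 203.0.113.45
```

To block a whole range rather than one host, replace `host 203.0.113.45` with a network and wildcard mask, for example `deny ip 203.0.113.0 0.0.0.255 any`; the direction rule is unchanged. The `log` keyword is useful while confirming the entry matches, but each logged packet costs CPU on a 2600-class router, so drop it once the counters show the list is working.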
  5. bod43

    bod43 Guest

    On 13 July, 16:54, Trendkill <> wrote:
    > On Jul 12, 3:55 pm, "tg" <> wrote:
    >
    >
    >
    > > "Trendkill" <> wrote in message

    >
    > >news:....
    > > On Jul 12, 1:26 pm, Rob <> wrote:

    >
    > > > tg <> wrote:
    > > > > thanks for your feedback trendk. I've included:
    > > > > ip access-group <number> in
    > > > > on my outside interface now as well.

    >
    > > > You cannot use the same access-group for output and input because
    > > > all rules need to be reversed.

    >
    > > Right, I don't have a router handy at this moment, but for the 'IN'
    > > rule, it should be 'deny ip host <a.b.c.d> any', whereas for an 'OUT'
    > > ACL, it will be deny ip any host <a.b.c.d>.  Again, I might be
    > > slightly off on syntax, but '?' will help you through the process....
    > > -------------------

    >
    > > oh no you're kidding me.
    > > Naive of me to think this would be straightforward.

    >
    > Yes, ACLs are not the most straightforward, but you'll get the hang
    > quickly.  Just have to think of interfaces as 2 individual 1-way


    Well it is straightforward. In the sense that a red traffic light
    means stop and a green one means proceed with caution. If someone was
    to approach that problem with the view - well that's too tough,
    just tell me what to do if I see a light - then of course there is
    no satisfactory solution.

    Have a look at the information already provided, read the
    documentation and please ask questions if you are having
    problems.

    :)

    http://www.cisco.com/en/US/docs/ios...ne_support_TSD_Island_of_Content_Chapter.html

    Looks like a decent place to start.

    This was the top hit of a search on www.cisco.com with
    [access-list configuration guide 12.4] in the search box.
    (without the [], obviously).

    There are two "manuals". The Configuration Guide and the Command
    Reference. The current software release is 12.4.

    It is as tough as you want it to be.

    Have fun.
     
    bod43, Jul 14, 2009
    #5