4 Replies Latest reply on Jun 13, 2013 1:51 PM by yage

    Block ACL Issues

    yage New Member

      Hi -

      I am trying to block some users from connecting to a TeamSpeak server.  I have created an ACL in the private policy class and tried everything from blocking the IP outright, to blocking all the TeamSpeak ports.  I have placed this rule above everything else in the private class, and used policy action discard.  It would appear no matter what I try I cannot prevent users from connecting.  What am I missing?

      TeamSpeak Host: xx.78.241.230

      Extended IP access list web-acl-70
          remark TeamSpeak
          deny   ip any  host xx.78.241.230    log (5 matches)
          deny   udp any  any eq 8766   log (0 matches)
          deny   udp any  any eq 8767   log (0 matches)

      Thanks

      Message was edited by: noor Removed public IP information

        • Re: Block ACL Issues
          Employee

          yage - Thanks for posting your question on the forum!

          Could you reply to this post with the configuration for us to review?  Please remember to remove any sensitive information. There are several ways to configure this, but it would be easier to explain within the context of your configuration if we could take a look.

          Please do not hesitate to let us know if you have any questions.

          Thanks,

          Noor

            • Re: Block ACL Issues
              yage New Member

              Hey Noor -

              Sure, please see the attached 4430.conf.

                • Re: Block ACL Issues
                  Employee

                  yage - I noticed that in the access-policy, the statement is this:

                  ip policy-class Private
                    discard list web-acl-70
                    allow list self self
                    nat source list wizard-ics interface gigabit-ethernet 0/1 overload

                  Since you are using the "discard" action, your ACL will need to be configured so that the hosts that you want to allow to connect to the TeamSpeak server are 'denied', while the users you want to block are 'permitted'. I realize this sounds counterintuitive, but since you used the "discard" action, the router will take that action on traffic "permitted" by the ACL you referenced. For example, if you only wanted host 192.168.1.1 to access the TeamSpeak server from the LAN, then your ACL would look like this:

                  ip access-list extended web-acl-70
                    deny ip host 192.168.1.1 host xx.78.241.230
                    permit ip any host xx.78.241.230

                  This would allow 192.168.1.1 to access the server but block all other users from accessing that IP.

                  I hope that answers your question, but please do not hesitate to let us know if you have any further questions.

                  Thanks,

                  Noor
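
The permit-selects/deny-exempts behaviour Noor describes, as an added Python simulation that is not part of the thread or of ADTRAN's code: it models a policy class whose entries consult an ACL in order, applies the entry's action only to packets the list "permits", and shows why the all-deny web-acl-70 never discarded anything while the corrected list does. The TeamSpeak address, the NAT list contents, and the implicit-discard default for unmatched traffic are assumptions.

```python
# Added simulation of how an AOS policy-class entry consults its ACL (assumed
# model built from the thread, not ADTRAN code): a "permit" line selects the
# packet for the entry's action, a "deny" line exempts it, the list ends in an
# implicit deny, and the first policy entry whose list selects the packet wins;
# a packet no entry selects is discarded (assumed default).
from ipaddress import ip_address, ip_network

TS_HOST = "203.0.113.230"  # constructed placeholder for the redacted TeamSpeak host

def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def acl_selects(acl, pkt):
    """True when the ACL 'permits' pkt, i.e. the policy action will apply to it."""
    for verdict, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return verdict == "permit"
    return False  # implicit deny at the end of the list: not selected

def policy_decision(policy, pkt):
    """Walk the policy-class entries in order; the first list that selects pkt decides."""
    for action, acl in policy:
        if acl_selects(acl, pkt):
            return action
    return "discard"

# web-acl-70 as first posted: only deny lines, so it never selects a packet.
ACL_ORIGINAL = [
    ("deny", "ip", "any", TS_HOST, None),
    ("deny", "udp", "any", "any", 8766),
    ("deny", "udp", "any", "any", 8767),
]
# web-acl-70 as corrected in the answer: exempt one LAN host, select all others.
ACL_FIXED = [
    ("deny", "ip", "192.168.1.1", TS_HOST, None),
    ("permit", "ip", "any", TS_HOST, None),
]
WIZARD_ICS = [("permit", "ip", "any", "any", None)]  # assumed: NAT list matches all LAN traffic

def private_policy(web_acl):
    """Mirror the Private class from the thread: discard list, then the NAT entry."""
    return [("discard", web_acl), ("nat", WIZARD_ICS)]

def lan_client(src, dport=8767):
    """Constructed UDP packet from a LAN host to the TeamSpeak server."""
    return {"proto": "udp", "src": src, "dst": TS_HOST, "dport": dport}
```

With the original list every LAN packet falls through to the NAT entry and is forwarded; with the corrected list only 192.168.1.1 reaches the server.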

                    • Re: Block ACL Issues
                      yage New Member

                      Thanks Noor - that did the trick.

                      It makes sense; if I used policy action allow I would then deny ip any host xx.78.241.230.

                      I marked your answer as Correct.

                      Regards,

                      -Yage