yage
New Contributor II

Block ACL Issues

Hi -

I am trying to block some users from connecting to a TeamSpeak server.  I have created an ACL in the private policy class and tried everything from blocking the IP outright, to blocking all the TeamSpeak ports.  I have placed this rule above everything else in the private class, and used policy action discard.  It would appear no matter what I try I cannot prevent users from connecting.  What am I missing?

Teamspeak Host: xx.78.241.230

Extended IP access list web-acl-70
    remark TeamSpeak
    deny   ip any  host xx.78.241.230    log (5 matches)
    deny   udp any  any eq 8766   log (0 matches)
    deny   udp any  any eq 8767   log (0 matches)

Thanks

Message was edited by: noor
Removed public IP information

Anonymous
Not applicable

Re: Block ACL Issues

Thanks for posting your question on the forum!

Could you reply to this post with the configuration for us to review?  Please remember to remove any sensitive information. There are several ways to configure this, but it would be easier to explain within the context of your configuration if we could take a look.

Please do not hesitate to let us know if you have any questions.

Thanks,

Noor

yage
New Contributor II

Re: Block ACL Issues

Hey Noor -

Sure, please see the attached 4430.conf.

Anonymous
Not applicable

Re: Block ACL Issues

I noticed that in the access-policy, the statement is this:

ip policy-class Private
  discard list web-acl-70
  allow list self self
  nat source list wizard-ics interface gigabit-ethernet 0/1 overload

Since you are using the "discard" action, your ACL will need to be configured so that the hosts that you want to allow to connect to the TeamSpeak server are 'denied', while the users you want to block are 'permitted'. I realize this sounds counterintuitive, but since you used the "discard" action, the router will take that action on traffic "permitted" by the ACL you referenced. For example, if you only wanted host 192.168.1.1 to access the Teamspeak server from the LAN, then your ACL would look like such:

ip access-list extended web-acl-70
  deny ip host 192.168.1.1 host xx.78.241.230
  permit ip any host xx.78.241.230

This would allow 192.168.1.1 to access the server but block all other users from accessing that IP.

I hope that answers your question but please do not hesitate to let us know if you have any further questions.

Thanks,

Noor
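To make the "permit means match, deny means fall through" behaviour concrete, here is an added Python model of how the Private policy class consults its lists; it is not ADTRAN code and not part of this thread. It assumes the "self" list matches traffic to the router's own LAN address (taken as 192.168.1.254), that "wizard-ics" permits everything, that the end of a policy class discards unmatched traffic, and it uses 203.0.113.230 as a placeholder for the redacted TeamSpeak host.

```python
import ipaddress

TS_HOST = "203.0.113.230"      # placeholder for the redacted xx.78.241.230
ROUTER_LAN = "192.168.1.254"   # assumed router LAN address matched by the "self" list

def ace(action, proto="ip", src="any", dst="any", dport=None):
    """One access-list entry (ACE); src/dst are 'any', a host, or a CIDR."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _ip_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def ace_matches(e, pkt):
    return (e["proto"] in ("ip", pkt["proto"])
            and _ip_match(e["src"], pkt["src"]) and _ip_match(e["dst"], pkt["dst"])
            and (e["dport"] is None or e["dport"] == pkt["dport"]))

def acl_result(acl, pkt):
    """First matching ACE wins; a packet matching no ACE is implicitly denied."""
    for e in acl:
        if ace_matches(e, pkt):
            return e["action"]
    return "deny"

def policy_class(entries, acls, pkt):
    """Each policy entry applies its action only to traffic its ACL *permits*;
    traffic the ACL denies (or does not match) falls through to the next entry."""
    for action, acl_name in entries:
        if acl_result(acls[acl_name], pkt) == "permit":
            return action
    return "discard"   # assumed: a packet matching no entry is discarded at end of class

# The Private policy class from the thread: discard web-acl-70, allow self, NAT the rest.
PRIVATE = [("discard", "web-acl-70"), ("allow", "self"), ("nat", "wizard-ics")]
SELF_ACL = [ace("permit", "ip", "any", ROUTER_LAN)]   # assumed contents of "self"
WIZARD_ICS = [ace("permit", "ip", "any", "any")]      # assumed contents of "wizard-ics"

# The poster's original list (deny-only) and the corrected one from the accepted answer.
ORIGINAL_ACL = [ace("deny", "ip", "any", TS_HOST),
                ace("deny", "udp", "any", "any", 8766),
                ace("deny", "udp", "any", "any", 8767)]
FIXED_ACL = [ace("deny", "ip", "192.168.1.1", TS_HOST),
             ace("permit", "ip", "any", TS_HOST)]

def decide(web_acl, src, dst=TS_HOST, proto="udp", dport=8767):
    """Outcome for a constructed LAN packet under the Private class with web_acl installed."""
    acls = {"web-acl-70": web_acl, "self": SELF_ACL, "wizard-ics": WIZARD_ICS}
    return policy_class(PRIVATE, acls, {"proto": proto, "src": src, "dst": dst, "dport": dport})
```

With the deny-only list every LAN host falls through to the NAT entry and reaches the server (the ACL still logs the match, which is why the counter climbed while nothing was blocked); with the corrected list only 192.168.1.1 falls through and everyone else is discarded.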

yage
New Contributor II

Re: Block ACL Issues

Thanks Noor - that did the trick.

It makes sense; if I used policy action allow I would then deny ip any host xx.78.241.230.

I marked your answer as Correct

Regards,

-Yage