Hi -
I am trying to block some users from connecting to a TeamSpeak server. I have created an ACL in the private policy class and tried everything from blocking the IP outright to blocking all the TeamSpeak ports. I have placed this rule above everything else in the private class, and used policy action discard. It would appear no matter what I try I cannot prevent users from connecting. What am I missing?
Teamspeak Host: xx.78.241.230
Extended IP access list web-acl-70
  remark TeamSpeak
  deny ip any host xx.78.241.230 log (5 matches)
  deny udp any any eq 8766 log (0 matches)
  deny udp any any eq 8767 log (0 matches)
Thanks
Message was edited by: noor
Removed public IP information
- Thanks for posting your question on the forum!
Could you reply to this post with the configuration for us to review? Please remember to remove any sensitive information. There are several ways to configure this, but it would be easier to explain within the context of your configuration if we could take a look.
Please do not hesitate to let us know if you have any questions.
Thanks,
Noor
- I noticed that in the access-policy, the statement is this:
ip policy-class Private
  discard list web-acl-70
  allow list self self
  nat source list wizard-ics interface gigabit-ethernet 0/1 overload
Since you are using the "discard" action, your ACL will need to be configured so that the hosts that you want to allow to connect to the TeamSpeak server are 'denied', while the users you want to block are 'permitted'. I realize this sounds counterintuitive, but since you used the "discard" action, the router will take that action on traffic "permitted" by the ACL you referenced. For example, if you only wanted host 192.168.1.1 to access the TeamSpeak server from the LAN, then your ACL would look like this:
ip access-list extended web-acl-70
  deny ip host 192.168.1.1 host xx.78.241.230
  permit ip any host xx.78.241.230
This would allow 192.168.1.1 to access the server but block all other users from accessing that IP.
I hope that answers your question but please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
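The selection logic described in the answer above, as an added example that is not part of the original thread or the router vendor's code: a small Python model of a policy class in which an entry acts only on traffic its ACL permits. Assumptions: 203.0.113.230 is a constructed stand-in for the redacted server address, wizard-ics is taken to be "permit ip any any", traffic not selected by an entry falls through to the next one, unmatched traffic is discarded, and the "allow list self self" entry and the UDP port lines are left out.

```python
import ipaddress

TS_HOST = "203.0.113.230"   # constructed stand-in for the redacted xx.78.241.230
ANY = "0.0.0.0/0"
HOST = TS_HOST + "/32"

def acl_permits(acl, src, dst):
    """First-match lookup: True only when the first matching entry is 'permit'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False  # no entry matched: implicit deny

def policy_class(entries, acls, src, dst):
    """Return the action of the first policy entry whose ACL permits the packet."""
    for action, acl_name in entries:
        if acl_permits(acls[acl_name], src, dst):
            return action
    return "discard"  # assumed default when no entry selects the packet

# Policy class from the thread, reduced to the two entries that matter here.
PRIVATE = [("discard", "web-acl-70"), ("nat", "wizard-ics")]
WIZARD_ICS = [("permit", ANY, ANY)]  # assumed contents

# ACL as first posted: 'deny' means "not selected", so discard never fires.
ORIGINAL = {"web-acl-70": [("deny", ANY, HOST)], "wizard-ics": WIZARD_ICS}

# ACL from the answer: exempt one host with 'deny', select the rest with 'permit'.
FIXED = {
    "web-acl-70": [("deny", "192.168.1.1/32", HOST), ("permit", ANY, HOST)],
    "wizard-ics": WIZARD_ICS,
}

if __name__ == "__main__":
    for label, acls in (("original", ORIGINAL), ("fixed", FIXED)):
        for src in ("192.168.1.1", "192.168.1.50"):
            print(label, src, "->", policy_class(PRIVATE, acls, src, TS_HOST))
```
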
Thanks Noor - that did the trick.
It makes sense; if I used policy action allow I would then deny ip any host xx.78.241.230.
I marked your answer as Correct
Regards,
-Yage