Hi everyone, as the subject says, I need to block Internet browsing (so outbound only) for all the client PCs on my LAN (about ten of them) except one, which must have full access. I don't know much about ACLs, so I'd kindly ask you for a hand...
P.S. Don't mind a few errors in the config... I'll sort those out later...
Thanks!!
This is the config of the 1841:
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key vpn
pool SDM_POOL_1
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description Connessione LAN$ETH-LAN$
ip address 192.168.69.250 255.255.255.0 secondary
ip address xxx.xx.xx.xxx 255.255.255.240
ip accounting output-packets
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
shutdown
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description CVP HDSL 742023/78
no ip address
encapsulation frame-relay IETF
no ip route-cache cef
no ip route-cache
no ip mroute-cache
load-interval 30
no fair-queue
frame-relay traffic-shaping
!
interface Serial0/0/0.1 point-to-point
description "Accesso Internet"
backup delay 1 30
backup interface Dialer1
ip address 151.x.xxx.xxx 255.255.255.192
ip access-group 110 in
ip nat outside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
no cdp enable
frame-relay class 512
frame-relay interface-dlci 140
crypto map SDM_CMAP_1
!
interface Serial0/0/0.2 point-to-point
description "PVC di Management"
ip address 192.xxx.x.x 255.255.255.0
no ip route-cache
no ip mroute-cache
no cdp enable
frame-relay interface-dlci 500
!
interface BRI0/1/0
description linea ISDN di Back Up <N.ISDN DEDICATA>
no ip address
encapsulation ppp
ip route-cache flow
load-interval 30
dialer pool-member 1
isdn switch-type basic-net3
isdn point-to-point-setup
isdn send-alerting
no cdp enable
!
interface Dialer1
ip unnumbered Serial0/0/0.1
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer string xxxxxxxxxxx
dialer-group 1
no cdp enable
ppp pap sent-username xxx@xxxxxx password 7 00084101095205000033414F1D100616
!
router rip
version 2
passive-interface FastEthernet0/0
passive-interface Serial0/0/0.1
network x.x.x.x
no auto-summary
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.10
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route x.x.x.x 255.255.255.0 Serial0/0/0.2
!
ip http server
no ip http secure-server
ip nat inside source route-map sdm_rmap_1 interface FastEthernet0/0 overload
!
!
map-class frame-relay 512
frame-relay cir 1984000
frame-relay bc 62000
frame-relay be 0
frame-relay mincir 512000
frame-relay adaptive-shaping becn
logging trap notifications
access-list 4 permit 192.168.69.0 0.0.0.255
access-list 4 permit x.x.x.0 0.0.0.255
access-list 4 permit x.x.x.224 0.0.0.15
access-list 4 deny any log
access-list 90 permit x.x.x.x
access-list 90 permit 1x.x.x.0 0.0.0.255
access-list 90 permit x.x.x.240 0.0.0.15
access-list 90 permit x.x.x.128 0.0.0.63
access-list 90 deny any log
access-list 100 deny icmp any any
access-list 100 permit ip any any
access-list 110 deny ip host x.x.x.x any
access-list 110 permit ip any any
access-list 110 permit tcp any any eq 1723
access-list 110 permit gre any any
dialer-list 1 protocol ip permit
snmp-server engineID local 00000009020000B0C2880073
snmp-server community cominfo RO 90
snmp-server community netcontrol RW 90
snmp-server trap-source Serial0/0/0.2
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server host x.x.x.x cominfo
no cdp run
route-map sdm_rmap_1 permit 1
match ip address 110
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
control-plane
!
banner motd ^C
^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 4 in
exec-timeout 60 0
logging synchronous
transport input telnet
line vty 5 15
transport input telnet
!
scheduler allocate 4000 1000
end
Block web browsing for the whole LAN except one PC
At a quick glance I'd say that if you need to block ONLY browsing from all the clients but one (and allow everything else), I'd do something like:
But maybe the requirement is more detailed and further considerations are needed....
! <allowed-pc-ip> = the one PC that is allowed to browse
access-list 101 permit tcp host <allowed-pc-ip> any eq 80
access-list 101 permit tcp host <allowed-pc-ip> any eq 443
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 permit ip any any
interface FastEthernet0/0
ip access-group 101 in
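As an added example (not part of the thread), the script below models IOS's first-match ACL evaluation with the implicit deny at the end, so the ordering of the ACL 101 suggested above can be checked before it is applied to Fa0/0; it assumes 192.168.69.10 as the permitted PC and only handles the ACE forms used in the reply (host/any source, any destination, optional `eq` port).

```python
from typing import NamedTuple, Optional

# Constructed example: ACL 101 from the reply, with an assumed IP for the allowed PC.
ALLOWED_HOST = "192.168.69.10"
ACL_101 = f"""
access-list 101 permit tcp host {ALLOWED_HOST} any eq 80
access-list 101 permit tcp host {ALLOWED_HOST} any eq 443
access-list 101 deny tcp any any eq 80
access-list 101 deny tcp any any eq 443
access-list 101 permit ip any any
"""

class Ace(NamedTuple):
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", ...
    src: str             # "any" or a host IP
    dport: Optional[int] # destination port from "eq <port>", or None

def parse_acl(text: str) -> list:
    """Parse 'access-list <n> <action> <proto> <src> any [eq <port>]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[2], tok[3]
        i = 4
        if tok[i] == "host":
            src, i = tok[i + 1], i + 2
        else:
            src, i = "any", i + 1
        i += 1  # skip the destination, which is always "any" on this page
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(action, proto, src, dport))
    return aces

def evaluate(aces: list, src_ip: str, proto: str, dport: int) -> str:
    """First matching ACE wins; nothing matched means the implicit 'deny ip any any'."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src != "any" and ace.src != src_ip:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for ip, proto, port in [(ALLOWED_HOST, "tcp", 443), ("192.168.69.20", "tcp", 80),
                            ("192.168.69.20", "tcp", 25), ("192.168.69.20", "udp", 53)]:
        print(ip, proto, port, "->", evaluate(acl, ip, proto, port))
```

Like the ACL itself, the model only treats TCP 80 and 443 as "browsing": traffic on other ports (mail, DNS, the VPN) still passes, and web traffic on non-standard ports is not covered.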