
Re: Stupid Cisco ACL question
From: up () 3 am
Date: Thu, 21 Apr 2011 15:42:51 -0400

Thanks everyone, of course this is what I wanted.  Like I said, a stupid
ACL question...I'm blaming heavy medication, sorry for the noise!

On Thu, 21 Apr 2011, up () 3 am wrote:
    permit tcp any eq 443 any
    permit tcp any eq 80 any
    deny ip any host
    permit ip any any

This is applied to an inbound interface(s).  We want anybody outside to
be able to reach ports 80 and 443 of any host on our network, no matter
then block ALL other access to select hosts, such as, even ICMP.
However, as soon as I apply this rule to the interface, ports 80 and 443
of that host become unreachable.  A telnet to 443 gets
refused" until I tear out the deny ACL above.  I even tried adding udp
both ports, to no avail.

Your ACL is applying 80 & 443 as source ports, not destination ports.

You probably want:
    permit tcp any any eq 443
    permit tcp any any eq 80
    deny ip any host
    permit ip any any

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford () uiowa edu, phone: 319-335-5555, fax: 319-335-2951
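As an added example (not code from the thread or from either poster), a small Python evaluator for Cisco-style extended ACL entries that reproduces both outcomes: with "eq 443" after the source address, an inbound client SYN (ephemeral source port, destination port 443) falls through to the deny line, while the corrected ordering permits it and still denies ICMP to the protected host. The host address in the thread's "deny ip any host" line was stripped by the archive, so 192.0.2.10 stands in as a constructed placeholder.

```python
# Added example, not from the NANOG thread: a minimal evaluator for Cisco-style
# extended ACL entries, showing that a port spec binds to the address before it.
from collections import namedtuple
from ipaddress import ip_address

# proto is "tcp", "udp" or "icmp"; ports are 0 for icmp
Packet = namedtuple("Packet", "proto src sport dst dport")

def _parse_addr(t, i):
    """'any' or 'host A.B.C.D' -> (predicate, index of the next token)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    host = ip_address(t[i + 1])  # t[i] == "host"
    return (lambda ip: ip_address(ip) == host), i + 2

def _parse_port(t, i):
    """Optional 'eq N' directly after an address; None means any port."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Token order is: action proto SRC [eq SPORT] DST [eq DPORT], so a port
    spec applies to the address that precedes it (source or destination)."""
    t = line.split()
    action, proto = t[0], t[1]
    src_ok, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst_ok, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    def match(p):
        return (proto in ("ip", p.proto) and src_ok(p.src) and dst_ok(p.dst)
                and sport in (None, p.sport) and dport in (None, p.dport))
    return action, match

def evaluate(acl, packet):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for line in acl:
        action, match = parse_ace(line)
        if match(packet):
            return action
    return "deny"

# The thread's ACLs; 192.0.2.10 is a constructed stand-in for the stripped host address.
HOST = "192.0.2.10"
ORIGINAL = ["permit tcp any eq 443 any", "permit tcp any eq 80 any",
            f"deny ip any host {HOST}", "permit ip any any"]
CORRECTED = ["permit tcp any any eq 443", "permit tcp any any eq 80",
             f"deny ip any host {HOST}", "permit ip any any"]
```

Feeding `Packet("tcp", "198.51.100.7", 51234, HOST, 443)` to `evaluate` returns "deny" for ORIGINAL and "permit" for CORRECTED; the only packets the original lines permit are ones whose source port is 80 or 443, i.e. the server's replies, not the client's requests.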
