Home page logo
/

nanog logo nanog mailing list archives

Re: Stupid Cisco ACL question
From: up () 3 am
Date: Thu, 21 Apr 2011 15:42:51 -0400


Thanks everyone, of course this is what I wanted.  Like I said, a stupid
ACL question...I'm blaming heavy medication, sorry for the noise!


On Thu, 21 Apr 2011, up () 3 am wrote:
permit tcp any eq 443 any
permit tcp any eq 80 any
deny ip any host 2.2.3.4
permit ip any any

This is applied to an inbound interface(s).  We want anybody outside to
be
able to reach ports 80 and 443 of any host on our network, no matter
what,
then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
However, as soon as I apply this rule to the interface, ports 80 and 443
of that host become unreachable.  A telnet to 2.2.3.4 443 gets
"Connection
refused" until I tear out the deny ACL above.  I even tried adding udp
for
both ports, to no avail.

Your ACL is apply the 80 & 443 as source ports, not destination ports.

You probably want:
    permit tcp any any eq 443
    permit tcp any any eq 80
    deny ip any host 2.2.3.4
    permit ip any any

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford () uiowa edu, phone: 319-335-5555, fax: 319-335-2951




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]