Access-list Help

Answered Question
May 24th, 2007

Hi everybody, I just have a question about an access-list statement.

access-list 107 deny tcp 207.16.12.0 0.0.3.255 any eq http

access-list 107 permit ip any any

In the answer (given in a book written by Todd Lammle, a leading authority on Cisco networking), it is explicitly specified that if the destination application is http, the statement will permit any host between 12 and 15 in the third octet.

That means, for instance, IP source 207.16.13.14, destination app: http WILL be PERMITTED.

I think right the opposite.

Maybe I am wrong about using wildcard masks.

Please help ASAP

Correct Answer by CSCO10892433 about 9 years 6 months ago

Hi, farellfollly

You are correct.

In the following statement:

if the destination application is http, the statement will PERMIT any host between 12 and 15 in the third octet.

The word PERMIT should be changed to DENY.

HTH

SSLIN


farellfolly Fri, 05/25/2007 - 02:45

Hi, I still have another question about access-lists.

There are four routers connected together in a hub-and-spoke topology. The central router A is connected to the internet, and the three others, Miami, LA and Chicago, are connected to it.

So the goal is to PERMIT hosts at LA and Chicago to access web resources on the internet, but NOT hosts in the Miami subnet. Also, we do not want anyone NOT in Miami to access web sites hosted in Miami.

Assuming that the host subnets at Miami are associated with 192.168.1.0/24, Chicago with 192.168.2.0/24 and LA with 192.168.3.0/24, which of the following lines might be used in an ACL to accomplish the task if the last line of the ACL is

access-list 110 permit ip any any ?

A. access-list 110 deny tcp 192.168.0.0 0.0.0.255 any eq 80

B. access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq 80

C. access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80

D. access-list 110 permit tcp any 192.168.0.0 0.0.0.255 eq 80

The answer he gave was A and C, but as far as I am concerned I only answered C and guessed another ACL command was missing in the choices listed (or incorrectly written).

If we add "A" we're not only blocking hosts in Miami from accessing the internet but also LA's and Chicago's!!! Or we have to change the wildcard mask and/or address (in my opinion).

Please help me fix that shit!

mtechnology Mon, 06/04/2007 - 07:50

Hi, try with the ACL below

A. access-list 110 deny tcp 192.168.1.0 0.0.0.255 any eq 80
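The two threads above both come down to how a Cisco wildcard mask selects addresses: a 0 bit in the mask must match the configured address, a 1 bit is ignored, and the first matching line decides (with an implicit deny if nothing matches). The following Python script is an added example, not part of this discussion or of any Cisco documentation. It parses the exact statements quoted in the posts, evaluates ACL 107 against the source 207.16.13.14 from the first question, and then checks what options A and C, and mtechnology's corrected line, actually match for hosts in the three sites. The external web server address 198.51.100.10 and the per-site host addresses are constructed sample values.

```python
"""Evaluate Cisco-style extended ACL lines against sample packets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"http": 80, "www": 80}  # named ports used in the quoted lines


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: mask bits set to 0 must match, bits set to 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" or "tcp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]   # None when the line carries no "eq <port>"


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N action proto src [wc] dst [wc] [eq port]' into an Ace."""
    t = line.split()
    assert t[0] == "access-list", "only numbered access-list lines are supported"
    action, proto = t[2], t[3]
    i = 4

    def take_addr():
        nonlocal i
        if t[i] == "any":                     # any = 0.0.0.0 with an all-ones wildcard
            i += 1
            return "0.0.0.0", "255.255.255.255"
        if t[i] == "host":                    # host X = X with an all-zeros wildcard
            i += 2
            return t[i - 1], "0.0.0.0"
        base, wc = t[i], t[i + 1]
        i += 2
        return base, wc

    src, src_wc = take_addr()
    dst, dst_wc = take_addr()
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """True when the packet (proto, src, dst, dport) is selected by this line."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not wildcard_match(src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(dst, ace.dst, ace.dst_wc):
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl: List[str], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching line wins; every Cisco ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


# --- Scenario 1: the two lines quoted from the book ---------------------------------------
ACL_107 = [
    "access-list 107 deny tcp 207.16.12.0 0.0.3.255 any eq http",
    "access-list 107 permit ip any any",
]
WEB_SERVER = "198.51.100.10"   # constructed sample external web server (documentation range)

# --- Scenario 2: the hub-and-spoke question -----------------------------------------------
SITES = {"Miami": "192.168.1.10", "Chicago": "192.168.2.10", "LA": "192.168.3.10"}  # constructed hosts
OPTION_A = "access-list 110 deny tcp 192.168.0.0 0.0.0.255 any eq 80"
OPTION_C = "access-list 110 deny tcp any 192.168.0.0 0.0.0.255 eq 80"
CORRECTED_A = "access-list 110 deny tcp 192.168.1.0 0.0.0.255 any eq 80"   # mtechnology's line


def sites_matched(line: str, direction: str) -> List[str]:
    """Site names whose host a single line matches as web client ('outbound') or web server ('inbound')."""
    ace = parse_ace(line)
    hits = []
    for name, host in SITES.items():
        if direction == "outbound":
            hit = ace_matches(ace, "tcp", host, WEB_SERVER, 80)
        else:
            hit = ace_matches(ace, "tcp", WEB_SERVER, host, 80)
        if hit:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("207.16.13.14 -> web :80  :", evaluate(ACL_107, "tcp", "207.16.13.14", WEB_SERVER, 80))
    print("207.16.16.1  -> web :80  :", evaluate(ACL_107, "tcp", "207.16.16.1", WEB_SERVER, 80))
    print("207.16.13.14 -> web :443 :", evaluate(ACL_107, "tcp", "207.16.13.14", WEB_SERVER, 443))
    print("option A blocks outbound web from:", sites_matched(OPTION_A, "outbound"))
    print("option C blocks inbound web to   :", sites_matched(OPTION_C, "inbound"))
    print("corrected A blocks outbound from :", sites_matched(CORRECTED_A, "outbound"))
```

For ACL 107, 0.0.3.255 leaves the two low bits of the third octet free, so 207.16.12.0 through 207.16.15.255 are selected by the deny line and a source of 207.16.13.14 going to port 80 is denied, while port 443 from the same host falls through to the permit. For ACL 110, a line written with 192.168.0.0 0.0.0.255 only selects 192.168.0.x and so matches none of the three site subnets; the same script shows that 192.168.1.0 0.0.0.255 selects Miami alone, and that 192.168.0.0 0.0.3.255 would select all three sites, which is the wildcard effect farellfolly was worried about.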
