09-21-2007 02:53 PM - edited 03-03-2019 06:52 PM
I am trying to block all outbound traffic except for certain ports. I tried
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 permit ip any any
access-list 101 deny tcp any any
That doesn't stop anything. I tried
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 deny tcp any any
That stops everything. Any help would be great. Thanks
09-21-2007 04:25 PM
Access-lists flow down, so you put the most specific entries at the top and the generalized ones at the bottom. On your first list you have permit ip any any, which means nothing gets blocked.
And if I'm not mistaken, DNS uses UDP also, which is blocked in the second list.
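To make the two points above concrete, here is a small first-match evaluator for the extended-ACL syntax used in this thread (an added example, not code from any poster; the port-name table and the FIXED list with a UDP/53 permit are my assumptions):

```python
# Added example, not from the thread: a minimal first-match evaluator for the
# IOS extended-ACL syntax used above. It only understands
#   access-list <n> <permit|deny> <tcp|udp|ip> any any [eq <port>]
# The port-name table and the FIXED list are assumptions, not the poster's config.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53}

def parse_acl(text):
    """Return [(action, protocol, dest_port_or_None)] in configured order."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        action, proto = f[2], f[3]
        port = None
        if len(f) > 7 and f[6] == "eq":
            port = PORT_NAMES[f[7]] if f[7] in PORT_NAMES else int(f[7])
        rules.append((action, proto, port))
    return rules

def evaluate(rules, proto, dport):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, rproto, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

# First attempt from the thread: "permit ip any any" sits above the deny.
FIRST_TRY = """
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit ip any any
access-list 101 deny tcp any any
"""
# Second attempt: same list without "permit ip any any".
SECOND_TRY = "\n".join(l for l in FIRST_TRY.splitlines() if "permit ip" not in l)
# Assumed fix: keep the second list but also permit DNS over UDP.
FIXED = SECOND_TRY + "\naccess-list 101 permit udp any any eq domain"

if __name__ == "__main__":
    for name, acl in (("first", FIRST_TRY), ("second", SECOND_TRY), ("fixed", FIXED)):
        r = parse_acl(acl)
        print(name, "tcp/22:", evaluate(r, "tcp", 22), " udp/53:", evaluate(r, "udp", 53))
```

The first list permits everything because the catch-all matches before the deny; the second blocks UDP/53 through the implicit deny, which is exactly the DNS breakage described.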
09-22-2007 04:30 AM
Beside Kyle's post, where are you using this ACL, inside facing interface or outside facing interface? Also, in or out on the interface?
Reason I ask, with the explicit deny tcp any and the implicit deny all, your ACL needs to match the destination's port. I.e. the difference between inside in and outside out vs. inside out and outside in.
09-22-2007 05:36 PM
I am planning on applying this ACL to a fast ethernet port on the inside. So inside out.
09-22-2007 05:49 PM
If I'm understanding you, you have a PC, then a router, then the internet. You're applying it on the PC side of the router going out. If you do that, it examines the packets when they head out of the router towards the PC. You want to apply the access-list on the in so it examines them as they go into the router.
Hope it helps,
Kyle
09-23-2007 03:38 AM
If your LAN facing interface is something like FastEthernet 0/1 then you want:
Interface FastEthernet 0/1
no shutdown
description connected to EthernetLAN
ip address x.x.x.x x.x.x.x
ip access-group 101 in
NOT
Interface FastEthernet 0/1
no shutdown
description connected to EthernetLAN
ip address x.x.x.x x.x.x.x
ip access-group 101 out
PS:
Doing the above would restrict access to other internal interfaces, if any.
09-23-2007 04:54 AM
Thanks to everyone. I have everything working the way I had planned.