help with acl on cisco 1841

Unanswered Question
Feb 27th, 2008

Hi all. I have a Cisco 1841 which I use to segregate 2 private LANs.

The commands below show one of my Fast Ethernet interfaces which I placed an ACL on.

interface FastEthernet0/1
 description $ETH-LAN$
 ip address
 ip access-group 100 out
 duplex auto
 speed auto

access-list 100 permit icmp any any
access-list 100 permit tcp host eq www
access-list 100 permit tcp host established

My objective is to allow subnet to be able to access on port 80 only. However, with my ACL implemented as shown, I could access even through RDP. But the ACLs do manage to prevent access to other workstations on . Can anyone advise me what is wrong with my ACL?

Another query is the command "access-list 100 permit tcp host established". I believe this command is to allow incoming packets only after any station on subnet has initiated the connection. Hence I feel this ACL should be placed on fa0/1 incoming traffic instead of outgoing traffic, i.e. it should be "access-list 110 permit tcp host established" with "ip access-group 110 in". However, when I try to place that ACL on incoming traffic, no traffic can pass through. Please advise.

donnie Wed, 02/27/2008 - 09:53

Hi whisperwind,

I managed to solve the problem by using the ACL below, which is still applied to my outbound packets. Now my network can only access on port 80 and nothing else.

access-list 100 permit tcp host eq 80 established

The difference is by specifying port 80 for . I understand that this ACL with the established keyword should be applied to inbound packets. But when I applied it inbound, all the routing in my Cisco 1841 failed to function even though I included only 1 line, e.g. "access-list 100 permit tcp host established", and applied this 1-line ACL to my inbound packets for fa0/1. Why is this so? Thanks in advance.
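The two behaviours reported above (the first list still letting RDP through, and the one-line "established" list blocking everything when moved inbound) both follow from how an extended ACL matches: "established" is only a check that the TCP segment carries the ACK or RST bit, the router keeps no connection table for it, and anything that matches no line falls to the implicit deny at the end of the list. The small evaluator below is an added example, not code from this thread, that models just those matching rules and runs the three lists over constructed sample traffic. Addresses are placeholders (10.1.1.0/24 as the client LAN, 10.2.2.10 as the web server) because the thread does not show them, and it is assumed that the outbound list sits on the client-facing interface, where it only ever sees the server's return traffic.

```python
"""Toy evaluator for Cisco-style extended ACL entries (added example, not from the
thread). It models only what the thread exercises: protocol, host/subnet matching,
'eq <port>' on the source or destination, the 'established' keyword (matches TCP
segments carrying the ACK or RST bit) and the implicit deny at the end of every list.
All addresses are constructed placeholders; the thread itself does not show them."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


@dataclass(frozen=True)
class Segment:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK bit
    rst: bool = False     # TCP RST bit


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: str                       # "any", "host a.b.c.d" or "a.b.c.d/len"
    dst: str
    sport: Optional[int] = None    # 'eq <port>' after the source
    dport: Optional[int] = None    # 'eq <port>' after the destination
    established: bool = False      # only meaningful for proto == "tcp"


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(e: Entry, s: Segment) -> bool:
    if e.proto != "ip" and e.proto != s.proto:
        return False
    if not (_addr_match(e.src, s.src) and _addr_match(e.dst, s.dst)):
        return False
    if e.sport is not None and s.sport != e.sport:
        return False
    if e.dport is not None and s.dport != e.dport:
        return False
    # 'established' is a flag check on the segment only: ACK or RST must be set.
    # The router keeps no connection table for it, so a port is still needed to
    # restrict which service's replies get through.
    if e.established and not (s.ack or s.rst):
        return False
    return True


def evaluate(acl: List[Entry], seg: Segment) -> str:
    """First matching entry wins; a segment matching nothing hits the implicit deny."""
    for e in acl:
        if _matches(e, seg):
            return e.action
    return "deny"


SERVER, CLIENTS = "host 10.2.2.10", "10.1.1.0/24"   # constructed placeholders

# The thread's first list, as it reads on the outbound side of the client-facing
# interface, where it only sees the server's return traffic (placement assumed).
ACL_LOOSE = [
    Entry("permit", "icmp", "any", "any"),
    Entry("permit", "tcp", SERVER, CLIENTS, sport=80),
    Entry("permit", "tcp", SERVER, CLIENTS, established=True),  # no port: any ACK segment
]
# The working line from the reply above: port 80 and 'established' together.
ACL_TIGHT = [Entry("permit", "tcp", SERVER, CLIENTS, sport=80, established=True)]
# The one-line list tried inbound on fa0/1, where the router sees the clients' own
# outgoing packets (SYNs, UDP, ICMP) rather than the server's replies.
ACL_INBOUND_ONLY = [Entry("permit", "tcp", SERVER, CLIENTS, established=True)]

# Constructed sample traffic.
HTTP_REPLY = Segment("tcp", "10.2.2.10", "10.1.1.5", sport=80, dport=50000, ack=True)
RDP_REPLY = Segment("tcp", "10.2.2.10", "10.1.1.5", sport=3389, dport=50001, ack=True)
SERVER_SYN = Segment("tcp", "10.2.2.10", "10.1.1.5", sport=40000, dport=445)  # no ACK
CLIENT_SYN = Segment("tcp", "10.1.1.5", "10.2.2.10", sport=50000, dport=80)   # no ACK
CLIENT_DNS = Segment("udp", "10.1.1.5", "10.2.2.53", sport=50002, dport=53)


def report(acl: List[Entry]) -> Dict[str, str]:
    """Decision per labelled sample segment for one list."""
    samples = {"http_reply": HTTP_REPLY, "rdp_reply": RDP_REPLY, "server_syn": SERVER_SYN,
               "client_syn": CLIENT_SYN, "client_dns": CLIENT_DNS}
    return {name: evaluate(acl, seg) for name, seg in samples.items()}


if __name__ == "__main__":
    for label, acl in (("loose", ACL_LOOSE), ("tight", ACL_TIGHT),
                       ("inbound", ACL_INBOUND_ONLY)):
        print(label, report(acl))
```

Running it shows the loose list permitting the RDP reply through its third line (any ACK-bearing segment from the server, whatever the port) while the tight list denies it and still permits the HTTP reply; the one-line list, when it faces client-originated traffic, denies the client's SYN (no ACK yet) and the UDP query (not TCP), which is the "nothing passes" symptom. A stateless "established" match is a coarse filter; where the router supports it, a reflexive ACL or zone-based firewall tracks real sessions instead.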

Richard Burts Wed, 02/27/2008 - 10:45

You also posted this question on the LAN Switching and Routing forum, where I have posted an answer which explains the issue with the access list and the placement of the access list. Please look to that forum for the answer.
