02-27-2008 08:24 AM - edited 03-11-2019 05:09 AM
Hi all. I have a Cisco 1841 which I use to segregate 2 private LANs.
The commands below show one of my Fast Ethernet interfaces which I place an ACL on.
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.4.253 255.255.255.0
 ip access-group 100 out
 duplex auto
 speed auto
!
access-list 100 permit icmp any any
access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www
access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established
My objective is to allow the 192.168.4.0/24 subnet to be able to access 192.168.1.204/24 on port 80 only. However, with my ACL implemented as shown, I could access 192.168.1.204/24 even through RDP. But the ACLs manage to prevent access to other workstations on 192.168.1.0/24. Can anyone advise me what is wrong with my ACL?
Another query is the command "access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established". I believe this command is to allow incoming packets only after any station on the 192.168.4.0/24 subnet has initiated the connection. Hence I feel this ACL should be placed on fa0/1 incoming traffic instead of outgoing traffic. Hence it should be "access-list 110 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established" with "ip access-group 110 in". However, when I try to place that ACL on incoming traffic, no traffic can pass through. Pls advise.
02-27-2008 08:45 AM
Apply the ACL inbound
02-27-2008 09:53 AM
Hi whisperwind,
I managed to solve the prob by using the below ACL, which is still applied to my outbound packets. Now my 192.168.4.0 network can only access 192.168.1.204 on port 80 and nothing else.
access-list 100 permit tcp host 192.168.1.204 eq 80 192.168.4.0 0.0.0.255 established
The difference is specifying port 80 for 192.168.1.204. I understand that this ACL with the established keyword should be applied to inbound packets. But when I applied it inbound, all the routing in my Cisco 1841 failed to function even though I included only 1 line, e.g. "access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established", and applied this 1-line ACL to my inbound packets for fa0/1. Why is this so? Thks in advance.
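The behaviour described in the two posts above can be traced with a small evaluator that parses the exact access-list lines posted and applies Cisco's matching rules: entries are checked in order, an unmatched packet hits the implicit deny at the end, and `established` matches only TCP segments with the ACK or RST bit set. An ACL applied `out` on fa0/1 only sees packets leaving the router toward 192.168.4.0/24, i.e. the server's replies, so the `192.168.4.0 0.0.0.255 host 192.168.1.204 eq www` line never matches there; the `established` line does match the SYN-ACK of any reply from 192.168.1.204 regardless of port, which is why RDP got through until `eq 80` pinned the source port. Applied `in`, the same `established` line sees only the clients' outgoing SYNs, matches nothing, and the implicit deny drops everything. This is an added example, not code from the thread or from Cisco; the client address 192.168.4.10, the ephemeral port 49152, the fourth ACL (the thread's port-80 line applied inbound, which is one way to meet the stated objective) and the small port-name table are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Minimal service-name table for "eq <name>" (assumption: only what the thread uses).
PORT_NAMES = {"www": 80}


@dataclass
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # ACK or RST set; this is what Cisco "established" tests


@dataclass
class Ace:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    sport: Optional[int]
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


def _take_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' into a network."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard is the bitwise inverse of a subnet mask.
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    net = ipaddress.ip_network((addr, str(ipaddress.ip_address(mask))), strict=False)
    return net, i + 2


def _take_port(tokens, i):
    """Parse an optional 'eq <port|name>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name) or int(name), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny <proto> <src> [eq p] <dst> [eq p] [established]' line."""
    t = line.split()
    assert t[0] == "access-list", line
    action, proto, i = t[2], t[3], 4
    src, i = _take_addr(t, i)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return Ace(action, proto, src, sport, dst, dport, "established" in t[i:])


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src_net:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst_net:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established and not pkt.ack:
        return False
    return True


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def tcp_session_allowed(acl: List[Ace], direction: str, client: str, server: str, server_port: int) -> bool:
    """Model fa0/1, the interface facing 192.168.4.0/24, with one ACL applied in or out.

    'in'  sees the client's SYN entering the router from the 192.168.4.0/24 side.
    'out' sees the server's SYN-ACK leaving the router toward 192.168.4.0/24.
    The other direction is unfiltered in this thread, so the session works iff the
    filtered packet is permitted.
    """
    request = Packet("tcp", client, server, 49152, server_port, ack=False)  # SYN
    reply = Packet("tcp", server, client, server_port, 49152, ack=True)      # SYN-ACK
    filtered = reply if direction == "out" else request
    return acl_lookup(acl, filtered) == "permit"


# The three ACLs from the thread, plus one constructed here (port-80 line applied inbound).
ORIGINAL_OUT = [parse_ace(l) for l in [
    "access-list 100 permit icmp any any",
    "access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www",
    "access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established",
]]
FIXED_OUT = [parse_ace(l) for l in [
    "access-list 100 permit icmp any any",
    "access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www",
    "access-list 100 permit tcp host 192.168.1.204 eq 80 192.168.4.0 0.0.0.255 established",
]]
ESTABLISHED_IN = [parse_ace("access-list 110 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established")]
PORT80_IN = [parse_ace("access-list 110 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www")]  # assumption


def report(client="192.168.4.10", server="192.168.1.204"):
    """Return {(acl name, service): session allowed?} for HTTP and RDP through each ACL."""
    cases = [("original out", ORIGINAL_OUT, "out"), ("fixed out", FIXED_OUT, "out"),
             ("established in", ESTABLISHED_IN, "in"), ("port-80 in", PORT80_IN, "in")]
    out = {}
    for name, acl, direction in cases:
        for service, port in (("http", 80), ("rdp", 3389)):
            out[(name, service)] = tcp_session_allowed(acl, direction, client, server, port)
    return out


if __name__ == "__main__":
    for (name, service), ok in report().items():
        print(f"{name:15s} {service:5s} -> {'allowed' if ok else 'denied'}")
```

Running it shows the thread's symptoms directly: `original out` allows both HTTP and RDP, `fixed out` allows HTTP only, and `established in` allows nothing, while the constructed inbound port-80 line meets the stated objective without relying on `established` at all.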
02-27-2008 10:45 AM
wenbin
You also posted this question on the LAN Switching and Routing forum where I have posted an answer which explains the issue with the access list and the placement of the access list. Please look to that forum for the answer.
HTH
Rick