ACL

Unanswered Question
Feb 1st, 2009

Hello

access-list 100 deny tcp any host 192.168.1.100 eq 80

*****

int fa 0/0 # ip access-group 100 out

Is it the correct ACL to prevent the specified host from accessing the Internet?

If not, could someone please correct this?

thank you

Istvan_Rabai Sun, 02/01/2009 - 22:21

Hi Ahmed,

This acl denies any outbound access to a web server under ip address 192.168.1.100.

To deny access of a specific host to any http service on the Internet:

access-list 100 deny tcp host 192.168.1.100 any eq 80

"int fa 0/0 # ip access-group 100 out"

This is OK if fa 0/0 is the Internet-facing interface.

Cheers:

Istvan

mszeftawy Mon, 02/02/2009 - 00:08

Hi Ahmed

And also don't forget the permit any at the end of the ACL, as any access list has a deny any statement at the end.

so as below

access-list 100 deny tcp host 192.168.1.100 any eq 80

access-list 100 permit ip any any

Giuseppe Larosa Mon, 02/02/2009 - 01:06

Hello Ala,

nice to hear from you

be aware that TCP port 80 stays on the server side.

if f0/0 is your internal lan

access-list 100 deny tcp host 192.168.1.100 any eq 80

access-list 100 permit ip any any

int f0/0

ip access-group 100 in

if f0/0 is the WAN port (to internet)

int f0/0

ip access-group 100 out

The well-known port follows the server side, and you need to permit something or the ACL will deny everything.

Hope to help

Giuseppe
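To make the three points in the replies concrete (the "eq 80" applies to whichever address it follows, the implicit deny at the end of every IOS ACL, and the difference between the original and corrected lists), here is an added example that is not from the thread or from Cisco: a small Python model of extended ACL evaluation. It parses the exact ACL lines posted above, evaluates constructed sample packets against them top-down with first-match-wins semantics, and returns which entry matched (None for the implicit deny). Which interface and direction the list is applied on is not modelled; you simulate that by feeding it the traffic that would cross that interface in that direction. Port names, sample addresses (203.0.113.x) and the port numbers are assumptions for illustration.

```python
"""Simulate how a Cisco IOS extended ACL evaluates packets: top-down, first
match wins, implicit 'deny any' at the end. Added example, not from the thread;
the ACL lines are the ones posted, the traffic samples are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# A few of the well-known port names IOS accepts after "eq" (assumed subset).
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "telnet": 23, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0       # for a client-to-server flow this is the well-known port


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None     # "eq N" written right after the source address
    dport: Optional[int] = None     # "eq N" written right after the destination address


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Wildcard mask: 0 bits must match, 1 bits are don't-care; invert it to a netmask.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        return (PORT_NAMES[port] if port in PORT_NAMES else int(port)), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' line."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]             # drop 'access-list' and the list number
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)   # a port here applies to the source
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)   # a port here applies to the destination
    return Ace(action, proto, src, dst, sport, dport)


def evaluate(acl, pkt):
    """Return (action, index of the matching entry); index None means the
    implicit deny at the end of the list fired."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, idx
    return "deny", None


# The ACL variants discussed in the thread.
ORIGINAL = [parse_ace("access-list 100 deny tcp any host 192.168.1.100 eq 80")]
DENY_ONLY = [parse_ace("access-list 100 deny tcp host 192.168.1.100 any eq 80")]
CORRECTED = DENY_ONLY + [parse_ace("access-list 100 permit ip any any")]

# Constructed sample traffic as it would leave toward the Internet.
HOST_HTTP = Packet("tcp", "192.168.1.100", "203.0.113.10", sport=51234, dport=80)
HOST_HTTPS = Packet("tcp", "192.168.1.100", "203.0.113.10", sport=51235, dport=443)
HOST_DNS = Packet("udp", "192.168.1.100", "203.0.113.53", sport=51236, dport=53)
OTHER_HTTP = Packet("tcp", "192.168.1.101", "203.0.113.10", sport=51237, dport=80)
# Constructed: an outside client connecting to a web server running on the host.
TO_HOST_WEB = Packet("tcp", "203.0.113.10", "192.168.1.100", sport=51238, dport=80)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("deny only", DENY_ONLY), ("corrected", CORRECTED)):
        for pkt in (HOST_HTTP, HOST_HTTPS, HOST_DNS, OTHER_HTTP, TO_HOST_WEB):
            print(f"{name:10} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {evaluate(acl, pkt)}")
```

Running it shows the three behaviours: ORIGINAL never matches the host's own outbound web traffic (it only matches connections to port 80 on 192.168.1.100) and, having no permit line, drops every packet through the implicit deny; DENY_ONLY blocks the host's HTTP but still drops everything else for the same reason; CORRECTED blocks only the host's TCP/80 and permits the rest. Note that "eq 80" blocks HTTP only: the HOST_HTTPS sample (TCP/443) is permitted by the corrected list, so "prevent the host from the Internet" needs a broader deny (for example deny ip host 192.168.1.100 any) if that is really the goal.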
