ACL

Unanswered Question
Feb 1st, 2009

Hello

access-list 100 deny tcp any host 192.168.1.100 eq 80

*****

int fa 0/0 # ip access-group 100 out


Is this the correct ACL to prevent the specified host from reaching the internet?

If not, could someone please correct it?

thank you

Istvan_Rabai Sun, 02/01/2009 - 22:21
User Badges:
  • Gold, 750 points or more

Hi Ahmed,


This ACL denies any outbound access to a web server with the IP address 192.168.1.100.


To deny access of a specific host to any http service on the Internet:


access-list 100 deny tcp host 192.168.1.100 any eq 80


"int fa 0/0 # ip access-group 100 out"

This is OK if fa 0/0 is the Internet-facing interface.



Cheers:

Istvan



mszeftawy Mon, 02/02/2009 - 00:08

Hi Ahmed


And also don't forget the permit any at the end of the ACL, as every access list has a deny any statement at the end.


So, as below:


access-list 100 deny tcp host 192.168.1.100 any eq 80

access-list 100 permit ip any any


Giuseppe Larosa Mon, 02/02/2009 - 01:06
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Ala,

nice to hear from you


Be aware that TCP port 80 stays on the server side.


If f0/0 is your internal LAN:


access-list 100 deny tcp host 192.168.1.100 any eq 80

access-list 100 permit ip any any


int f0/0

ip access-group 100 in


If f0/0 is the WAN port (to the internet):


int f0/0

ip access-group 100 out


The well-known port follows the server side, and you need to permit something or the ACL will deny everything.


Hope to help

Giuseppe
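The three points made in the replies above (source/destination order, the trailing permit, and which interface/direction actually sees the host's traffic) can be checked without a router. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS extended ACL matching that covers only what the posts use (any, host, wildcard masks, eq on the destination port, first match wins, implicit deny). The LAN 192.168.1.0/24 behind the "lan" port and the 203.0.113.0/24 addresses standing in for the internet are assumptions; the packets are constructed for the demonstration.

```python
"""Model of Cisco IOS numbered extended ACL matching, written to show why the
original ACL in the thread blocks the wrong direction, why the trailing
'permit ip any any' matters, and which interface/direction sees the host's traffic."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int   # destination port (the server side, as Giuseppe notes)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


PORT_NAMES = {"www": 80, "domain": 53}   # IOS accepts names for well-known ports


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    # Wildcard bits set to 1 are "don't care"; only contiguous masks are modelled here.
    if wildcard != (1 << wildcard.bit_length()) - 1:
        raise ValueError("only contiguous wildcard masks are modelled in this example")
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False)


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (destination port only)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl_lines, pkt):
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny (implicit)"


LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed subnet behind the "lan" port


def crosses(pkt, interface, direction):
    """On a two-port router ("lan" faces LAN, "wan" faces the internet), does a packet
    pass an ACL bound with 'ip access-group ... <direction>' on <interface>?"""
    from_lan = ipaddress.ip_address(pkt.src) in LAN
    if interface == "lan":
        return direction == ("in" if from_lan else "out")
    return direction == ("out" if from_lan else "in")


def filter_at(acl_lines, pkt, interface, direction):
    """Verdict of the ACL at a binding point, or 'not evaluated' if the packet never crosses it."""
    return evaluate(acl_lines, pkt) if crosses(pkt, interface, direction) else "not evaluated"


# The ACLs from the thread (the original plus the permit mszeftawy asked for, and the corrected one).
ORIGINAL = ["access-list 100 deny tcp any host 192.168.1.100 eq 80",
            "access-list 100 permit ip any any"]
CORRECTED = ["access-list 100 deny tcp host 192.168.1.100 any eq 80",
             "access-list 100 permit ip any any"]
NO_PERMIT = CORRECTED[:1]   # the corrected deny line without the trailing permit

# Constructed packets; 203.0.113.0/24 is documentation space standing in for the internet.
HOST_TO_WEB = Packet("tcp", "192.168.1.100", "203.0.113.10", 80)   # the host browsing out
WEB_TO_HOST = Packet("tcp", "203.0.113.10", "192.168.1.100", 80)   # outsider hitting the host's port 80
HOST_DNS = Packet("udp", "192.168.1.100", "203.0.113.53", 53)      # any other traffic from the host
HOST_HTTPS = Packet("tcp", "192.168.1.100", "203.0.113.10", 443)   # not covered by an 'eq 80' rule


def main():
    print("original, host -> web  :", evaluate(ORIGINAL, HOST_TO_WEB))
    print("original, web -> host  :", evaluate(ORIGINAL, WEB_TO_HOST))
    print("corrected, host -> web :", evaluate(CORRECTED, HOST_TO_WEB))
    print("corrected, host DNS    :", evaluate(CORRECTED, HOST_DNS))
    print("corrected, host HTTPS  :", evaluate(CORRECTED, HOST_HTTPS))
    print("no permit, host DNS    :", evaluate(NO_PERMIT, HOST_DNS))
    for iface, dirn in (("lan", "in"), ("wan", "out"), ("lan", "out")):
        print(f"corrected on {iface} {dirn:3}: {filter_at(CORRECTED, HOST_TO_WEB, iface, dirn)}")


if __name__ == "__main__":
    main()
```

Running it shows the original rule permitting the host's own browsing and only blocking outsiders reaching the host's port 80, the corrected rule blocking the host's port 80 traffic while DNS still passes, the deny-only ACL dropping the DNS packet on the implicit deny, and the corrected ACL never being consulted when bound outbound on the LAN port. The HTTPS packet passes the corrected ACL as well, because the rule as written matches only port 80.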

