02-01-2009 09:41 PM - edited 03-04-2019 01:04 AM
Hello
access-list 100 deny tcp any host 192.168.1.100 eq 80
*****
int fa 0/0 # ip access-group 100 out
Is it the correct ACL to prevent the specified host from accessing the Internet?
If not, could someone please correct this?
Thank you
02-01-2009 10:21 PM
Hi Ahmed,
This ACL denies any outbound access to a web server at IP address 192.168.1.100.
To deny access of a specific host to any http service on the Internet:
access-list 100 deny tcp host 192.168.1.100 any eq 80
"int fa 0/0 # ip access-group 100 out"
This is OK if fa 0/0 is the Internet-facing interface.
Cheers:
Istvan
02-02-2009 12:08 AM
Hi Ahmed
And also don't forget the permit any at the end of the ACL, as any access list has a deny any statement at the end.
So, as below:
access-list 100 deny tcp host 192.168.1.100 any eq 80
access-list 100 permit ip any any
02-02-2009 01:06 AM
Hello Ala,
Nice to hear from you.
Be aware that TCP port 80 stays on the server side.
If f0/0 is your internal LAN:
access-list 100 deny tcp host 192.168.1.100 any eq 80
access-list 100 permit ip any any
int f0/0
ip access-group 100 in
If f0/0 is the WAN port (to the Internet):
int f0/0
ip access-group 100 out
The well-known port follows the server side, and you need to permit something or the ACL will deny everything.
Hope this helps
Giuseppe
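
The two points raised in the replies above (source and destination order in the entry, and the implicit deny that ends every ACL) can be checked with a small first-match evaluator. This is an added example, not part of the original thread; it parses only the entry forms quoted here, does not model interface direction, and the addresses 192.168.1.50 and 203.0.113.10 are constructed sample values.

```python
# Added example: first-match evaluation of the extended ACL entries quoted in this thread.
# Handles only: access-list N {permit|deny} {ip|tcp} {any|host A} {any|host A} [eq PORT]

def parse_ace(line):
    tok = line.split()[2:]                 # drop "access-list <number>"
    action, proto, i, addrs = tok[0], tok[1], 2, []
    for _ in range(2):                     # source first, then destination
        if tok[i] == "any":
            addrs.append(None); i += 1
        else:                              # "host A.B.C.D"
            addrs.append(tok[i + 1]); i += 2
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, addrs[0], addrs[1], dport

def evaluate(acl, proto, src, dst, dport):
    for line in acl:
        action, a_proto, a_src, a_dst, a_dport = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue
        if a_src not in (None, src) or a_dst not in (None, dst):
            continue
        if a_dport not in (None, dport):
            continue
        return action                      # first matching entry wins
    return "deny"                          # implicit deny at the end of every ACL

PERMIT_ALL = "access-list 100 permit ip any any"
ORIGINAL = ["access-list 100 deny tcp any host 192.168.1.100 eq 80"]
REVERSED_ONLY = ["access-list 100 deny tcp host 192.168.1.100 any eq 80"]
CORRECTED = REVERSED_ONLY + [PERMIT_ALL]

# Constructed LAN-to-Internet packets: (protocol, source, destination, destination port)
PACKETS = [
    ("tcp", "192.168.1.100", "203.0.113.10", 80),   # the restricted host, HTTP
    ("tcp", "192.168.1.100", "203.0.113.10", 443),  # the restricted host, HTTPS
    ("tcp", "192.168.1.50", "203.0.113.10", 80),    # another LAN host, HTTP
]

def verdicts(acl):
    return [evaluate(acl, *p) for p in PACKETS]

if __name__ == "__main__":
    for name, acl in [("original + permit", ORIGINAL + [PERMIT_ALL]),
                      ("reversed only", REVERSED_ONLY), ("corrected", CORRECTED)]:
        print(f"{name:18}", verdicts(acl))
```

With the corrected ACL the restricted host is still permitted on port 443, because the deny entry matches destination port 80 only.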