Access List Question

Unanswered Question
Mar 31st, 2009

I'm not that schooled on access lists at the moment so I need a little help with a configuration.

I want to deny all access to a specific interface except to allow http traffic.

The interface that routes out to the internet is FastEthernet0/1 (65.x.x.x).

The interface on which I want to deny everything except http is FA3/0 (192.x.x.x).

Can someone help me out with this?

Thanks much

lamav Tue, 03/31/2009 - 07:16

Honestly, the best approach is for you to read this tutorial on access lists because so much can be said and written.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

What you have to have figured out before you write the ACL is:

1.) Which addresses/networks/hosts do you want to permit.

2.) What do you want them to have access to when you permit them. (This is the difference between a standard and extended ACL).

3.) Whose traffic do you want to deny and which destinations, if not all of them, do you want to deny them access to. (Again, this is the difference between a standard and extended ACL).

[EDIT] As a footnote, you should understand that you are not permitting or denying traffic to an interface, per se. What you do with an ACL is basically post a guard -- a traffic filter -- that will permit traffic or deny it from entering or leaving the interface on its way to somewhere else. So, that is where the source address and destination address information comes into play in the above steps I gave you. [EDIT]

HTH

Victor

zenon_electronics Tue, 03/31/2009 - 07:25

Hi, you can write the following access-list:

access-list 100 permit tcp 192.x.x.x 0.0.0.255 any eq 80

and apply it to interface FA3/0 as follows:

int fa3/0
ip access-group 100 in

This way you permit only IPs from 192.x.x.x to any internet address on the http port.

Regards

lamav Tue, 03/31/2009 - 08:11

You absolutely can.

Just know that there is an implicit "deny" at the end of the ACL. So, you are right, hosts on the Class C subnet will be allowed to go to "any" address when they arrive on the Fa3/0 interface, and all other traffic will get blocked by the implicit deny.

Great job.

Victor
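To make the behaviour described in the two replies above concrete (first-match evaluation, Cisco wildcard masks, and the implicit deny at the end of the list), here is an added Python model of how access-list 100 is evaluated. It is not from the original thread or from Cisco; the subnet 192.0.2.0 and the test addresses are constructed stand-ins for the thread's "192.x.x.x" placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the thread's "192.x.x.x" inside subnet (TEST-NET-1 is reserved for examples).
INSIDE_SUBNET = "192.0.2.0"
WILDCARD = "0.0.0.255"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    """One access-control entry of an extended numbered ACL."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches every protocol)
    src: str
    src_wc: str
    dst: str               # "any" or a network address
    dst_wc: str
    dport: Optional[int]   # None means any destination port


# access-list 100 permit tcp 192.x.x.x 0.0.0.255 any eq 80
ACL_100: List[Ace] = [Ace("permit", "tcp", INSIDE_SUBNET, WILDCARD, "any", "255.255.255.255", 80)]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action for a packet: first matching entry wins, otherwise implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if ace.dst != "any" and not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # the implicit deny at the end of every Cisco ACL


if __name__ == "__main__":
    # Constructed packets arriving inbound on fa3/0 (198.51.100.5 stands in for an internet host).
    for pkt in [("tcp", "192.0.2.10", "198.51.100.5", 80),   # http from inside: permit
                ("tcp", "192.0.2.10", "198.51.100.5", 443),  # https from inside: implicit deny
                ("tcp", "203.0.113.7", "198.51.100.5", 80),  # http from another subnet: implicit deny
                ("udp", "192.0.2.10", "198.51.100.53", 53)]: # dns from inside: implicit deny too
        print(pkt, "->", evaluate(ACL_100, *pkt))
```

The last case is the caveat to keep in mind when applying the list: anything the one permit entry does not cover, including name resolution from the same subnet, is dropped by the implicit deny.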
