Access List Question

dj214
Level 1

I'm not that schooled on access lists at the moment so I need a little help with a configuration.

I want to deny all access to a specific interface except to allow http traffic.

interface that routes out to the internet is interface FastEthernet0/1 65.x.x.x

Interface that I want to deny all except http is FA3/0 192.x.x.x

Can someone help me out with this.

Thanks much


lamav
Level 8

Honestly, the best approach is for you to read this tutorial on access lists because so much can be said and written.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

What you have to have figured out before you write the ACL is:

1.) Which addresses/networks/hosts do you want to permit.

2.) What do you want them to have access to when you permit them. (This is the difference between a standard and extended ACL).

3.) Whose traffic do you want to deny and which destinations, if not all of them, do you want to deny them access to. (Again, this is the difference between a standard and extended ACL).

[EDIT] As a footnote, you should understand that you are not permitting or denying traffic to an interface, per se. What you do with an ACL is basically post a guard -- a traffic filter -- that will permit traffic or deny it from entering or leaving the interface on its way to somewhere else. So, that is where the source address and destination address information comes into play in the above steps I gave you. [EDIT]

HTH

Victor

Hi, you can write the following access-list:

access-list 100 permit tcp 192.x.x.x 0.0.0.255 any eq 80

and to apply this access-list to interface FA3/0 as follows:

int fa3/0

ip access-group 100 in

This way you permit only IPs from 192.x.x.x to any internet address on the http port.

Regards

You absolutely can.

Just know that there is an implicit "deny" at the end of the ACL. So, you are right, hosts on the Class C subnet will be allowed to go to "any" address when they arrive on the Fa3/0 interface, and all other traffic will get blocked by the implicit deny.

Great job.

Victor
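To make the two points above concrete (how the one-line extended ACL matches, and why everything else is caught by the implicit deny), here is a small evaluator written for this thread. It is added example code, not anything posted in the thread or shipped by Cisco. It models IOS wildcard masks and first-match-wins semantics and runs the thread's `access-list 100` entry against a few constructed flows as they would arrive inbound on Fa3/0. The addresses are constructed: `192.0.2.0/24` stands in for the poster's `192.x.x.x` LAN and `203.0.113.x` for arbitrary internet hosts.

```python
"""Evaluate a Cisco-style extended ACL against sample flows.

Added example, not from the original thread. Models IOS wildcard masks
and the implicit deny at the end of every ACL. All addresses are
constructed: 192.0.2.0/24 stands in for the poster's 192.x.x.x LAN.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit means 'must match', a 1 bit means
    'don't care'. Note this is the inverse of a subnet mask (0.0.0.255 == /24)."""
    a = int(IPv4Address(addr))
    b = int(IPv4Address(base))
    w = int(IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class Packet:
    protocol: str                   # "tcp", "udp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    dst_port: Optional[int] = None  # the "eq <port>" qualifier on the destination

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wildcard):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wildcard):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


# The IOS keyword "any" is shorthand for 0.0.0.0 with an all-ones wildcard.
ANY = ("0.0.0.0", "255.255.255.255")


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny (implicit)"


# access-list 100 permit tcp 192.x.x.x 0.0.0.255 any eq 80
# (thread's entry, with constructed 192.0.2.0 in place of 192.x.x.x)
ACL_100 = [
    AclEntry("permit", "tcp", "192.0.2.0", "0.0.0.255", *ANY, dst_port=80),
]

# Constructed flows, as seen inbound on Fa3/0 ("ip access-group 100 in").
SAMPLE_FLOWS = [
    Packet("tcp", "192.0.2.10", "203.0.113.5", 80),    # HTTP from the LAN
    Packet("tcp", "192.0.2.10", "203.0.113.5", 443),   # HTTPS from the LAN
    Packet("udp", "192.0.2.10", "203.0.113.53", 53),   # DNS from the LAN
    Packet("tcp", "192.0.3.10", "203.0.113.5", 80),    # HTTP from outside the /24
]


def run() -> List[str]:
    """Verdict for each sample flow, in order."""
    return [evaluate(ACL_100, p) for p in SAMPLE_FLOWS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_FLOWS, run()):
        print(f"{pkt.protocol} {pkt.src} -> {pkt.dst}:{pkt.dst_port}  {verdict}")
```

Only the first flow is permitted; the other three fall through to the implicit deny, exactly as Victor describes. The DNS flow is worth noticing: with this ACL as the only entry, hosts on the LAN can reach port 80 but cannot resolve names, so "permit only http" in practice usually means deciding deliberately which supporting traffic (such as DNS) also needs an explicit permit before the implicit deny.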
