03-31-2009 07:12 AM - edited 03-04-2019 04:10 AM
I'm not that schooled on access lists at the moment so I need a little help with a configuration.
I want to deny all access to a specific interface except to allow http traffic.
The interface that routes out to the internet is interface FastEthernet0/1 65.x.x.x.
The interface that I want to deny all except http on is FA3/0 192.x.x.x.
Can someone help me out with this?
Thanks much
03-31-2009 07:16 AM
Honestly, the best approach is for you to read this tutorial on access lists because so much can be said and written.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
What you have to have figured out before you write the ACL is:
1.) Which addresses/networks/hosts do you want to permit?
2.) What do you want them to have access to when you permit them? (This is the difference between a standard and extended ACL.)
3.) Whose traffic do you want to deny, and which destinations, if not all of them, do you want to deny them access to? (Again, this is the difference between a standard and extended ACL.)
[EDIT] As a footnote, you should understand that you are not permitting or denying traffic to an interface, per se. What you do with an ACL is basically post a guard -- a traffic filter -- that will permit traffic or deny it from entering or leaving the interface on its way to somewhere else. So, that is where the source address and destination address information comes into play in the steps I gave you above. [EDIT]
HTH
Victor
03-31-2009 07:25 AM
Hi, you can write the following access-list:
access-list 100 permit tcp 192.x.x.x 0.0.0.255 any eq 80
and to apply this access-list to interface FA3/0 as follows:
int fa3/0
ip access-group 100 in
This way you permit only IPs from 192.x.x.x to reach any internet address on the http port.
Regards
03-31-2009 08:11 AM
You absolutely can.
Just know that there is an implicit "deny" at the end of the ACL. So, you are right, hosts on the Class C subnet will be allowed to go to "any" address when they arrive on the Fa3/0 interface, and all other traffic will get blocked by the implicit deny.
Great job.
Victor
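To make the behaviour of the ACL in the reply above and the implicit deny Victor mentions concrete, here is an added Python simulation of IOS ACL evaluation (example code, not from this thread or from Cisco). It models `access-list 100 permit tcp 192.x.x.x 0.0.0.255 any eq 80` applied inbound on Fa3/0; the thread's `192.x.x.x` is assumed to be `192.168.1.0/24`, a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry, in the shape of an IOS extended ACL line."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # source address
    src_wildcard: str      # IOS wildcard mask (inverse of a subnet mask)
    dst: str               # destination address ("any" = 0.0.0.0 255.255.255.255)
    dst_wildcard: str
    dst_port: Optional[int]  # None means any destination port


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dst_port: int) -> str:
    """Walk the ACL top-down; the first matching entry decides the packet's fate."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, ace.src, ace.src_wildcard):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wildcard):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    # No entry matched: every IOS ACL ends with an implicit "deny ip any any".
    return "deny"


# Constructed model of the reply's ACL; 192.168.1.0/24 stands in for "192.x.x.x".
ACL_100 = [
    Ace("permit", "tcp", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", 80),
]
```

Running `evaluate(ACL_100, "udp", "192.168.1.25", "8.8.8.8", 53)` returns `"deny"`, which shows why hosts behind such an ACL also lose DNS unless a matching entry is added.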