Access List Help

Answered Question
Oct 28th, 2013

Hi! I want to set up access lists. There are these networks:

10.30.6.0 with mask 255.255.255.0: it must reach the Internet on ports 80 and 443 only, with all other ports closed.

10.30.7.0 with mask 255.255.255.0: it must reach the Internet on port 80 and reach the host 10.50.51.250 on the internal network, with everything else closed.

10.30.9.0 must have full access.

Help me set up the ACLs!?

Correct Answer by daniel.dib, Tue, 10/29/2013 - 00:18

conf t
! 10.30.6.0/24: web only (TCP 80 and 443)
ip access-list extended NETWORK_6
 permit tcp 10.30.6.0 0.0.0.255 any eq 80
 permit tcp 10.30.6.0 0.0.0.255 any eq 443
 deny ip any any
! 10.30.7.0/24: TCP 80 to anywhere, plus everything to one internal host
ip access-list extended NETWORK_7
 permit tcp 10.30.7.0 0.0.0.255 any eq 80
 permit ip 10.30.7.0 0.0.0.255 host 10.50.51.250
 deny ip any any
! 10.30.9.0/24: unrestricted
ip access-list extended NETWORK_9
 permit ip any any


However, if you only open ports 80 and 443, how do you handle DNS?

Also, you have to think about return traffic if you want to do filtering.

Daniel Dib
CCIE #37149

Andrew Clark Tue, 10/29/2013 - 06:50

You don't need the deny ip any any at the end because the ACL has an explicit deny at the end of it.

daniel.dib Thu, 10/31/2013 - 00:25

I know but I usually add it there for clarity.

Daniel Dib
CCIE #37149

Egor Khomenko Tue, 10/29/2013 - 19:57

Do I apply it to the interface with an access-group?

And also, how can I assign it to this VLAN? I.e., DHCP is configured to hand out addresses for the network??
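Putting the accepted answer together with the follow-up points raised in the thread (DNS, return traffic, applying the lists to the VLAN interfaces, and the DHCP-served hosts): the configuration below is an added example, not Daniel's posted config or anything from the original thread. It assumes the three networks are routed on SVIs Vlan6, Vlan7 and Vlan9, that the Internet uplink is GigabitEthernet0/0, and that the hosts get their addresses from DHCP; those interface names and the extra FROM_INTERNET list are assumptions for illustration.

```cisco
! Added example (not from the thread): ACLs for the three networks in
! the question, extended with DNS, DHCP and return-traffic handling.
! Interface names (Vlan6/7/9, GigabitEthernet0/0) are assumed.
conf t
!
! 10.30.6.0/24: web only. DNS is added because a host that can only
! reach TCP/80 and TCP/443 cannot resolve names. DHCP is added because
! a DISCOVER comes from source 0.0.0.0 and would never match a rule
! keyed on 10.30.6.0. The trailing "deny ip any any" is redundant
! (every IOS ACL ends in an implicit deny) but documents the intent
! and gives you a hit counter in "show access-lists".
ip access-list extended NETWORK_6
 permit udp any eq bootpc any eq bootps
 permit udp 10.30.6.0 0.0.0.255 any eq 53
 permit tcp 10.30.6.0 0.0.0.255 any eq 53
 permit tcp 10.30.6.0 0.0.0.255 any eq 80
 permit tcp 10.30.6.0 0.0.0.255 any eq 443
 deny   ip  any any
!
! 10.30.7.0/24: web on TCP/80 plus full access to one internal host.
ip access-list extended NETWORK_7
 permit udp any eq bootpc any eq bootps
 permit udp 10.30.7.0 0.0.0.255 any eq 53
 permit tcp 10.30.7.0 0.0.0.255 any eq 53
 permit tcp 10.30.7.0 0.0.0.255 any eq 80
 permit ip  10.30.7.0 0.0.0.255 host 10.50.51.250
 deny   ip  any any
!
! 10.30.9.0/24: unrestricted, but matched on the source so that a host
! using an address from another subnet does not get a free pass.
ip access-list extended NETWORK_9
 permit udp any eq bootpc any eq bootps
 permit ip  10.30.9.0 0.0.0.255 any
 deny   ip  any any
!
! Apply each list inbound on the SVI that routes its VLAN. "in" means
! packets entering the router from the hosts, which is where these
! source-based rules belong.
interface Vlan6
 ip access-group NETWORK_6 in
interface Vlan7
 ip access-group NETWORK_7 in
interface Vlan9
 ip access-group NETWORK_9 in
!
! Return traffic: lists applied "in" on the SVIs never see the replies,
! so nothing more is needed for them. If you also filter inbound on the
! uplink, replies must be let back in explicitly. "established" matches
! TCP segments with ACK or RST set, i.e. replies to sessions the inside
! opened; UDP has no such flag, so DNS replies need their own line.
ip access-list extended FROM_INTERNET
 permit tcp any 10.30.0.0 0.0.255.255 established
 permit udp any eq 53 10.30.0.0 0.0.255.255
 deny   ip  any any log
interface GigabitEthernet0/0
 ip access-group FROM_INTERNET in
end
```

After applying, `show access-lists` shows per-entry hit counters; a growing count on the final `deny ip any any` of NETWORK_6 while users report "the web is broken" usually means a needed protocol (DNS, DHCP, NTP) is missing from the permits rather than a web problem.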

Egor Khomenko Wed, 10/30/2013 - 19:45

Thank you so much! Your article helped me!
