06-08-2016 08:36 AM - edited 03-05-2019 04:11 AM
I have an ASR 1002x with 2 GigE pipes set up for BGP. Both ports have the ip access-list extended WAN_TO_LAN applied as "in".
I would like to add to that acl to block all traffic from the internet to those ports except for eq 443. The IP I want to control is a public ip.
permit tcp xxx.49.xxx.8 0.0.0.255 any eq 443 does not work.
What am I missing?
06-08-2016 03:26 PM
Hi,
"permit tcp xxx.49.xxx.8 0.0.0.255 any eq 443" will permit any incoming traffic (assuming the ACL is applied inbound) with source xxx.49.xxx.0/24 and destination any address, with TCP destination port 443 (and any source port). Is that what you want to permit?
06-08-2016 04:38 PM
I only want to allow traffic on 443 to that IP. When I add that rule to the ACL that is applied as "in" and do a port scan, there are still a ton of ports open.
06-08-2016 04:55 PM
Can you share the full config? From where are you doing the port scan?
06-08-2016 05:31 PM
I did the port scan from outside the network. I remoted into a computer at my house and did the port scan from there.
interface GigabitEthernet0/0/1
 description ***blah***
 ip address xx.164.248.34 255.255.255.252
 no ip proxy-arp
 ip nat outside
 ip access-group WAN_TO_LAN in
 negotiation auto
!
interface TenGigabitEthernet0/2/0
 description ***blah***
 ip address xx.85.243.82 255.255.255.252
 ip nat outside
 ip access-group WAN_TO_LAN in
!
ip access-list extended WAN_TO_LAN
 permit ip host xx.85.254.162 any
 remark **** blah ****
 permit ip xx.60.160.0 0.0.1.255 any
 remark **** blah ****
 permit ip xx.60.162.192 0.0.0.63 any
 permit tcp xxx.49.xxx.8 0.0.0.255 any eq 443
The other rules in the ACL work. Just not the last one.
To recap:
I only want to allow traffic to ip xx.49.178.x (our email server) on port 443.
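An added worked example (not from this thread or from Cisco) that evaluates the posted ACL the way the second reply describes it: first matching entry wins, the two address fields are source then destination, and everything unmatched hits the implicit deny. It compares the last entry as posted against an assumed reading of the recap ("any source, to the mail server host, port 443"); all addresses are RFC 5737 documentation ranges standing in for the masked ones, and the rewritten entry is an assumption about intent, not a confirmed fix for the open ports seen in the scan.

```python
import ipaddress
# Constructed example: minimal evaluator for Cisco IOS extended ACL entries of the
# form "<action> <proto> <src> <dst> [eq <port>]", where an address spec is "any",
# "host A.B.C.D" or "A.B.C.D WILDCARD". Hypothetical addresses throughout.

def _parse_addr(t, i):
    """Return ((base, wildcard), next_index); wildcard bits set to 1 are ignored."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.ip_address(t[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))), i + 2

def _matches(spec, ip):
    base, wild = spec
    return (int(ipaddress.ip_address(ip)) | wild) == (base | wild)

def parse_ace(line):
    """Parse one access-list entry; 'remark' lines yield None."""
    t = line.split()
    if t[0] == "remark":
        return None
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl.strip().splitlines():
        ace = parse_ace(line.strip())
        if ace is None or ace["proto"] not in ("ip", proto):
            continue
        if not (_matches(ace["src"], src_ip) and _matches(ace["dst"], dst_ip)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny (implicit)"

# Last entry as posted: it keys on the SOURCE /24, not on the mail server.
AS_POSTED = """
permit ip host 203.0.113.162 any
permit ip 192.0.2.0 0.0.1.255 any
permit tcp 203.0.113.8 0.0.0.255 any eq 443
"""
# Assumed reading of the recap: any source, to the mail server host, port 443.
INTENDED = AS_POSTED.replace("permit tcp 203.0.113.8 0.0.0.255 any eq 443",
                             "permit tcp any host 203.0.113.10 eq 443")
```

Run `evaluate(AS_POSTED, "tcp", "198.51.100.7", "203.0.113.10", 443)` to see that an outside client reaching the mail server on 443 never matches the entry as posted, while the same packet is permitted under INTENDED and port 25 still falls through to the implicit deny.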