access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established
My objective is to allow the 192.168.4.0/24 subnet to be able to access 192.168.1.204/24 on port 80 only. However, with my ACL implemented as shown, I could access 192.168.1.204/24 even through RDP. But the ACLs manage to prevent access to other workstations on 192.168.1.0/24. Can anyone advise me what is wrong with my ACL?
Another query is about the command "access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established". I believe this command is to allow incoming packets only after any station on the 192.168.4.0/24 subnet has initiated the connection. Hence I feel this ACL should be placed on fa0/1 incoming traffic instead of outgoing traffic. Hence it should be "access-list 110 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established" with "ip access-group 110 in". However, when I try to place that ACL on incoming traffic, no traffic can pass through. Please advise.
The difference is in specifying port 80 for 192.168.1.204. I understand that this ACL with the established command should be applied to inbound packets. But when I applied it inbound, all the routing in my Cisco 1841 failed to function even though I included only one line, e.g. "access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established", and applied this one-line ACL to my inbound packets for fa0/1. Why is this so? Thanks in advance.
You also posted this question on the LAN Switching and Routing forum where I have posted an answer which explains the issue with the access list and the placement of the access list. Please look to that forum for the answer.
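As an added illustration for readers of this thread (not code from the thread, from the poster, or from Cisco), the following Python model reproduces the three IOS ACL behaviours the question turns on: first-match evaluation with the implicit deny at the end of every list, an `eq www` destination-port match that confines a permit to TCP/80, and the `established` keyword, which matches only TCP segments carrying the ACK or RST bit and therefore only fits the return half of a connection opened from the other side. The addresses and list numbers are the ones in the thread; the exact wording of the two entries, which direction each list filters, and the sample packets are assumptions constructed for this example.

```python
"""Toy model of Cisco IOS extended ACL matching (added example, not code
from the thread or from Cisco).

It models only the pieces the question turns on: first-match evaluation,
the implicit 'deny any' at the end of every list, wildcard-mask and
'eq PORT' matching, and the 'established' keyword, which matches TCP
segments that carry the ACK or RST bit. Addresses and list numbers come
from the thread; the entry wording, the direction each list filters and
the sample packets are constructed for this example.
"""
import ipaddress

WELL_KNOWN_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}


def _take_addr(tokens, i):
    """Consume an address spec at tokens[i:]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is an inverted netmask: 0.0.0.255 means /24.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i:]; return (port or None, index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = WELL_KNOWN_PORTS[name] if name in WELL_KNOWN_PORTS else int(name)
        return port, i + 2
    return None, i


def parse_rule(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t[i:],
            "text": line}


def packet(src, dst, proto="tcp", sport=0, dport=0, flags=()):
    """Build a constructed sample packet for evaluation."""
    return {"src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "flags": set(flags)}


def matches(rule, pkt):
    """Does one ACL entry match a packet built by packet()?"""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["sport"] is not None and pkt["sport"] != rule["sport"]:
        return False
    if rule["dport"] is not None and pkt["dport"] != rule["dport"]:
        return False
    # 'established' only matches TCP segments carrying ACK or RST, i.e. replies
    # within a connection the other side opened; a bare SYN never matches it.
    if rule["established"] and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; a packet no entry matches hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule["action"], rule["text"]
    return "deny", "implicit deny any (end of ACL)"


# Assumed wording for the stated objective: ACL 100 filters traffic going from
# 192.168.4.0/24 toward 192.168.1.0/24, ACL 110 filters the return direction.
ACL_100 = [parse_rule(
    "access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www")]
ACL_110 = [parse_rule(
    "access-list 110 permit tcp host 192.168.1.204 eq www 192.168.4.0 0.0.0.255 established")]

# Constructed sample packets; 192.168.4.10 and 192.168.1.10 are made-up hosts.
CASES = {
    "http syn to .204": (ACL_100, packet("192.168.4.10", "192.168.1.204", sport=51000, dport=80, flags={"SYN"})),
    "rdp syn to .204": (ACL_100, packet("192.168.4.10", "192.168.1.204", sport=51001, dport=3389, flags={"SYN"})),
    "http syn to .10": (ACL_100, packet("192.168.4.10", "192.168.1.10", sport=51002, dport=80, flags={"SYN"})),
    "http reply from .204": (ACL_110, packet("192.168.1.204", "192.168.4.10", sport=80, dport=51000, flags={"SYN", "ACK"})),
    "bare syn from .204": (ACL_110, packet("192.168.1.204", "192.168.4.10", sport=80, dport=51000, flags={"SYN"})),
    "ping from .204": (ACL_110, packet("192.168.1.204", "192.168.4.10", proto="icmp")),
}


def run_cases():
    """Return {case name: permit|deny} for every constructed case."""
    return {name: evaluate(acl, pkt)[0] for name, (acl, pkt) in CASES.items()}


if __name__ == "__main__":
    for name, (acl, pkt) in CASES.items():
        action, why = evaluate(acl, pkt)
        print(f"{name:22} -> {action:6} ({why})")
```

The last two cases show the property behind "no traffic could pass through": a single-entry list permits exactly the segments that entry matches (here, ACK/RST-bearing TCP from the web server back to the /24), and every other packet that reaches the interface in that direction, including ICMP and any TCP the server itself initiates, falls through to the implicit deny. Whether such a list belongs on fa0/1 inbound or elsewhere depends on which side of the router each subnet sits, which is the placement point the reply above defers to the other forum.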