Access-list doubt

Hi,

I wanted some of the public IP addresses to be restricted (not allowed Internet access), as some of them are using the public IP address without any information. I tried the following access-list in my Cisco 1700 series router; the moment I issue the command I am not able to access the Internet (even with the IP address mentioned to permit the Internet traffic). Any suggestion would be appreciated.

Note: in this access-list I specified only the IP addresses which can access the Internet, because these IP addresses are our webserver/ftp/mail etc. The rest of the IP addresses which are not mentioned will be denied by default (if I am not wrong).

interface serial 0
 description ***Internet***
 ip address 9.9.9.1 255.255.255.252

interface fastethernet 0
 description ***LAN***
 ip address 1.1.1.1 255.255.255.192
 ip access-group 101 in
 ip access-group 102 out

access-list 101 permit ip host 1.1.1.1 any
access-list 101 permit ip host 1.1.1.2 any
access-list 101 permit ip host 1.1.1.3 any

access-list 102 permit ip any host 1.1.1.1
access-list 102 permit ip any host 1.1.1.2
access-list 102 permit ip any host 1.1.1.3

5 REPLIES

Re: Access-list doubt

Can you try to apply only ACL 101 inbound on your FastEthernet0 interface and remove ACL 102 from Fa0? ACL 101 will permit only hosts 1.1.1.1, .2 and .3 to go outside, which should serve your purpose, I guess.

I don't think that there will be any need of ACL 102.

Please try this out and let me know if it helps ... rate if it does ...

Re: Access-list doubt

Hi Sourab,

Thanks for your reply. My question again is: I tried applying ACL 101 inbound, but the connection gets lost. But when I apply ACL 101 outbound it works; however, if someone from the Internet does an FTP to my public FTP server, it says connected but will not ask for username & password, and the connection gets closed. If I remove the ACL it prompts for username & password. Any help?

Re: Access-list doubt

Hi Anand

Can you please clarify which direction you want to restrict.

Do you want that some of your LAN users can't get access to the Internet, or that from the Internet your FTP servers etc. (which are on your LAN, I think) can't be accessed?

Re: Access-list doubt

I have got webserver/ftp/mailserver & Internet Gateway servers residing in my office with public IP addresses. I wanted to allow only these IP addresses in both the in/out directions (the reason being that only if I permit in/out can I do FTP, and others from the Internet can also do FTP to my servers); the rest of the IP addresses should be restricted both in/out. To say it simply: whatever IP addresses I list in the access-list should be the only ones permitted & the rest should be restricted both ways (in/out), or whatever IP addresses I mention in the access-list should be denied both in/out & the rest of the IP addresses should be permitted both ways (in/out).

Re: Access-list doubt

Keep your LAN access-list as it is.

Apply the following:

int serial 0
 ip access-group 102 in

access-list 102 permit ip any 1.1.1.1 0.0.0.3

I think it will work now.

thanks,
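To make the two filtering points in this thread concrete (the original post's source-based ACL 101 on the LAN interface, and the last reply's single wildcard entry for ACL 102 on serial 0), here is a small evaluator for Cisco-style extended IP ACLs. It is an added example written for this page, not code from the thread or from Cisco IOS, and it models only what the thread uses: `host`, `any`, wildcard masks, first-match evaluation and the implicit deny at the end of every ACL. The 1.1.1.x addresses are the thread's own placeholder values; the Internet-side addresses and the `THREAD_CONFIG` list are constructed here. Router-originated traffic, NAT and connection state are outside the model.

```python
"""Toy evaluator for Cisco-style extended IP ACLs (added example, not IOS code)."""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_addr(tokens):
    """Parse one address spec; return (network_int, wildcard_int, tokens_consumed).

    A wildcard bit of 1 means "don't care", which is why 0.0.0.3 spans four addresses.
    """
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, 2
    return _ip(tokens[0]), _ip(tokens[1]), 2


def parse_ace(line):
    """Parse 'access-list N permit|deny ip <src> <dst>' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src_net, src_wc, used = parse_addr(tokens[4:])
    dst_net, dst_wc, _ = parse_addr(tokens[4 + used:])
    return {"acl": tokens[1], "action": tokens[2],
            "src": (src_net, src_wc), "dst": (dst_net, dst_wc)}


def matches(addr, spec):
    """True when addr agrees with the network on every bit the wildcard does not mask."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)


def evaluate(aces, src, dst):
    """First matching entry wins; an ACL with no match denies (IOS implicit deny)."""
    for ace in aces:
        if matches(src, ace["src"]) and matches(dst, ace["dst"]):
            return ace["action"]
    return "deny"


def load_acl(config_lines, number):
    return [parse_ace(l) for l in config_lines if l.startswith(f"access-list {number} ")]


# Constructed from the thread: ACL 101 as posted, ACL 102 as the last reply rewrote it.
THREAD_CONFIG = [
    "access-list 101 permit ip host 1.1.1.1 any",
    "access-list 101 permit ip host 1.1.1.2 any",
    "access-list 101 permit ip host 1.1.1.3 any",
    "access-list 102 permit ip any 1.1.1.1 0.0.0.3",
]


def lan_to_internet(src):
    """ACL 101 inbound on the LAN interface: filters on the LAN host's source address."""
    return evaluate(load_acl(THREAD_CONFIG, 101), src, "198.51.100.7")  # constructed remote


def internet_to_lan(dst):
    """ACL 102 inbound on serial 0: filters on which LAN address the Internet may reach."""
    return evaluate(load_acl(THREAD_CONFIG, 102), "203.0.113.10", dst)  # constructed remote


def wildcard_range(network, wildcard):
    """Every address covered by 'network wildcard' (enumerates don't-care bits; small masks only)."""
    net, wc = _ip(network), _ip(wildcard)
    base = net & ~wc & 0xFFFFFFFF
    return [str(ipaddress.IPv4Address(base | i)) for i in range(wc + 1) if (i & ~wc) == 0]


if __name__ == "__main__":
    for host in ("1.1.1.2", "1.1.1.10"):
        print(f"LAN {host} -> Internet: {lan_to_internet(host)}")
    print("ACL 102 wildcard covers:", wildcard_range("1.1.1.1", "0.0.0.3"))
    for host in ("1.1.1.0", "1.1.1.3", "1.1.1.4"):
        print(f"Internet -> {host}: {internet_to_lan(host)}")
```

Two things the output makes visible that the thread only states in passing: every LAN address not listed in ACL 101 falls through to the implicit deny, and `1.1.1.1 0.0.0.3` is a range, not a single host, so it admits 1.1.1.0 through 1.1.1.3 (the network address included) while 1.1.1.4 and above are dropped.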
