access list question

fran19422
Level 1

Hello, would this sequence of access list commands:

access-group 1 permit tcp any host 10.0.0.2 eq 80

access-group 1 deny ip any host 10.0.0.2

access-list 1 permit ip any any

achieve the following:

Allow http access from any host to 10.0.0.2 (external web server)

Deny all other access to 10.0.0.2 (external web server)

Allow all other access to the internal network ?

Thank you for any help.

1 Accepted Solution


John Blakley
VIP Alumni

Yes it would

Line 1 allows web access to 10.0.0.2

Line 2 denies all other traffic to 10.0.0.2

Line 3 permits everything else

HTH,

John


2 Replies

John Blakley
VIP Alumni

Um...it's late and I need to make a couple of corrections for you.

In order for the first line to permit a port, you need an extended access list, so your number needs to be between 100 - 199 or a named ACL. The access-group command actually applies the access-list to the interface, so the original answer that I gave you was incorrect. Use the following to truly do what you're wanting to do. (You have to use extended ACLs to specify the protocol.)

access-list 100 permit tcp any host 10.0.0.2 eq 80

access-list 100 deny ip any host 10.0.0.2

access-list 100 permit ip any any

To apply it:

int fa0/1

ip access-group 100 in

HTH,

John
