08-30-2012 06:36 PM - edited 03-07-2019 08:37 AM
Hello, would this sequence of access list commands:
access-group 1 permit tcp any host 10.0.0.2 eq 80
access-group 1 deny ip any host 10.0.0.2
access-list 1 permit ip any any
achieve the following:
Allow http access from any host to 10.0.0.2 (external web server)
Deny all other access to 10.0.0.2 (external web server)
Allow all other access to the internal network?
Thank you for any help.
08-30-2012 07:39 PM
Yes it would
Line 1 allows web access to 10.0.0.2
Line 2 denies all other traffic to 10.0.0.2
Line 3 permits everything else
HTH,
John
08-30-2012 08:25 PM
Um...it's late and I need to make a couple of corrections for you.
In order for the first line to permit a port, you need an extended access list, so your number needs to be between 100 - 199 or a named ACL. The access-group command actually applies the access-list to the interface, so the original answer that I gave you was incorrect. Use the following to truly do what you're wanting to do. (You have to use extended ACLs to specify the protocol.)
access-list 100 permit tcp any host 10.0.0.2 eq 80
access-list 100 deny ip any host 10.0.0.2
access-list 100 permit ip any any
To apply it:
int fa0/1
ip access-group 100 in
HTH,
John
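Added example, not part of the original posts: a small Python model of how the corrected ACL 100 is evaluated top-down with first match wins, so the effect of entry order and the implicit deny can be checked. The function names `parse_acl` and `evaluate`, the source address 198.51.100.7 and the second destination 10.0.0.9 are assumptions made for illustration.

```python
# Added example: first-match evaluation of the extended ACL from the thread.
# Handles only the forms used there: "any", "host <ip>", optional "eq <port>".
ACL_100 = """\
access-list 100 permit tcp any host 10.0.0.2 eq 80
access-list 100 deny ip any host 10.0.0.2
access-list 100 permit ip any any
"""

def _take_addr(tokens):
    """Consume 'any' or 'host <ip>'; return the IP to match, or None for any."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {word}")

def parse_acl(text):
    """Parse extended numbered entries (100-199, the range named in the thread)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] != "access-list" or not 100 <= int(tokens[1]) <= 199:
            raise ValueError(f"not an extended numbered ACL entry: {line}")
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, entry_number) for the first entry that matches."""
    for n, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules, 1):
        if (r_proto in ("ip", proto)
                and r_src in (None, src)
                and r_dst in (None, dst)
                and r_port in (None, dport)):
            return action, n
    return "deny", None  # implicit deny that ends every IOS ACL

if __name__ == "__main__":
    rules = parse_acl(ACL_100)
    # Constructed sample packets; 198.51.100.7 is a documentation address.
    for pkt in [("tcp", "198.51.100.7", "10.0.0.2", 80),
                ("tcp", "198.51.100.7", "10.0.0.2", 22),
                ("icmp", "198.51.100.7", "10.0.0.2"),
                ("tcp", "198.51.100.7", "10.0.0.9", 22)]:
        print(pkt, "->", evaluate(rules, *pkt))
```

Swapping the first two entries makes the deny match HTTP to 10.0.0.2 first, and dropping the last entry sends all other traffic to the implicit deny.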