Access List to restrict HTTP, HTTPS and DNS access on LAN

osmansmalik
Level 5

I need to restrict the LAN to only access HTTP, HTTPS and DNS. All other access to the internet should be denied. I need help creating access lists to restrict access. Int fas0 is the LAN and int fas4 is the WAN. Any help will be appreciated.

Thanks,

Osman

3 Replies

ghostswitch
Level 1

en

config t

access-list 100 permit tcp any any eq 80

access-list 100 permit tcp any any eq 443

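access-list 100 permit tcp any any eq 53

! DNS queries normally use UDP 53; TCP 53 carries large responses and zone transfers

access-list 100 permit udp any any eq 53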

int fas4

ip access-group 100 out

*This will allow users on the LAN to access HTTP (80), HTTPS (443), and DNS (53). All other traffic out the WAN interface will be implicitly denied.

I think this access list should be applied at the fas0 interface, because if he applies this on the WAN interface it will block the access of these ports for all the LAN interfaces, i.e. the whole VLAN 10. He just wants to block these port accesses at the LAN connected to fas0.

This is what I understood after reading his post.

--gaurav

Yes Gaurav. Actually I want everything allowed to the tunnel interface and to restrict internet access to HTTP, HTTPS and DNS.

All LAN traffic will be on VLAN 10.

Not sure where to apply those acls and what direction it should be.

Fas0 - LAN interface

Fas4 - WAN interface to internet.

Thanks,

Osman
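
A worked configuration for the requirement described in this thread, added as an example and not posted by any participant. It filters inbound on the LAN's routed interface so that tunnel-bound traffic is matched before encapsulation and internet-bound traffic is limited to HTTP, HTTPS and DNS. Assumptions: the routed LAN interface is Vlan10, the remote tunnel network is 192.0.2.0/24 (a placeholder), the router is the LAN's DHCP server, and the ACL name LAN-EGRESS is made up.

```cisco
! Added example: named extended ACL, evaluated top-down, first match wins
ip access-list extended LAN-EGRESS
 remark Placeholder remote tunnel subnet, replace with the real one
 permit ip any 192.0.2.0 0.0.0.255
 remark DHCP from LAN clients to the router (assumes router is DHCP server)
 permit udp any eq bootpc any eq bootps
 remark DNS needs UDP 53 for normal queries and TCP 53 for large responses
 permit udp any any eq domain
 permit tcp any any eq domain
 remark Web access
 permit tcp any any eq www
 permit tcp any any eq 443
 remark Explicit deny so dropped flows are logged and counted
 deny ip any any log
!
! Apply inbound on the LAN side (assumed Vlan10, the routed interface for Fa0)
interface Vlan10
 ip access-group LAN-EGRESS in
!
! Verify hit counters after generating test traffic from a LAN host:
! show ip access-lists LAN-EGRESS
```

An inbound ACL on the LAN interface also filters traffic addressed to the router itself, so LAN-side management access (SSH, ping to the gateway) needs its own permit entries above the final deny.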
