New Member

access list

I could just test this in the lab, but I want to run it by you guys... I created an extended ACL with a deny as the first line and permits thereafter. Will that work?

ip access-list extended test
 deny tcp host 10.75.50.50 any eq www
 permit icmp any any echo
 permit icmp any any echo-reply
 permit ip any any

thanks in advance


7 REPLIES

Re: access list

It will block all TCP 80 traffic sourcing from host 10.75.50.50, but all other traffic will be allowed. Also you don't need the icmp permits, the ip any any covers icmp too (unless you're doing it for hit counts).

Hope that helps.

New Member

Re: access list

Sweet... just what I thought... thanks.

Re: access list

Yes this will work. This will block 10.75.50.50 from using web access.

Mark

Gold

Re: access list

Yes, you can put a deny first.

In your case it will deny 10.75.50.50 access to port 80 on any server.

However, I do not think you need the ICMP lines, unless you want logging on that specific instance. The IP any any covers that too.

If you want logging, then just add log at the end of the line.
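The points made in the replies above (a deny can come first because IOS evaluates an ACL top-down and stops at the first match, the two ICMP permits only change per-line hit counts, and anything that matches no line hits the implicit deny at the end) can be checked without a lab by simulating the matching rules. The following is an added example written for this page, not code from the thread or from Cisco: a small evaluator that parses the ACL posted in the question (with `eq www`, which IOS requires for a port match) and runs constructed sample packets through it. Only the address and port syntax that appears in the thread is parsed (`any`, `host`, wildcard masks, `eq <port>`, ICMP type names, trailing `log`); the packet names and addresses are made up for illustration.

```python
"""Simulate Cisco IOS extended-ACL evaluation: top-down, first match wins,
implicit 'deny ip any any' at the end. Added example for this thread; the ACL
is the one from the question, the sample packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """
ip access-list extended test
 deny tcp host 10.75.50.50 any eq www
 permit icmp any any echo
 permit icmp any any echo-reply
 permit ip any any
"""
# Same ACL with the two ICMP lines removed, to show they change nothing but hit counts.
ACL_WITHOUT_ICMP = "\n".join(l for l in ACL_TEXT.splitlines() if " icmp " not in l)

PORT_NAMES = {"www": 80, "domain": 53, "ssh": 22, "telnet": 23}   # subset of IOS port keywords
ICMP_TYPES = {"echo": 8, "echo-reply": 0}                          # subset of IOS ICMP type keywords


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[int] = None  # ICMP type for icmp


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[int]
    log: bool
    text: str
    hits: int = 0                    # what 'show access-lists' would report as matches


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (wildcard) after the slash; non-contiguous wildcards
    # are legal in IOS but cannot be expressed as a prefix, so they raise ValueError here.
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn the IOS text into an ordered list of ACEs; order is what the evaluator relies on."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "remark")):
            continue
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        rest, log = t[i:], False
        if rest and rest[-1] == "log":
            rest, log = rest[:-1], True
        dport = icmp_type = None
        if proto in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif proto == "icmp" and rest:
            icmp_type = ICMP_TYPES[rest[0]]
        aces.append(Ace(action, proto, src, dst, dport, icmp_type, log, line))
    return aces


def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src or ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    return True


def evaluate(aces, pkt):
    """Top-down, first matching line decides; no match means the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny"


# Constructed sample traffic (addresses are documentation ranges, not real hosts).
SAMPLE_PACKETS = {
    "web from blocked host":  Packet("tcp", "10.75.50.50", "203.0.113.10", dport=80),
    "ssh from blocked host":  Packet("tcp", "10.75.50.50", "203.0.113.10", dport=22),
    "web from other host":    Packet("tcp", "10.75.50.51", "203.0.113.10", dport=80),
    "ping from blocked host": Packet("icmp", "10.75.50.50", "203.0.113.10", icmp_type=8),
}


def run_demo():
    """Return the verdict per sample packet and the ACEs with their hit counts."""
    aces = parse_acl(ACL_TEXT)
    verdicts = {name: evaluate(aces, p) for name, p in SAMPLE_PACKETS.items()}
    return verdicts, aces


def icmp_lines_are_redundant():
    """Same verdicts with and without the two ICMP permits: only hit counts differ."""
    full, short = parse_acl(ACL_TEXT), parse_acl(ACL_WITHOUT_ICMP)
    return all(evaluate(full, p) == evaluate(short, p) for p in SAMPLE_PACKETS.values())


def implicit_deny_demo():
    """Drop the final 'permit ip any any' and even unrelated traffic is denied."""
    deny_only = parse_acl("ip access-list extended t\n deny tcp host 10.75.50.50 any eq www")
    return evaluate(deny_only, SAMPLE_PACKETS["ssh from blocked host"])


if __name__ == "__main__":
    verdicts, aces = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name:24s} -> {verdict}")
    for ace in aces:
        print(f"{ace.hits} matches: {ace.text}")
    print("ICMP lines redundant:", icmp_lines_are_redundant())
    print("without 'permit ip any any', ssh is:", implicit_deny_demo())
```

The evaluator mirrors what the thread concludes: the first line catches only the one host's port-80 traffic, everything else falls through to `permit ip any any`, and the ICMP lines exist only to split the counters you see in `show access-lists`. It does not model interface direction; which interface and direction the ACL is applied to (the `in`/`out` point raised later in the thread) decides which packets are ever evaluated against it at all.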

New Member

Re: access list

Oh yeah, what always gets me is the "in"/"out" statement on the interface...

I just tested this out, and it's the "in" statement that makes this ACL work...

Re: access list

You are correct. To make this ACL work it needs to be placed inbound because you are denying traffic coming into the router or switch. Here is a guide that will help you decide which direction to place the ACL.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#sourcedefine

Mark

New Member

Re: access list

Thanks, that always confuses me...
