Cisco Support Community

New Member

ACL issue


I have applied the following extended ACL to one of our VLANs but it does not seem to be working. I am able to access the web site and telnet successfully to the host.

ip access-list extended ExternalVlan
permit tcp host eq 510
permit tcp host eq smtp
permit tcp host eq www
permit tcp host eq pop3
permit tcp any eq www
permit tcp any eq 443
permit tcp any eq ftp
deny tcp host eq www
deny tcp host eq telnet

The host is a Cisco 3550 layer 3 switch (IOS: 12.1) that does the inter-VLAN routing. The network has a DHCP server that is functioning properly. The host is the firewall and the gateway to the Internet. What seems to be the problem with this ACL?



Re: ACL issue

This line, specifically the "any" statement, is permitting your port 80 traffic...

permit tcp any eq www

The telnet traffic is permitted because this ACL applies to traffic passing through the Switch and not to traffic terminating on the Switch.


New Member

Re: ACL issue


Thank you so much for your reply. How can I add these deny statements to the ACL list and make them work?

Would something like the following work?

Deny tcp host eq www
Permit tcp any eq www

What would be the best way to block telnet session to the Cisco switch (host from subnet

Thanks again,

Hossein Kholghi

Re: ACL issue

"Deny tcp host eq www

Permit tcp any eq www"

Correct. Put your specific denies above your general permits.

For telnet do something like this...


ip access-list standard TELNET
permit ?.?.?.? ?.?.?.? (Define what addresses can telnet to the device)

line vty 0 4
access-class TELNET in


Now be careful you don't lock yourself out when applying the access class to the vty lines. Make sure your computer is in the permit statement.
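The two points in this reply, "put your specific denies above your general permits" and "make sure your computer is in the permit statement before applying the access-class", both follow from the same rule: IOS walks an ACL top to bottom and the first matching entry decides, with an implicit deny at the end. The script below is an added example written for this thread, not code from the posts or from Cisco; it is a small first-match evaluator for the entry syntax used here (extended entries with host/any and eq, standard entries with an address and wildcard). The addresses are constructed from the RFC 5737 documentation ranges and stand in for the ones missing from the posts, and the entries are written out in full with both a source and a destination. It shows that the deny is shadowed when it sits below the general permit, and it offers a lockout check for the vty access-class list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords as IOS shows them; only the ones that appear in this thread.
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "ftp": 21}
ANY = (0, 0xFFFFFFFF)  # base 0 with an all-ones wildcard matches every address

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _is_ip(s: str) -> bool:
    return s.count(".") == 3 and all(p.isdigit() for p in s.split("."))

def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' | bare 'A' at t[i]; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    if i + 1 < len(t) and _is_ip(t[i + 1]):
        return (_ip(t[i]), _ip(t[i + 1])), i + 2
    return (_ip(t[i]), 0), i + 1  # standard ACLs accept a bare address as one host

def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' qualifier; None means any port."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        if p in PORT_NAMES:
            return PORT_NAMES[p], i + 2
        if p.isdigit():
            return int(p), i + 2
        raise ValueError(f"unknown port keyword {p!r}")
    return None, i

@dataclass
class Entry:
    action: str
    proto: str                 # "ip" for standard entries, which carry no protocol field
    src: Tuple[int, int]
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]

def parse_entry(line: str, extended: bool) -> Entry:
    t = line.split()
    action = t[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    i, proto = 1, "ip"
    if extended:
        proto, i = t[1].lower(), 2
    src, i = _parse_addr(t, i)
    sport, i = _parse_port(t, i)
    dst, dport = ANY, None
    if extended:
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
    return Entry(action, proto, src, sport, dst, dport)

def _addr_match(spec: Tuple[int, int], addr: int) -> bool:
    base, wild = spec
    return (addr ^ base) & (0xFFFFFFFF ^ wild) == 0  # wildcard bits set to 1 are "don't care"

def evaluate(acl: List[Entry], proto: str, src: str, sport: int, dst: str, dport: int):
    """Walk the list top to bottom; the first matching entry decides. No match means implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if not (_addr_match(e.src, _ip(src)) and _addr_match(e.dst, _ip(dst))):
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e
    return "deny", None

# Constructed addresses (RFC 5737 documentation ranges) standing in for the ones the posts omit.
CLIENT, WEB_HOST = "192.0.2.10", "198.51.100.5"
DENY_FIRST = [  # specific deny above the general permit, as the reply recommends
    "deny tcp host 192.0.2.10 host 198.51.100.5 eq www",
    "permit tcp any any eq www",
]
PERMIT_FIRST = list(reversed(DENY_FIRST))  # general permit first: the deny is never reached

def web_decision(lines: List[str]) -> str:
    """Decision for CLIENT browsing to WEB_HOST on port 80 under the given extended ACL."""
    acl = [parse_entry(l, True) for l in lines]
    return evaluate(acl, "tcp", CLIENT, 40000, WEB_HOST, 80)[0]

def vty_admits(standard_lines: List[str], admin_ip: str) -> bool:
    """Lockout check for an access-class list: is a telnet from admin_ip still permitted?"""
    acl = [parse_entry(l, False) for l in standard_lines]
    return evaluate(acl, "tcp", admin_ip, 40000, "0.0.0.0", 23)[0] == "permit"

if __name__ == "__main__":
    print("permit-first:", web_decision(PERMIT_FIRST))  # permit: the deny below is shadowed
    print("deny-first:  ", web_decision(DENY_FIRST))    # deny
    print("vty admits admin:", vty_admits(["permit 192.0.2.0 0.0.0.255"], "192.0.2.10"))
```

Run `vty_admits` with the standard list you intend to apply and the address you are managing the switch from; a False result before `access-class TELNET in` is committed is the lockout the reply warns about. The evaluator only models the entry forms seen in this thread and does not attempt to model where an ACL is applied (interface versus vty), which is the other half of the explanation given above.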