ACL to allow 80 only to wan

lukeprimm
Level 1

I need to configure an ACL for a new wireless network to allow a subgroup of people access to the outside world with only limited local resources.  I only want them to have port 80 traffic to the outside, not internally.  Right now I have "10 permit tcp 10.0.54.0 0.0.0.255 any eq www" which allows the users to hit port 80 traffic all over the internal network.  What would be the rule to just allow 80 to the internet?  Thanks.

Extended IP access list 140

10 permit tcp 10.0.54.0 0.0.0.255 any eq www

20 permit tcp 10.0.54.0 0.0.0.255 any eq 443

40 permit udp 10.0.54.0 0.0.0.255 any eq domain

60 permit esp 10.0.54.0 0.0.0.255 any

70 permit gre 10.0.54.0 0.0.0.255 any

80 permit udp any any eq bootps

90 permit udp any any eq bootpc

100 permit tcp 10.0.54.0 0.0.0.255 any eq 5223

110 permit tcp 10.0.54.0 0.0.0.255 any eq 465

120 permit tcp 10.0.54.0 0.0.0.255 any eq 993

Accepted Solution

Ton V Engelen
Level 3

Hi

Assuming your inside network is all 10.x.x.x, I would do something like this:

First deny port 80 to the inside network (10.0.0.0) and then allow port 80 to anything that's not in 10.0.0.0.

10 deny tcp 10.0.54.0 0.0.0.255 10.0.0.0 0.255.255.255 eq www

20 permit tcp 10.0.54.0 0.0.0.255 any eq www

good luck!
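
Added example, not part of the original posts: a small Python model of first-match ACL evaluation with Cisco wildcard masks, to check the deny-then-permit ordering described above and the effect of the destination wildcard (0.0.0.255 covers only 10.0.0.0/24; 0.255.255.255 covers all of 10.x.x.x). The host addresses are constructed, and the parser handles only the `<proto> ... eq <port>` entry shape used in this thread.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse '<seq> <action> <proto> <src> <wc> (any | <dst> <wc>) eq <port>'."""
    t = line.split()
    seq, action, proto, src, src_wc = int(t[0]), t[1], t[2], t[3], t[4]
    if t[5] == "any":
        dst, dst_wc, rest = "0.0.0.0", "255.255.255.255", t[6:]
    else:
        dst, dst_wc, rest = t[5], t[6], t[7:]
    port = int({"www": 80}.get(rest[1], rest[1]))
    return seq, action, proto, src, src_wc, dst, dst_wc, port

def evaluate(acl, src, dst, dport, proto="tcp"):
    """Return (action, seq) of the first matching entry; implicit deny otherwise."""
    for seq, action, p, s, swc, d, dwc, port in sorted(map(parse_ace, acl)):
        if (p == proto and port == dport
                and wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            return action, seq
    return "deny", None

PERMIT_WWW = "permit tcp 10.0.54.0 0.0.0.255 any eq www"
ORIGINAL = ["10 " + PERMIT_WWW]
DENY_SLASH24 = ["10 deny tcp 10.0.54.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www", "20 " + PERMIT_WWW]
DENY_SLASH8 = ["10 deny tcp 10.0.54.0 0.0.0.255 10.0.0.0 0.255.255.255 eq www", "20 " + PERMIT_WWW]

# Constructed test hosts: a wireless client, an internal server, an outside address
CLIENT, INTERNAL, INTERNET = "10.0.54.20", "10.0.12.5", "203.0.113.10"

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("deny /24", DENY_SLASH24), ("deny /8", DENY_SLASH8)]:
        for dst in (INTERNAL, INTERNET):
            print(f"{name:9} {CLIENT} -> {dst}:80  {evaluate(acl, CLIENT, dst, 80)}")
```

In list 140 as posted, sequence 10 is already the port 80 permit, so on the device the deny has to be entered with a lower sequence number to be evaluated first.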


Great, thanks Ton
