Access list complication

aadenitan (Level 1)

I am trying to permit some specific people to have access to specific sites while other users of the network get full access to all other sites. I have this configuration but it is not working:

ip access-list extended BLOCK
 permit tcp host 192.168.2.108 host 62.173.38.89 eq www
 permit tcp host 192.168.2.60 host 67.173.38.89 eq www
 permit tcp host 192.168.2.93 host 67.173.38.89 eq www
 permit tcp host 192.168.2.126 host 67.173.38.89 eq www
 permit ip any any

I applied it to the interface where the traffic is coming from, like this:

Seedvest(config-if)#ip access-group BLOCK in

Please help.

Richard Burts (Hall of Fame)

The problem is that every statement in the access list is a permit and it ends with permit any any. So there is no packet that will ever be denied. The result is that every packet passes through.

I am not certain that I fully understand what you are trying to accomplish, but I think that you have 4 specific hosts that you want to be able to access a specific destination. Am I correct in understanding that these 4 hosts should access nothing else? If so, then the solution is that after the 4 specific permits you should have deny statements for those 4 specific hosts to anything else. Then have the permit any any.

If I have not understood correctly then please clarify.

HTH

Rick




Yes, I have 4 specific hosts that I want to be able to access only a specific site. So that means I should have something like

ip access-list extended BLOCK
 permit tcp host 192.168.2.108 host 62.173.38.89 eq www
 deny tcp host 192.168.2.108 any eq www
 permit ip any any

for all others too?

Thank you very much. It worked well.
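A way to see why the original list permits everything and why the accepted answer's ordering fixes it, as an added example that is not part of the thread: a small Python simulator of IOS extended-ACL evaluation (first match wins, implicit deny at the end). It assumes a single destination 67.173.38.89 for all four hosts, uses documentation addresses 203.0.113.10 and 198.51.100.53 as "other" sites, and supports only the ACE forms seen on this page (host/any/wildcard addresses and a destination `eq` port). It runs the accepted solution's `deny ip host X any` next to the follow-up's `deny tcp host X any eq www` so the difference is visible: the port-specific deny still lets a restricted host reach other sites on 443, and the full `deny ip` also blocks that host's DNS, which has to be permitted explicitly if names must resolve.

```python
"""First-match simulation of a Cisco IOS extended ACL (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used by the ACLs on this page; anything else is numeric.
PORT_KEYWORDS = {"www": 80, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard bits are the inverse of a netmask (contiguous masks assumed).
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (destination port only)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        dport = PORT_KEYWORDS[p] if p in PORT_KEYWORDS else int(p)
    return action, proto, src, dst, dport


def evaluate(acl, pkt):
    """Return (action, matching_line). IOS semantics: the first matching entry
    decides, and a packet that matches nothing hits the implicit deny (line None)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for n, line in enumerate(acl, 1):
        action, proto, s, d, dport = parse_ace(line)
        if proto not in ("ip", pkt.proto):
            continue
        if src not in s or dst not in d:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, n
    return "deny", None


RESTRICTED = ["192.168.2.108", "192.168.2.60", "192.168.2.93", "192.168.2.126"]
SITE = "67.173.38.89"   # assumed single allowed destination

# The list as originally posted: all permits, so nothing is ever denied.
ORIGINAL = [f"permit tcp host {h} host {SITE} eq www" for h in RESTRICTED]
ORIGINAL += ["permit ip any any"]

# The accepted answer: specific permits, then deny everything else from those
# hosts, then permit any any for the rest of the network.
ACCEPTED = [f"permit tcp host {h} host {SITE} eq www" for h in RESTRICTED]
ACCEPTED += [f"deny ip host {h} any" for h in RESTRICTED]
ACCEPTED += ["permit ip any any"]

# The follow-up's variant for one host: the deny is scoped to TCP port 80 only.
PORT_ONLY = [
    f"permit tcp host 192.168.2.108 host {SITE} eq www",
    "deny tcp host 192.168.2.108 any eq www",
    "permit ip any any",
]

# Constructed sample traffic: restricted host to the site, to another site on
# 80 and 443, a DNS query, and an unrestricted host browsing elsewhere.
SAMPLES = [
    Packet("tcp", "192.168.2.108", SITE, 80),
    Packet("tcp", "192.168.2.108", "203.0.113.10", 80),
    Packet("tcp", "192.168.2.108", "203.0.113.10", 443),
    Packet("udp", "192.168.2.108", "198.51.100.53", 53),
    Packet("tcp", "192.168.2.50", "203.0.113.10", 443),
]


def compare(acls, packets=SAMPLES):
    """Evaluate every packet against every ACL; returns {name: [(action, line), ...]}."""
    return {name: [evaluate(acl, p) for p in packets] for name, acl in acls.items()}


if __name__ == "__main__":
    results = compare({"ORIGINAL": ORIGINAL, "ACCEPTED": ACCEPTED, "PORT_ONLY": PORT_ONLY})
    for name, verdicts in results.items():
        print(name)
        for p, (action, n) in zip(SAMPLES, verdicts):
            print(f"  {p.proto} {p.src} -> {p.dst}:{p.dport}  {action} (line {n})")
```

The DNS row is the check to run before deploying the accepted list on a real interface: `deny ip host X any` blocks everything the host sends, so the four hosts need an explicit permit for their resolver (and for anything else they legitimately rely on) placed before that deny.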

I am glad that my suggestion helped lead you to a solution for your question that works well for you. Thank you for using the rating system to mark the question as answered. It makes the forum more useful when people can read a question and can know that an answer was found. Your marking has contributed to that process.

HTH

Rick
