Cisco Support Community
New Member

Access list for one protocol

I have a special isolated vlan setup on a 6509 switch. I would like devices in that vlan only to be able to leave the vlan over port 8080 (access to our proxy server) for web access. I would like to eliminate all other outgoing and incoming traffic. I have done the following:

access-list 111 deny ip any any
access-list 112 permit tcp any any eq 8080
access-list 112 deny ip any any

I then applied this to the gateway of the vlan:

ip access-group 112 out
ip access-group 111 in

Is this correct? Would setting an inbound filter be a problem? As I mentioned, all I want is access to the proxy server for web browsing. Thanks in advance!

Bill

3 REPLIES
Gold

Re: Access list for one protocol

This is a little backwards; also, you need to permit return traffic from the proxy server. Try this:

! ACL 110, applied "in": packets arriving from the VLAN hosts (client -> proxy)
access-list 110 permit tcp any host [yourproxyserver] eq 8080
access-list 110 deny ip any any
! ACL 120, applied "out": packets the switch forwards toward the VLAN hosts (proxy -> client return traffic)
access-list 120 permit tcp host [yourproxyserver] eq 8080 any
access-list 120 deny ip any any

interface Vlan123
 ip access-group 110 in
 ip access-group 120 out

There are many other ways you can write that, some tighter and some looser in security terms.

Be certain your devices can find your proxy server and anything else they need without using DNS, as you are not permitting any DNS traffic here.
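The point of the reply above is direction: on an SVI such as interface Vlan123, an ACL applied "in" sees packets arriving from the VLAN hosts, and one applied "out" sees packets the switch forwards toward them, so the client's SYN and the proxy's SYN/ACK are filtered by different lists. The script below is an added example, not code from the thread or from Cisco; it parses the numbered extended-ACL syntax used in this thread, applies IOS first-match semantics with the implicit trailing deny, and checks both the original poster's ACLs and the corrected ones against a constructed proxy session and a DNS query. The addresses 10.0.0.80 (standing in for [yourproxyserver]), 10.10.10.5 and 10.0.0.53, and the port numbers, are assumptions made up for the example.

```python
"""Offline check of the ACLs in this thread (added example, not original code).

Parses 'access-list N permit|deny proto src [eq p] dst [eq p]' lines, applies
first-match semantics with IOS's implicit 'deny ip any any', and models SVI
direction: 'in' = from the VLAN hosts, 'out' = toward the VLAN hosts.
All addresses and ports are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Matcher for 'any' or 'host A.B.C.D'; returns (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        want = tokens[i + 1]
        return (lambda ip, want=want: ip == want), i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def _parse_port(tokens, i):
    """Optional 'eq <port>' after an address; returns (matcher, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        want = int(tokens[i + 1])
        return (lambda p, want=want: p == want), i + 2
    return (lambda p: True), i


def parse_acl(text):
    """Return {acl_number: [(action, match_fn), ...]} in the order written."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        num, action, proto = tokens[1], tokens[2], tokens[3]
        src_ok, i = _parse_addr(tokens, 4)
        sport_ok, i = _parse_port(tokens, i)
        dst_ok, i = _parse_addr(tokens, i)
        dport_ok, i = _parse_port(tokens, i)

        def match(pkt, proto=proto, src_ok=src_ok, sport_ok=sport_ok,
                  dst_ok=dst_ok, dport_ok=dport_ok):
            # 'ip' matches every protocol; tcp/udp entries match only their own.
            if proto != "ip" and pkt.proto != proto:
                return False
            return (src_ok(pkt.src) and sport_ok(pkt.sport)
                    and dst_ok(pkt.dst) and dport_ok(pkt.dport))

        acls.setdefault(num, []).append((action, match))
    return acls


def evaluate(entries, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, match in entries:
        if match(pkt):
            return action
    return "deny"


# Constructed addresses (assumptions, not from the thread).
PROXY = "10.0.0.80"     # stands in for [yourproxyserver]
CLIENT = "10.10.10.5"   # a host on the isolated VLAN
DNS = "10.0.0.53"       # a resolver outside the VLAN

# The original poster's ACLs, applied as 'ip access-group 111 in' / '112 out'.
ORIGINAL_POST = """
access-list 111 deny ip any any
access-list 112 permit tcp any any eq 8080
access-list 112 deny ip any any
"""

# The corrected ACLs from the reply, applied as '110 in' / '120 out'.
CORRECTED_REPLY = f"""
access-list 110 permit tcp any host {PROXY} eq 8080
access-list 110 deny ip any any
access-list 120 permit tcp host {PROXY} eq 8080 any
access-list 120 deny ip any any
"""


def session_outcome(acls, inbound, outbound):
    """Verdicts for a proxy session's SYN, its SYN/ACK reply, and a DNS query."""
    syn = Packet("tcp", CLIENT, 49152, PROXY, 8080)      # client -> proxy
    synack = Packet("tcp", PROXY, 8080, CLIENT, 49152)   # proxy -> client
    dns = Packet("udp", CLIENT, 53000, DNS, 53)          # client -> resolver
    return {
        "client_to_proxy": evaluate(acls[inbound], syn),
        "proxy_to_client": evaluate(acls[outbound], synack),
        "client_dns": evaluate(acls[inbound], dns),
    }


if __name__ == "__main__":
    print("original :", session_outcome(parse_acl(ORIGINAL_POST), "111", "112"))
    print("corrected:", session_outcome(parse_acl(CORRECTED_REPLY), "110", "120"))
```

Run as-is, the original configuration denies all three packets: ACL 111 "in" drops the client's SYN before it leaves the VLAN, and ACL 112 "out" only permits traffic whose destination port is 8080, which the proxy's reply (destination port 49152) never is. The corrected pair permits the SYN and the SYN/ACK and still denies the DNS query, which is the gap the reply warns about. The evaluator ignores wildcard masks, the established keyword, log, and the fact that the 6509 evaluates these ACLs in hardware; it only checks ordering and direction. One of the "tighter" variants the reply alludes to is to add established to the outbound entry (access-list 120 permit tcp host [yourproxyserver] eq 8080 any established), so that only segments with ACK or RST set are allowed back toward the VLAN.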

New Member

Re: Access list for one protocol

Thank you for your post. Would I need to allow DNS information to pass through? Also, what about udp and any other traffic? Thanks!

Bill

Gold

Re: Access list for one protocol (accepted solution)

If you configure PCs on that VLAN to reach the proxy server by IP address instead of by name (or statically configure the name into their "hosts" files), and need absolutely nothing else across that link except proxied traffic, no other openings should need to be created.
