Cisco Support Community
New Member

ACLs on 3550-EMI

Greetings,

I'm trying to figure out how to configure this ACL to allow access to the Internet for VLAN 20. I got it to work but I'm wondering if I can be more specific than:

permit tcp 10.0.7.0 0.0.0.255 any eq www

If there was an internal webserver, I wouldn't want them to have access and instead have a specific permit statement for that host.

Also, is it correct that I need a permit statement for the default route and for the DNS server?

-----------

interface Vlan20
 description VLAN 20 - Faculty_Staff
 ip address 10.0.8.1 255.255.255.0 secondary
 ip address 10.0.7.1 255.255.255.0
 ip access-group FACULTY_STAFF in
 ip helper-address 10.0.6.19

Int f0/48 is the connection to the PIX, which is the default gateway.

interface FastEthernet0/48
 description - to PIX
 no switchport
 ip address 10.0.4.2 255.255.255.0

---------

ip default-gateway 10.0.4.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.4.1
ip http server

---------------

! named extended ACL referenced by "ip access-group FACULTY_STAFF in" on Vlan20
ip access-list extended FACULTY_STAFF
 permit ip 10.0.7.0 0.0.0.255 host 10.0.4.1
 permit ip 10.0.7.0 0.0.0.255 host 10.0.4.2
 permit ip 10.0.7.0 0.0.0.255 host X.X.X.X
 permit tcp 10.0.7.0 0.0.0.255 any eq www

Thanks for your help, SG

3 REPLIES
Bronze

Re: ACLs on 3550-EMI

You can get specific down to the host level in an ACL, e.g. permit tcp host 10.0.7.5 any eq www. Your ACL will need to allow for outbound DNS queries, but you don't need anything else for web traffic to work -- the last statement's destination is "any", so that covers everything.

New Member

Re: ACLs on 3550-EMI

Thanks for the reply. So you're saying I'd need a permit statement for the DNS to allow for queries but not for the default route?

Also, I would like to have control over access to internal web servers. For example, I would want to allow our Student VLAN access to any website, etc., externally, but only selective access to web servers on our internal network.

With the last statement destination of any, I realize this allows for web traffic to any host...does that apply to internal web hosts as well as external web hosts?

Thanks for your help, SG

Bronze

Re: ACLs on 3550-EMI

Yes, you'll need a permit statement for DNS. ACLs and routes aren't related to each other.

The last statement does indeed apply to internal and external networks -- the access list doesn't know which networks are internal and which aren't.
