
New Member

simple ACL question

I have a PC in a lobby open to public that I wish to allow access to the internet only, but I want to be able to remote control the PC from another office if necessary. I want to allow all other PCs at this location unrestricted access to the network.

The PC is IP 192.168.31.250 255.255.255.0, on the 192.168.31.0 network segment. The switch is a 2950 and the router is a 1751.

I can't limit it at the switch; is it possible?

I've come up with the following ACL:

access-list 101 permit tcp host 172.16.31.250 any eq 443
access-list 101 permit tcp host 172.16.31.250 any eq www
access-list 101 permit tcp host 172.16.31.250 any eq domain
access-list 101 permit tcp host 172.16.31.250 any established
access-list 101 deny tcp host 172.16.31.250 any
access-list 101 deny icmp host 172.16.31.250 any
access-list 101 permit tcp any any

Applied inbound on the Ethernet port of the router.

It does not do what I hoped; what am I doing wrong?

Thanks,

Andy

3 REPLIES

Re: simple ACL question

To me this access list looks pretty wide open with TCP.

You may have an issue with domain lookups too; they usually use UDP.

Why is it that the IP addresses do not match up? 192.168.31.250 does not match 172.16.31.250. Are you doing some NAT somewhere?

Why don't you add log to the end of each line and see where the list is going wrong?

Make sure you have logging enabled on the router.

As for remote access you will need to verify what ports your remote access application uses and I would apply it to the WAN interface of the router.

Mike

VIP Purple

Re: simple ACL question

Hello Andy,

your access list actually looks ok, what exactly is not working ?

Assuming that your specific host has IP address 192.168.31.250, and your network is 192.168.31.0/24, the access list should look like this:

access-list 101 permit tcp host 192.168.31.250 any eq www
access-list 101 permit tcp host 192.168.31.250 any eq 443
access-list 101 permit tcp host 192.168.31.250 any eq domain

--> these 3 lines allow your host to access and browse the Internet

access-list 101 permit tcp host 192.168.31.250 any established

--> this line allows any host to access your 192.168.31.250 machine only if the connection has been established from the outside (that is, 192.168.31.250 cannot talk to the other hosts unless the other hosts talk to 192.168.31.250 first)

access-list 101 deny ip any any log

--> as suggested in the other post, this statement is useful to find out where the access list might not be working correctly.

Apply the access list inbound on the switchport of the 2950 where 192.168.31.250 is connected.

HTH,

GP
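As an added illustration (not from this thread or from Cisco), here is a small Python model of IOS extended-ACL evaluation: first matching entry wins, an unmatched packet hits the implicit deny, and `established` matches only TCP segments with ACK or RST set. Run against the original post's ACL (with the 172.16 typo corrected, as Andy confirmed), it shows why UDP DNS from every host is dropped while the lobby PC's replies to an externally started remote-control session pass; the other-PC address and the remote-control port are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dport: int = 0
    ack_or_rst: bool = False    # True for TCP segments carrying ACK or RST


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or a single host address
    dport: Optional[int] = None # "eq <port>"; None means any port
    established: bool = False   # "established": only ACK/RST segments match

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not p.ack_or_rst:
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; no match falls to the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


PC = "192.168.31.250"
# Andy's ACL as posted, with the address typo corrected (all destinations are "any").
ORIGINAL = [
    Entry("permit", "tcp", PC, dport=443),
    Entry("permit", "tcp", PC, dport=80),        # eq www
    Entry("permit", "tcp", PC, dport=53),        # eq domain, TCP only
    Entry("permit", "tcp", PC, established=True),
    Entry("deny", "tcp", PC),
    Entry("deny", "icmp", PC),
    Entry("permit", "tcp", "any"),               # nothing here permits UDP or ICMP
]

if __name__ == "__main__":
    other = "192.168.31.10"                      # constructed: another LAN PC
    print(evaluate(ORIGINAL, Packet("udp", other, 53)))                    # deny (implicit deny)
    print(evaluate(ORIGINAL, Packet("tcp", PC, 80)))                       # permit
    print(evaluate(ORIGINAL, Packet("tcp", PC, 50000, ack_or_rst=True)))   # permit (established)
```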

New Member

Re: simple ACL question

Yes, I made a mistake in my post; all addresses are 192.168.x.x.

I will get a log and post it.

Thanks
