Cisco Support Community
Community Member

Extended ACL Issue

I have a question. I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in one exercise I am doing.

I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud"). PC1 is connected to R1, which is obviously connected to R2.

ip access-list extended ACL_TCP

deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established

permit tcp any any established

Is there a better way to do this? Does this extended ACL work for my purpose?

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: Extended ACL Issue

Say R2's address is 192.168.1.2, and you want to only allow that address. You would create the acl on R1 and R3, and they would look like:

R1: 192.168.1.1

R3: 192.168.1.3

access-list 23 permit host 192.168.1.2

you can apply this to your line on R1 and R3:

line vty 0 4

access-class 23 in

HTH,

John

HTH, John *** Please rate all useful posts ***

Re: Extended ACL Issue

If fa0/0 is your internet-facing side, then yes it would. Your fa0/1 would be lan-facing. Wherever you put the public ip address that the provider gives you is where you'd put the acl, and it would go in the inbound direction.

access-class can use either standard or extended acls.

ip access-list ext TELNET

permit ip host 192.168.1.2 any eq 23

line vty 0 4

access-class TELNET in

That should work =)

HTH,

John

HTH, John *** Please rate all useful posts ***
7 REPLIES

Re: Extended ACL Issue

What direction did you apply this? I'm assuming in the inbound direction?

Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.

Try the following:

ip access-list ext ACL_TCP

deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http

deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp

deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet

Apply to your loopback:

ip access-group ACL_TCP in

Next question:

Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: Extended ACL Issue

Thank you for the help! I figured it would be easier just to do the three statements than what I was trying to do.

It's applied to the inbound interface, correct. I figured that was the correct way to stop those three from getting to PC1.

In this exercise, there is an internet cloud not connected to any physical interface but just the loopback. The two physical interfaces are connected to R1 and R3.

Another question I have is still pertaining to ACLs. It says "Allow telnet to R1 and R3 from R2 only." I am kind of confused on this one.

Re: Extended ACL Issue

Say R2's address is 192.168.1.2, and you want to only allow that address. You would create the acl on R1 and R3, and they would look like:

R1: 192.168.1.1

R3: 192.168.1.3

access-list 23 permit host 192.168.1.2

you can apply this to your line on R1 and R3:

line vty 0 4

access-class 23 in

HTH,

John

Community Member

Re: Extended ACL Issue

OK, that makes sense. I was confused because of how it was worded. The telnet one would be a standard ACL?

On the previous question I had about the extended ACL: apparently that loopback will be on f0/0. So I would apply that extended ACL on that interface, inbound, correct?

Re: Extended ACL Issue

If fa0/0 is your internet-facing side, then yes it would. Your fa0/1 would be lan-facing. Wherever you put the public ip address that the provider gives you is where you'd put the acl, and it would go in the inbound direction.

access-class can use either standard or extended acls.

ip access-list ext TELNET

permit ip host 192.168.1.2 any eq 23

line vty 0 4

access-class TELNET in

That should work =)

HTH,

John

Community Member

Re: Extended ACL Issue

Thank you very much for your input! If I have any more issues with ACLs, I will post more in this thread.

You helped me clear up a lot of stuff.

Re: Extended ACL Issue

Always glad to hear it helped :)

I realized I made a typo:

I put ip on the acl, but it should be tcp if you're going to use the port on the end of the acl. Otherwise, it would just be:

permit ip host 192.168.1.2 any

:)

Thanks for the ratings!!

John

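The following is an added example, not code from the thread or from Cisco: a small Python evaluator for the ACL entries posted above (the original two-line ACL with `established`, the three-deny ACL, the standard ACL 23 used with `access-class`, and the `ip ... eq 23` line corrected at the end). It models IOS first-match semantics, wildcard masks, `eq` port qualifiers, `established` (matches only TCP segments with ACK or RST set) and the implicit deny that closes every ACL. PC1 at 10.0.0.5 and the internet-side host 209.165.200.161 are assumed for the constructed packets; the router addresses follow the thread (R1 192.168.1.1, R2 192.168.1.2, R3 192.168.1.3).

```python
"""IOS-style ACL evaluator: first match wins, wildcard masks, 'eq' ports,
'established' and the implicit deny. Constructed for illustration only; it is
not Cisco code and covers just the syntax used in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"http": 80, "www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "ssh": 22}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass
class Entry:
    action: str
    proto: str                      # "ip" matches every protocol
    src: tuple                      # (base as int, wildcard as int)
    dst: tuple
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


def _spec(addr: str, wildcard: str) -> tuple:
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def _take_addr(tok: list) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (standard-ACL shorthand)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return _spec(tok[1], "0.0.0.0"), tok[2:]
    if len(tok) == 1:
        return _spec(tok[0], "0.0.0.0"), []
    return _spec(tok[0], tok[1]), tok[2:]


def _take_port(tok: list, proto: str) -> tuple:
    """Consume an optional 'eq PORT'. Only tcp/udp carry ports, which is why
    IOS rejects 'permit ip ... eq 23' (the typo corrected in the last reply)."""
    if tok and tok[0] == "eq":
        if proto not in ("tcp", "udp"):
            raise ValueError(f"'eq' is not valid after protocol {proto!r}")
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok


def parse_extended(line: str) -> Entry:
    """One named extended ACL entry: ACTION PROTO SRC [eq P] DST [eq P] [established]."""
    tok = line.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _take_addr(tok)
    sport, tok = _take_port(tok, proto)
    dst, tok = _take_addr(tok)
    dport, tok = _take_port(tok, proto)
    return Entry(action, proto, src, dst, sport, dport, "established" in tok)


def parse_standard(line: str) -> Entry:
    """'access-list N permit|deny SOURCE': a standard ACL matches on source only."""
    tok = line.split()
    if tok[0] != "access-list" or not 1 <= int(tok[1]) <= 99:
        raise ValueError("not a standard numbered ACL")
    return Entry(tok[2], "ip", _take_addr(tok[3:])[0], ANY)


def _addr_ok(ip: str, spec: tuple) -> bool:
    base, wild = spec               # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_ok(p.src, e.src) and _addr_ok(p.dst, e.dst)):
        return False
    if (e.sport is not None and p.sport != e.sport) or (e.dport is not None and p.dport != e.dport):
        return False
    # 'established' matches only TCP with ACK or RST set, i.e. traffic of a
    # connection opened from the other side; a bare SYN never matches it.
    return not e.established or (p.proto == "tcp" and bool(p.flags & {"ACK", "RST"}))


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry decides; with no match the implicit deny applies."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny (implicit)"


# Constructed scenarios (assumed addresses): 209.165.200.161 is an internet host,
# 10.0.0.5 is PC1, 192.168.1.1/.2/.3 are R1/R2/R3 as in the thread.
OP_ACL = [parse_extended(ln) for ln in (
    "deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established",
    "permit tcp any any established")]
THREE_DENY = [parse_extended(ln) for ln in (
    "deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http",
    "deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp",
    "deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet")]
THREE_DENY_PERMIT_REST = THREE_DENY + [parse_extended("permit ip any any")]
VTY_ACL_23 = [parse_standard("access-list 23 permit host 192.168.1.2")]

NEW_HTTP = Packet("tcp", "209.165.200.161", "10.0.0.5", 40000, 80, frozenset({"SYN"}))
NEW_HTTPS = Packet("tcp", "209.165.200.161", "10.0.0.5", 40001, 443, frozenset({"SYN"}))
REPLY_TO_PC1 = Packet("tcp", "209.165.200.161", "10.0.0.5", 80, 40002, frozenset({"ACK"}))
TELNET_FROM_R2 = Packet("tcp", "192.168.1.2", "192.168.1.1", 50000, 23, frozenset({"SYN"}))
TELNET_FROM_R3 = Packet("tcp", "192.168.1.3", "192.168.1.1", 50001, 23, frozenset({"SYN"}))

if __name__ == "__main__":
    for name, acl, pkt in [("OP_ACL", OP_ACL, NEW_HTTP), ("OP_ACL", OP_ACL, REPLY_TO_PC1),
                           ("THREE_DENY", THREE_DENY, NEW_HTTPS),
                           ("THREE_DENY_PERMIT_REST", THREE_DENY_PERMIT_REST, NEW_HTTPS),
                           ("VTY_ACL_23", VTY_ACL_23, TELNET_FROM_R3)]:
        print(f"{name:22} {pkt.src} -> {pkt.dst}:{pkt.dport}: {evaluate(acl, pkt)}")
```

Running it makes two points the thread only touches on. First, the original `established`-only ACL never matches a new inbound SYN, so an incoming HTTP request is dropped by the implicit deny rather than by the explicit entry, while a reply from the 209.165.200.160/27 block to PC1 (ACK set) is what the first line actually denies. Second, the three-deny ACL has no permit, so applied inbound it blocks every other inbound packet too; the usual fix is a trailing `permit ip any any` (or a narrower permit), which `THREE_DENY_PERMIT_REST` shows letting an HTTPS SYN through while HTTP, FTP and Telnet stay blocked. The vty ACL only needs the source address, so a standard ACL is enough, and the parser rejects `permit ip host 192.168.1.2 any eq 23` for the reason given in the last reply: `eq` is only valid with tcp or udp.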