New Member

simple ACL question

I have a PC in a lobby open to public that I wish to allow access to the internet only, but I want to be able to remote control the PC from another office if necessary. I want to allow all other PCs at this location unrestricted access to the network.

The PC is IP 192.168.31.250 255.255.255.0, on the 192.168.31.0 network segment. The switch is a 2950 and the router is a 1751.

I can’t limit it at the switch; is it possible?

I’ve come up with the following ACL:

access-list 101 permit tcp host 172.16.31.250 any eq 443
access-list 101 permit tcp host 172.16.31.250 any eq www
access-list 101 permit tcp host 172.16.31.250 any eq domain
access-list 101 permit tcp host 172.16.31.250 any established
access-list 101 deny tcp host 172.16.31.250 any
access-list 101 deny icmp host 172.16.31.250 any
access-list 101 permit tcp any any

Applied inbound on the Ethernet port of the router.

It does not do what I hoped; what am I doing wrong?

Thanks,

Andy

2 REPLIES
Gold

Re: simple ACL question

For DNS, it's UDP 53, not TCP 53.

New Member

Re: simple ACL question

If you want to allow access to the Internet only, it might be easier to use an ACL like this:

access-list 101 deny ip host 172.16.31.250 10.0.0.0 0.255.255.255
access-list 101 deny ip host 172.16.31.250 172.16.0.0 0.15.255.255
access-list 101 deny ip host 172.16.31.250 192.168.0.0 0.0.255.255
access-list 101 permit ip any any

The idea is to deny access to the networks you're using but allow anything else.
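To see how the ACL above behaves before putting it on a router, here is an added Python simulation (not part of the thread or Cisco IOS) that parses those four lines as written and evaluates sample source/destination pairs with IOS wildcard-mask and first-match semantics, including the implicit deny at the end. The sample addresses other than the ones in the thread (203.0.113.10, 192.168.31.1, 192.168.31.20) are constructed.

```python
import ipaddress

# Added example, not from the thread: parse the reply's ACL lines as written
# and evaluate packets the way IOS does (wildcard masks, first match wins).
ACL_TEXT = """
access-list 101 deny ip host 172.16.31.250 10.0.0.0 0.255.255.255
access-list 101 deny ip host 172.16.31.250 172.16.0.0 0.15.255.255
access-list 101 deny ip host 172.16.31.250 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
"""

def _addr(tokens):
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'.
    Returns ((base, wildcard), remaining_tokens)."""
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Return a list of (action, (src, src_wc), (dst, dst_wc)) entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[3] != "ip":
            raise ValueError("only 'access-list N permit|deny ip ...' handled: " + line)
        src, rest = _addr(t[4:])
        dst, _ = _addr(rest)
        entries.append((t[2], src, dst))
    return entries

def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 0 bit in the mask means that bit must equal the base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny (index -1)."""
    for i, (action, (s, sw), (d, dw)) in enumerate(entries):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, i
    return "deny", -1

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for src, dst in [("172.16.31.250", "203.0.113.10"),   # lobby PC to the Internet
                     ("172.16.31.250", "192.168.31.1"),   # lobby PC to a local segment
                     ("192.168.31.20", "192.168.31.1")]:  # any other PC, unrestricted
        print(src, "->", dst, evaluate(acl, src, dst))
```

The simulation only covers packets in the direction the ACL is applied (inbound from the LAN), which is the direction that matters for the lobby PC's own traffic.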
