simple ACL question

averheaghe
Level 1

I have a PC in a lobby open to public that I wish to allow access to the internet only, but I want to be able to remote control the PC from another office if necessary. I want to allow all other PCs at this location unrestricted access to the network.

The PC is IP 192.168.31.250 255.255.255.0, on the 192.168.31.0 network segment. The switch is a 2950 and the router is a 1751.

I can’t limit it at the switch; is it possible?

I’ve come up with the following ACL:

access-list 101 permit tcp host 172.16.31.250 any eq 443
access-list 101 permit tcp host 172.16.31.250 any eq www
access-list 101 permit tcp host 172.16.31.250 any eq domain
access-list 101 permit tcp host 172.16.31.250 any established
access-list 101 deny tcp host 172.16.31.250 any
access-list 101 deny icmp host 172.16.31.250 any
access-list 101 permit tcp any any

Applied in on the Ethernet port of the router.

It does not do what I hoped; what am I doing wrong?

Thanks,

Andy

2 Replies

jackko
Level 7

For DNS, it's UDP 53, not TCP 53.

jeortiz
Level 1

If you want to allow access to the Internet only, it might be easier to use an ACL like this:

access-list 101 deny ip host 172.16.31.250 10.0.0.0 0.255.255.255
access-list 101 deny ip host 172.16.31.250 172.16.0.0 0.15.255.255
access-list 101 deny ip host 172.16.31.250 192.168.0.0 0.0.255.255
access-list 101 permit ip any any

The idea is to deny access to the networks you're using but allow anything else.
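The following is an added example, not code from this thread or from Cisco: a small Python model of IOS first-match ACL evaluation (wildcard masks, the established keyword, and the implicit deny at the end of every list) loaded with both ACLs posted above, so that the two replies' points can be checked against a given packet. It understands only the syntax used in this thread; the port names it knows are www and domain.

```python
import ipaddress

def _ip(s):  # dotted quad -> int
    return int(ipaddress.IPv4Address(s))

def _addr(t):  # consume one IOS address spec: any | host A | A WILDCARD
    tok = t.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    return (_ip(t.pop(0)), 0) if tok == "host" else (_ip(tok), _ip(t.pop(0)))

def parse_acl(text):  # access-list N permit|deny PROTO SRC DST [eq PORT | established]
    rules = []
    for t in (ln.split() for ln in text.splitlines() if ln.startswith("access-list")):
        r = {"action": t[2], "proto": t[3], "port": None, "established": False}
        rest = t[4:]
        r["src"], r["dst"] = _addr(rest), _addr(rest)
        if rest[:1] == ["eq"]:
            r["port"] = int({"www": 80, "domain": 53}.get(rest[1], rest[1]))
        elif rest[:1] == ["established"]:
            r["established"] = True
        rules.append(r)
    return rules

def _hits(addr, spec):  # wildcard-mask match: set wildcard bits are "don't care"
    return (_ip(addr) | spec[1]) == (spec[0] | spec[1])

def evaluate(rules, proto, src, dst, dport=None, ack=False):
    # First match wins; every IOS ACL ends with an implicit "deny ip any any".
    for r in rules:
        if (r["proto"] in ("ip", proto)
                and _hits(src, r["src"]) and _hits(dst, r["dst"])
                and (r["port"] is None or r["port"] == dport)
                and (not r["established"] or ack)):  # established: ACK/RST set
            return r["action"]
    return "deny"

# Andy's ACL from the question above.
ANDY = parse_acl("""access-list 101 permit tcp host 172.16.31.250 any eq 443
access-list 101 permit tcp host 172.16.31.250 any eq www
access-list 101 permit tcp host 172.16.31.250 any eq domain
access-list 101 permit tcp host 172.16.31.250 any established
access-list 101 deny tcp host 172.16.31.250 any
access-list 101 deny icmp host 172.16.31.250 any
access-list 101 permit tcp any any""")
# jeortiz's ACL from the reply above.
JEORTIZ = parse_acl("""access-list 101 deny ip host 172.16.31.250 10.0.0.0 0.255.255.255
access-list 101 deny ip host 172.16.31.250 172.16.0.0 0.15.255.255
access-list 101 deny ip host 172.16.31.250 192.168.0.0 0.0.255.255
access-list 101 permit ip any any""")
```

With a constructed resolver address such as 198.51.100.53, evaluate(ANDY, "udp", "172.16.31.250", "198.51.100.53", 53) returns "deny" because no line in Andy's list matches UDP at all, which is jackko's point; evaluate(JEORTIZ, ...) with the same packet returns "permit", while the same host reaching 192.168.31.10 or anything in 172.16.0.0/12 returns "deny".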