Cisco Support Community

New Member

Access List Question

I'm not that schooled on access lists at the moment so I need a little help with a configuration.

I want to deny all access to a specific interface except to allow http traffic.

The interface that routes out to the internet is interface FastEthernet0/1, 65.x.x.x.

The interface that I want to deny all except http on is FA3/0, 192.x.x.x.

Can someone help me out with this?

Thanks much


Re: Access List Question

Honestly, the best approach is for you to read this tutorial on access lists because so much can be said and written.

What you have to have figured out before you write the ACL is:

1.) Which addresses/networks/hosts do you want to permit?

2.) What do you want them to have access to when you permit them? (This is the difference between a standard and extended ACL.)

3.) Whose traffic do you want to deny, and which destinations, if not all of them, do you want to deny them access to? (Again, this is the difference between a standard and extended ACL.)

[EDIT] As a footnote, you should understand that you are not permitting or denying traffic to an interface, per se. What you do with an ACL is basically post a guard -- a traffic filter -- that will permit traffic or deny it from entering or leaving the interface on its way to somewhere else. So, that is where the source address and destination address information comes into play in the above steps I gave you. [EDIT]



New Member

Re: Access List Question

Hi, you can write the following access-list:

access-list 100 permit tcp 192.x.x.x any eq 80

and apply this access-list to interface FA3/0 as follows:

int fa3/0

ip access-group 100 in

This way you permit only IPs from 192.x.x.x to any internet address on http port.



Re: Access List Question

You absolutely can.

Just know that there is an implicit "deny" at the end of the ACL. So, you are right, hosts on the Class C subnet will be allowed to go to "any" address when they arrive on the Fa3/0 interface, and all other traffic will get blocked by the implicit deny.

Great job.
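As an added illustration (not code from this thread), here is a small Python model of how IOS evaluates the numbered extended ACL posted above, with the wildcard mask a Class C source needs (0.0.0.255, which the posted line omits) and the implicit deny that the last reply mentions. The 192.0.2.0/24 network and the addresses in the checks are constructed stand-ins for the "192.x.x.x" subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                        # source base address
    src_wild: str                   # source wildcard mask: 0 bits must match
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None  # None means any destination port


def _addr(tokens: list) -> tuple:
    # Consume one address spec: "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z".
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_ace(line: str) -> Ace:
    # Parses one numbered extended ACL line of the form used in the thread,
    # e.g. "access-list 100 permit tcp 192.0.2.0 0.0.0.255 any eq 80".
    t = line.split()
    assert t[0] == "access-list"
    action, proto, rest = t[2], t[3], t[4:]
    src, src_wild = _addr(rest)
    dst, dst_wild = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, src_wild, dst, dst_wild, port)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard semantics: a 0 bit must match, a 1 bit is "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def evaluate(acl: list, proto: str, src: str, dst: str, dst_port: int) -> str:
    # First matching entry wins; with no match the packet falls through to
    # the implicit "deny" that ends every IOS ACL.
    for ace in acl:
        if (ace.proto in ("ip", proto)
                and wildcard_match(src, ace.src, ace.src_wild)
                and wildcard_match(dst, ace.dst, ace.dst_wild)
                and (ace.dst_port is None or ace.dst_port == dst_port)):
            return ace.action
    return "deny"


# Constructed stand-in for the thread's "192.x.x.x" Class C: 192.0.2.0/24.
ACL_100 = [parse_ace("access-list 100 permit tcp 192.0.2.0 0.0.0.255 any eq 80")]
```

Applied inbound on Fa3/0 as in the thread, this matches only TCP to port 80 from that subnet; HTTPS, DNS and any other source address drop to the implicit deny.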