ACL commands

david19422
Level 1

Hello, I am trying to write an ACL to do the following:

- permit HTTP access to the web server 10.20.0.2/8

- deny all other access to the web server

- permit traffic to all other destinations

My attempt is:

permit tcp any 10.20.0.2 0.255.255.255 eq 80

deny ip any 10.20.0.2 0.255.255.255

permit ip any any

However, I can still ping the web server at 10.20.0.2, so I have obviously not got the ACL right.

Can someone please advise how I should have written my ACL?

Thanks for any help.

2 Replies 2

John Blakley
VIP Alumni

Dave,

Your acl would look like this:

permit tcp any host 10.20.0.2 eq 80

deny ip any host 10.20.0.2

permit ip any any

HTH,

John

HTH, John *** Please rate all useful posts ***

Dave

John has correctly identified an inconsistency in the mask used in your access list. But I believe that there may be more to the problem than the issue with the mask. If the access list in your original post were correctly applied on an IOS router, then it looks to me like access for any non-TCP traffic to network 10 would have been denied. So I believe that we need some additional information:

- What platform is this access list on? Masking is quite different between IOS devices and the ASA, for example. So what platform are we dealing with?

- How is the access list applied? If the access list is not applied at all, or is not applied to the correct interface, or is not applied in the correct direction, then that would explain why you were able to ping the server.

HTH

Rick

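Both replies turn on how an IOS wildcard mask is evaluated: 0.255.255.255 matches every address in 10.0.0.0/8, while "host" (wildcard 0.0.0.0) matches the single address. The following script is an added example, not code from either poster, that models top-down ACL evaluation with an implicit deny and runs a few constructed packets through the original ACL and John's corrected one. It is a simplified model of IOS semantics (wildcard masks, "host", "any", "eq" destination port only; no "established", port ranges, or ASA-style netmasks) and it does not model where or in which direction the ACL is applied, which is Rick's second point: an ACL that is not applied inbound on the right interface matches nothing at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample ACLs: the original post and John's corrected version.
ORIGINAL_ACL = [
    "permit tcp any 10.20.0.2 0.255.255.255 eq 80",
    "deny ip any 10.20.0.2 0.255.255.255",
    "permit ip any any",
]
CORRECTED_ACL = [
    "permit tcp any host 10.20.0.2 eq 80",
    "deny ip any host 10.20.0.2",
    "permit ip any any",
]


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _match_addr(spec: Tuple[int, int], addr: str) -> bool:
    """IOS wildcard semantics: bits set to 1 in the wildcard are don't-care."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def _parse_addr(tokens: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (base, wildcard) and leftovers."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_ace(line: str) -> dict:
    """Parse one access-control entry of the form: action proto src dst [eq port]."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport, "text": line}


def parse_acl(lines: List[str]) -> List[dict]:
    return [parse_ace(l) for l in lines]


def evaluate(acl: List[dict], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; anything that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not _match_addr(ace["src"], pkt.src) or not _match_addr(ace["dst"], pkt.dst):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (result under original ACL, result under corrected ACL)."""
    return evaluate(parse_acl(ORIGINAL_ACL), pkt)[0], evaluate(parse_acl(CORRECTED_ACL), pkt)[0]


if __name__ == "__main__":
    # Constructed test traffic from a client on 192.168.1.10.
    samples = [
        Packet("tcp", "192.168.1.10", "10.20.0.2", 80),   # HTTP to the web server
        Packet("icmp", "192.168.1.10", "10.20.0.2"),      # ping the web server
        Packet("tcp", "192.168.1.10", "10.20.0.2", 443),  # HTTPS to the web server
        Packet("icmp", "192.168.1.10", "10.99.1.1"),      # ping another host in 10/8
    ]
    for p in samples:
        o, c = compare(p)
        print(f"{p.proto:4} -> {p.dst}:{p.dport}  original={o:6}  corrected={c}")
```

Running it shows why Rick expects the original ACL, if it were actually applied, to block the ping to 10.20.0.2 and, as collateral damage, every non-HTTP packet to the whole of 10.0.0.0/8; the corrected ACL confines the deny to the single host and leaves the rest of network 10 reachable.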