ACL commands

Hello, I am trying to write an ACL to do the following:

- permit HTTP access to the web server 10.20.0.2/8

- deny all other access to the web server

- permit traffic to all other destinations

My attempt is:

permit tcp any 10.20.0.2 0.255.255.255 eq 80

deny ip any 10.20.0.2 0.255.255.255

permit ip any any

However I can still ping the web server at 10.20.0.2 so I have obviously not got the ACL right.

Can someone please advise how I should have written my ACL?

Thanks for any help.


ACL commands

Dave,

Your acl would look like this:

permit tcp any host 10.20.0.2 eq 80

deny ip any host 10.20.0.2

permit ip any any

HTH,

John


ACL commands

Dave

John has correctly identified an inconsistency in the mask used in your access list. But I believe that there may be more to the problem than the issue with the mask. If the access list in your original post were correctly applied on an IOS router then it looks to me like access for any non TCP traffic to network 10 would have been denied. So I believe that we need some additional information:

- what platform is this access list on? masking is quite different between IOS devices and the ASA for example. So what platform are we dealing with?

- How is the access list applied? If the access list is not applied at all, or is not applied to the correct interface, or is not applied in the correct direction, then that would explain why you were able to ping the server.

HTH

Rick
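To make the two replies concrete, here is an added example (not code from the thread or from Cisco): a small Python parser for the subset of IOS extended ACL syntax used above (`any`, `host A.B.C.D`, `A.B.C.D WILDCARD`, optional `eq PORT`) with first-match evaluation and the implicit deny that ends every IOS access list. Both lists are copied from the posts; the client address 192.0.2.10 and the second server 10.5.5.5 are constructed test values. Running it shows what Rick describes: Dave's original list, if it were really in the path of the traffic, would already deny the ping, and would deny every non-TCP packet to 10.0.0.0/8; John's list permits only HTTP to 10.20.0.2 and leaves everything else alone.

```python
"""Evaluate Cisco IOS-style extended ACL lines against sample packets.

Added example, not from the thread. The wildcard mask is the inverse of
a subnet mask: a 1 bit means "don't care", so 0.255.255.255 matches a
whole /8 and 0.0.0.0 (what "host" expands to) matches one address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# The two access lists from the thread, copied verbatim.
ORIGINAL_ACL = [
    "permit tcp any 10.20.0.2 0.255.255.255 eq 80",
    "deny ip any 10.20.0.2 0.255.255.255",
    "permit ip any any",
]
CORRECTED_ACL = [
    "permit tcp any host 10.20.0.2 eq 80",
    "deny ip any host 10.20.0.2",
    "permit ip any any",
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec at tokens[i]; return (network, wildcard, next index)."""
    tok = tokens[i]
    if tok == "any":                       # any == 0.0.0.0 255.255.255.255
        return 0, ALL_ONES, i + 1
    if tok == "host":                      # host X == X 0.0.0.0
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_ace(line: str) -> Ace:
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src_net, src_wild, i = _parse_addr(tokens, 2)
    dst_net, dst_wild, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])
    return Ace(action, proto, src_net, src_wild, dst_net, dst_wild, dport)


def _addr_matches(addr: str, net: int, wild: int) -> bool:
    """Compare only the bits where the wildcard is 0, as IOS does."""
    care = ~wild & ALL_ONES
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(acl: List[str], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt; the first matching line wins."""
    for ace in map(parse_ace, acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _addr_matches(pkt.src, ace.src_net, ace.src_wild):
            continue
        if not _addr_matches(pkt.dst, ace.dst_net, ace.dst_wild):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every IOS access list


# Constructed test traffic (192.0.2.10 is a documentation address standing in
# for a client; 10.5.5.5 stands in for some other host in 10.0.0.0/8).
SAMPLE_PACKETS = {
    "HTTP to the web server":    Packet("192.0.2.10", "10.20.0.2", "tcp", 80),
    "HTTPS to the web server":   Packet("192.0.2.10", "10.20.0.2", "tcp", 443),
    "ping to the web server":    Packet("192.0.2.10", "10.20.0.2", "icmp"),
    "DNS to another 10/8 host":  Packet("192.0.2.10", "10.5.5.5", "udp", 53),
    "SSH to another 10/8 host":  Packet("192.0.2.10", "10.5.5.5", "tcp", 22),
}

if __name__ == "__main__":
    print(f"{'traffic':28} {'original':10} {'corrected':10}")
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:28} {evaluate(ORIGINAL_ACL, pkt):10} "
              f"{evaluate(CORRECTED_ACL, pkt):10}")
```

The table it prints shows "ping to the web server" as deny under both lists, so a successful ping means the list is not being consulted for that traffic at all. On IOS the list is bound under the interface with `ip access-group NAME in` (or `out`), and `show ip access-lists` shows a per-line match counter; a counter that never moves while the ping succeeds is the quickest confirmation that the interface or direction is wrong. On an ASA the same lines would take a subnet mask (255.255.255.255 for a single host) rather than an IOS wildcard, which is the platform difference Rick is asking about.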
