Cisco Support Community

New Member

block all traffic except

I am trying to block all outbound traffic except for certain ports. I tried

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 permit ip any any
access-list 101 deny tcp any any

That doesn't stop anything. I tried

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 53
access-list 101 permit tcp any any eq www
access-list 101 deny tcp any any

That stops everything. Any help would be great. Thanks

6 REPLIES
New Member

Re: block all traffic except

Access-lists flow down, so you put the most specific at the top and the generalized ones at the bottom. On your first list you have permit ip any any, which makes nothing blocked.

And if I'm not mistaken, DNS uses UDP also, which is blocked in the second list.

Super Bronze

Re: block all traffic except

Besides Kyle's post, where are you using this ACL: the inside-facing interface or the outside-facing interface? Also, in or out on the interface?

The reason I ask: with the explicit deny tcp any and the implicit deny all, your ACL needs to match the destination's port. I.e., the difference between inside in and outside out vs. inside out and outside in.

New Member

Re: block all traffic except

I am planning on applying this ACL to a fast ethernet port on the inside. So inside out.

New Member

Re: block all traffic except

If I'm understanding you, you have a PC, then a router, then the internet. You're applying it on the PC side of the router going out. If you do that, it examines the packets when they head out of the router towards the PC. You want to apply the access-list on the in so it examines them as they go into the router.

Hope it helps,

Kyle

Super Bronze

Re: block all traffic except

If your LAN facing interface is something like FastEthernet 0/1 then you want:

interface FastEthernet 0/1
 no shutdown
 description connected to EthernetLAN
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in

NOT

interface FastEthernet 0/1
 no shutdown
 description connected to EthernetLAN
 ip address x.x.x.x x.x.x.x
 ip access-group 101 out

PS:

Doing the above would restrict access to other internal interfaces, if any.
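The two points made in the replies above (first-match ordering with the implicit deny at the end, and the difference between applying the list "in" versus "out" on the LAN-facing interface) can be checked with a small model. The following is an added example written for this thread, not Cisco code and not posted by any participant: it parses the exact ACL lines from the original post, evaluates constructed sample flows against them first-match style, and models the "out" direction as the server's reply leaving the router toward the PC. The CORRECTED list, the sample ports and the flow names are assumptions built from the replies' advice.

```python
# Added example (not from the thread or Cisco): a tiny first-match model of an
# IOS numbered ACL, used to show why the two posted lists behave as they do.
from dataclasses import dataclass

# Well-known port names that 'eq' accepts in the posted lines.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int


def parse_ace(line):
    """Parse 'access-list 101 <permit|deny> <proto> any any [eq <port>]'."""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    dst_port = None
    if len(tokens) >= 8 and tokens[6] == "eq":
        name = tokens[7]
        dst_port = int(name) if name.isdigit() else PORT_NAMES[name]
    return action, proto, dst_port


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for line in acl:
        action, proto, dst_port = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        # 'eq <port>' after the second 'any' matches the DESTINATION port only.
        if dst_port is not None and pkt.dst_port != dst_port:
            continue
        return action
    return "deny"


def lan_interface_filter(acl, direction, pkt_from_pc):
    """Verdict for one PC->Internet flow on the LAN-facing interface.

    'in'  inspects the PC's packet as it enters the router (what the replies recommend).
    'out' inspects the server's reply as it leaves the router toward the PC; the reply
    carries the service port as its SOURCE, so the 'eq <port>' entries never match it.
    """
    if direction == "in":
        return evaluate(acl, pkt_from_pc)
    reply = Packet(pkt_from_pc.proto, pkt_from_pc.dst_port, pkt_from_pc.src_port)
    return evaluate(acl, reply)


# The two lists from the original post, verbatim.
FIRST_ATTEMPT = [
    "access-list 101 permit tcp any any eq www",
    "access-list 101 permit tcp any any eq 443",
    "access-list 101 permit tcp any any eq smtp",
    "access-list 101 permit tcp any any eq pop3",
    "access-list 101 permit tcp any any eq 53",
    "access-list 101 permit ip any any",
    "access-list 101 deny tcp any any",
]
SECOND_ATTEMPT = FIRST_ATTEMPT[:5] + ["access-list 101 deny tcp any any"]

# Assumed list following the replies' advice: specific permits first (including UDP
# DNS), then rely on the implicit deny. Constructed here, not posted in the thread.
CORRECTED = FIRST_ATTEMPT[:5] + ["access-list 101 permit udp any any eq 53"]

# Constructed sample flows from a PC using ephemeral source ports.
SAMPLE_FLOWS = {
    "web":     Packet("tcp", 51000, 80),
    "https":   Packet("tcp", 51001, 443),
    "dns_udp": Packet("udp", 51002, 53),
    "ssh":     Packet("tcp", 51003, 22),
}


def summarize(acl, direction):
    """Map each sample flow name to its verdict for the given ACL and direction."""
    return {name: lan_interface_filter(acl, direction, pkt)
            for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    lists = [("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("corrected", CORRECTED)]
    for label, acl in lists:
        for direction in ("in", "out"):
            print(f"{label:9s} applied {direction:3s}: {summarize(acl, direction)}")
```

Run stand-alone it prints one line per list and direction. The first list permits every flow because `permit ip any any` is reached before the deny, the second list applied "in" drops UDP DNS and anything not explicitly listed, and any of the lists applied "out" drops every reply because the service port sits in the source field there. The model is stateless (no `established` keyword, no inspection), so it only reflects what a plain numbered ACL sees in each direction.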

New Member

Re: block all traffic except

Thanks to everyone. I have everything working the way I had planned.
