https://community.cisco.com/t5/network-security/how-to-block-this-using-extended-acl/m-p/2005420#M921311 <P>Hi All, Here is the scenario which i am using</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/9/2/4/97429-Untitled.png" alt="Untitled.png" class="jive-image-thumbnail jive-image" width="450" /></P><P><STRONG style="text-decoration: underline;">TASK:</STRONG> I want to block all the data stream destined to 10.10.10.2 which travel <STRONG>from </STRONG>port 80 of http server.</P><P></P><P></P><P>I am trying the Extended access list as follows</P><P></P><P><STRONG>access-list 131 deny tcp host 10.10.10.1 eq www host 10.10.10.2<BR /></STRONG></P><P><STRONG>access-list 131 permit ip any any</STRONG></P><P><STRONG>ip access-group 131 out </STRONG>at FastEthernet interface of HTTP server router</P><P></P><P>However it is not working as expected, Everything works normal.Where i am wrong?</P> Fri, 21 Feb 2020 12:42:49 GMT veddotcom 2020-02-21T12:42:49Z https://community.cisco.com/t5/network-security/how-to-block-this-using-extended-acl/m-p/2005420#M921311 <P>Hi All, Here is the scenario which i am using</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/9/2/4/97429-Untitled.png" alt="Untitled.png" class="jive-image-thumbnail jive-image" width="450" /></P><P><STRONG style="text-decoration: underline;">TASK:</STRONG> I want to block all the data stream destined to 10.10.10.2 which travel <STRONG>from </STRONG>port 80 of http server.</P><P></P><P></P><P>I am trying the Extended access list as follows</P><P></P><P><STRONG>access-list 131 deny tcp host 10.10.10.1 eq www host 10.10.10.2<BR /></STRONG></P><P><STRONG>access-list 131 permit ip any any</STRONG></P><P><STRONG>ip access-group 131 out </STRONG>at FastEthernet interface of HTTP server router</P><P></P><P>However it is not working as expected, Everything works normal.Where i am wrong?</P> Fri, 21 Feb 2020 12:42:49 GMT https://community.cisco.com/t5/network-security/how-to-block-this-using-extended-acl/m-p/2005420#M921311 veddotcom 2020-02-21T12:42:49Z https://community.cisco.com/t5/network-security/how-to-block-this-using-extended-acl/m-p/2005421#M921312 <HTML><HEAD></HEAD><BODY><P>Hi Bro</P><P>In R1, just do this if you're plannin to block the source from the LAN in R1 to 10.10.10.2, and all should be good.</P><P></P><P>!</P><P>access-list 100 deny tcp any host 10.10.10.2 eq 80</P><P>access-list 100 permit ip any any</P><P>!</P><P>interface FastEthernet 0/0</P><P> description ### WAN Link ###</P><P> ip address 10.10.10.1 255.255.255.252</P><P>!</P><P>interface FastEthernet 0/1</P><P> description ### LAN Link ###</P><P> ip access-group 100 in</P><P>!</P><P></P><P></P><P>However, if you're trying to block R1 (from R1 itself) in reaching R2 10.10.10.2 via TCP/80, then you'll need to use the MPF method shown below;</P><P></P><P>!</P><P>class-map CM_HTTP</P><P> match access-group 100</P><P>!</P><P>policy-map PM_HTTP</P><P> class CM_HTTP</P><P>&nbsp; drop</P><P>!</P><P>control-plane</P><P> service-policy output PM_HTTP</P><P>!</P><P></P><P></P><P></P><P><STRONG>P/S: If you think this comment is useful, please do rate them nicely <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></STRONG></P></BODY></HTML> Sun, 19 Aug 2012 23:15:27 GMT https://community.cisco.com/t5/network-security/how-to-block-this-using-extended-acl/m-p/2005421#M921312 Ramraj Sivagnanam Sivajanam 2012-08-19T23:15:27Z