
Extended ACL help

Hi folks,

I'm trying to write an Extended ACL to do the following and running into a snag.
This may be easy for most, but I'm new to writing ACLs. Any help would be much appreciated!!

The goal is to allow ONLY port 80 traffic from host C and D to host A, and block any other traffic from those two hosts.
All traffic from host B should be allowed.

  • Permit Host C and Host D (172.16.53.67 and 172.16.101.3) to access the web server (172.19.100.37) ONLY on port 80.
  • All other traffic from these same two hosts, such as pings etc., must be denied.
  • Permit all traffic from host B (172.16.200.41) to host A (172.19.100.37).

See attached screenshot for clarity.

I've written about 20 versions of this ACL and am still running into a road block.
Here is the final version I wrote, which works partially.
All three hosts get a destination unreachable on pings.
All three hosts get a server reset connection on port 80 traffic.

--------------------------------------------------------------------------------------------

So I've applied this ACL to the inbound interface of Router #3:

access-list 101 permit tcp 172.16.53.67 0.0.0.0 172.19.100.37 0.0.0.0 eq 80
access-list 101 permit tcp 172.16.101.3 0.0.0.0 172.19.100.37 0.0.0.0 eq 80
access-list 101 permit ip 172.16.200.41 0.0.0.0 172.19.100.37 0.0.0.0

access-list 101 deny ip any any

ip access-group 101 in

Attachment: Help_community.PNG

4 REPLIES

Hi @Justb,

At first glance the ACL looks ok.

Have you had any problems after applying it?

There is the option to use the "host" help:

access-list 101 permit tcp host 172.16.53.67 host 172.19.100.37 eq 80
access-list 101 permit tcp host 172.16.101.3 host 172.19.100.37 eq 80
access-list 101 permit ip host 172.16.200.41 host 172.19.100.37

access-list 101 deny ip any any

Regards
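
To check what this ACL actually permits, here is an added Python model of first-match ACL evaluation (not code from the thread or from Cisco IOS): it parses the ACL in the "host" form above, applies Cisco wildcard matching and the implicit deny at the end, and evaluates the hosts from the question. The last case shows that the web server's replies to host C match none of the permit lines, so the interface and direction the ACL is applied in decide whether return traffic is affected; the host addresses are the ones from the question, the ephemeral port 51000 is a constructed value.

```python
import ipaddress
# Constructed copy of the thread's extended ACL, using the "host" form from the first reply.
ACL_101 = """
access-list 101 permit tcp host 172.16.53.67 host 172.19.100.37 eq 80
access-list 101 permit tcp host 172.16.101.3 host 172.19.100.37 eq 80
access-list 101 permit ip host 172.16.200.41 host 172.19.100.37
access-list 101 deny ip any any
"""
_ip = lambda s: int(ipaddress.ip_address(s))  # dotted quad -> 32-bit int

def _parse_addr(tokens, i):
    """Parse 'host X', 'any' or 'X WILDCARD' at tokens[i]; return ((addr, wildcard), next_index)."""
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2

def _matches(clause, ip):
    addr, wildcard = clause
    # Cisco wildcard semantics: 0 bits must match exactly, 1 bits are "don't care".
    return ((_ip(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Return (action, proto, src_clause, dst_clause, dport_or_None) tuples in configured order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((t[2], t[3], src, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, dport=0):
    """First matching entry wins; a packet matching no entry hits the implicit deny at the end."""
    for action, p, s, d, port in entries:
        if (p in ("ip", proto) and _matches(s, src) and _matches(d, dst)
                and (port is None or port == dport)):
            return action
    return "deny"

def demo():
    e = parse_acl(ACL_101)
    C, D, B, A = "172.16.53.67", "172.16.101.3", "172.16.200.41", "172.19.100.37"
    return {
        "C->A tcp/80": evaluate(e, "tcp", C, A, 80),
        "C->A icmp": evaluate(e, "icmp", C, A),
        "B->A icmp": evaluate(e, "icmp", B, A),
        "A->C tcp reply": evaluate(e, "tcp", A, C, 51000),  # server's reply matches no permit line
    }
```

Run `print(demo())` to see each verdict; `evaluate()` can also be called directly with any protocol, source, destination and destination port.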


Hi,
I've had no problem applying the ACL.
I've tried both ways and still get "Destination host unreachable" from all three hosts.


Extended IP access list 101
10 permit tcp host 172.16.53.67 host 172.19.100.37 eq www
20 permit tcp host 172.16.101.3 host 172.19.100.37 eq www
30 permit ip host 172.16.200.41 host 172.19.100.37
40 deny ip any any



Hi @Justb,

If you can not find the solution, you can send us the compressed exercise to be able to review it.

Regards


On R3, on interface g/01, run this command:

ip access-group 101 out
Jaderson Pessoa
*** Rate All Helpful Responses ***