1231 Views | 0 Helpful | 4 Replies

Extended ACL help

Justb (Level 1)

Hi folks,

I'm trying to write an Extended ACL to do the following and running into a snag.
This may be easy for most, but I'm new to writing ACLs. Any help would be much appreciated!!

The goal is to allow ONLY port 80 traffic from host C and D to host A, and block any other traffic from those two hosts.
All traffic from Host B should be allowed.



  • Permit Host C and Host D (172.16.53.67 and 172.16.101.3) to access the web server (172.19.100.37) ONLY on port 80.
  • All other traffic from these same two hosts, such as pings etc., must be denied.
  • Permit all traffic from host B (172.16.200.41) to host A (172.19.100.37).

See attached screenshot for clarity.


I've written about 20 versions of this ACL and am still running into a roadblock.
Here is the final version I wrote, which works partially.
All three hosts get a destination unreachable on pings.
All three hosts get a server reset connection on port 80 traffic.

--------------------------------------------------------------------------------------------

So I've applied this ACL to the inbound interface of Router #3.

access-list 101 permit tcp 172.16.53.67 0.0.0.0 172.19.100.37 0.0.0.0 eq 80
access-list 101 permit tcp 172.16.101.3 0.0.0.0 172.19.100.37 0.0.0.0 eq 80
access-list 101 permit ip 172.16.200.41 0.0.0.0 172.19.100.37 0.0.0.0

! an extended ACL entry needs a protocol keyword; "deny any any" is rejected by IOS
access-list 101 deny ip any any

ip access-group 101 in

[Attachment: Help_community.PNG]


4 Replies

luis_cordova (VIP Alumni)

Hi @Justb,

 

At first glance the ACL looks ok.

Have you had any problems after applying it?

 

There is the option to use the "host" help:

access-list 101 permit tcp host 172.16.53.67 host 172.19.100.37 eq 80
access-list 101 permit tcp host 172.16.101.3 host 172.19.100.37 eq 80
access-list 101 permit ip host 172.16.200.41 host 172.19.100.37

! protocol keyword is required in an extended ACL entry
access-list 101 deny ip any any

 

Regards

Hi,
I've had no problem applying the ACL.
I've tried both ways and still get "Destination host unreachable" from all three hosts.


Extended IP access list 101
10 permit tcp host 172.16.53.67 host 172.19.100.37 eq www
20 permit tcp host 172.16.101.3 host 172.19.100.37 eq www
30 permit ip host 172.16.200.41 host 172.19.100.37
40 deny ip any any


Hi @Justb,

 

If you cannot find the solution, you can send us the compressed exercise so we can review it.

 

Regards

Jaderson Pessoa (VIP Alumni)

On R3, on interface g0/1, run this command.

ip access-group 101 out
Jaderson Pessoa
*** Rate All Helpful Responses ***
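An added example, not part of the thread and not anyone's posted configuration: a small Python model of how IOS evaluates a numbered extended ACL (first matching entry wins, wildcard masks where 0 bits must match, and an implicit "deny ip any any" at the end). It parses the OP's access-list 101 and runs a set of constructed sample packets through it, including the server's reply packets, which is what Jaderson's "in" versus "out" point comes down to: the list only permits the host-to-server direction, so if it is applied where it also sees the server's replies, every session breaks, host B included. The helper names (`parse_ace`, `evaluate`, `check_acl_101`), the packet samples and the ephemeral port are assumptions made for the illustration.

```python
"""Toy evaluator for a Cisco IOS numbered extended ACL (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port names IOS prints in "show access-lists"; only the one this thread needs.
PORT_NAMES = {"www": 80}

# Addresses from the original post.
HOST_A = "172.19.100.37"  # web server
HOST_B = "172.16.200.41"  # allowed everything to A
HOST_C = "172.16.53.67"   # port 80 to A only
HOST_D = "172.16.101.3"   # port 80 to A only

# The OP's list, with the final entry written the way IOS accepts it.
ACL_101 = """
access-list 101 permit tcp 172.16.53.67 0.0.0.0 172.19.100.37 0.0.0.0 eq 80
access-list 101 permit tcp 172.16.101.3 0.0.0.0 172.19.100.37 0.0.0.0 eq 80
access-list 101 permit ip 172.16.200.41 0.0.0.0 172.19.100.37 0.0.0.0
access-list 101 deny ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: str
    src_wild: str                # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str
    dport: Optional[int] = None  # "eq <port>"; None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'.
    Source/destination may be 'host X', 'any', or 'X <wildcard>'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    i = 2  # skip 'access-list' and the list number
    action, proto = tok[i], tok[i + 1]
    i += 2

    def addr_spec(pos: int):
        if tok[pos] == "host":
            return tok[pos + 1], "0.0.0.0", pos + 2
        if tok[pos] == "any":
            return "0.0.0.0", "255.255.255.255", pos + 1
        return tok[pos], tok[pos + 1], pos + 2

    src, src_wild, i = addr_spec(i)
    dst, dst_wild, i = addr_spec(i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        dport = PORT_NAMES.get(name) or int(name)
    return Ace(action, proto, src, src_wild, dst, dst_wild, dport)


def _addr_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & keep) == (b & keep)


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not _addr_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    return ace.dport is None or pkt.dport == ace.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; IOS ends every ACL with an implicit 'deny ip any any'."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


def check_acl_101() -> Dict[str, str]:
    """Run constructed sample packets through the OP's list and return the verdicts."""
    acl = [parse_ace(l) for l in ACL_101.strip().splitlines()]
    cases = {
        "C->A tcp/80": Packet("tcp", HOST_C, HOST_A, 80),
        "D->A tcp/80": Packet("tcp", HOST_D, HOST_A, 80),
        "C->A tcp/443": Packet("tcp", HOST_C, HOST_A, 443),
        "C->A icmp": Packet("icmp", HOST_C, HOST_A),
        "B->A icmp": Packet("icmp", HOST_B, HOST_A),
        # Server replies flow A -> host, to the client's ephemeral port (51234 is constructed):
        # nothing in ACL 101 permits this direction.
        "A->C tcp reply": Packet("tcp", HOST_A, HOST_C, 51234),
        "A->B icmp reply": Packet("icmp", HOST_A, HOST_B),
    }
    return {name: evaluate(acl, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_acl_101().items():
        print(f"{name:16} {verdict}")
```

Reading the output: the three permit entries do exactly what the OP asked for in the host-to-server direction (C and D only on tcp/80, B for everything), and the pings from C and D are dropped by the final deny, which is why those hosts see an unreachable for ICMP. The reply packets from 172.19.100.37 are denied by every entry, so the list must sit where it sees only traffic heading toward the server: inbound on the interface facing the hosts, or, as Jaderson suggests, outbound on R3's server-facing interface. Applied inbound on the server side it would filter the replies instead, and all three hosts would lose their sessions.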