help with acl on cisco 1841

donnie
Level 1

Hi all. I have a Cisco 1841 which I use to segregate 2 private LANs.

The commands below show one of my FastEthernet interfaces, which I placed an ACL on.

interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.4.253 255.255.255.0
 ! ACL 100 is evaluated on packets leaving this interface toward 192.168.4.0/24
 ip access-group 100 out
 duplex auto
 speed auto
!
access-list 100 permit icmp any any
access-list 100 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www
! 'established' matches any TCP segment with ACK or RST set, from any source port
access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established

My objective is to allow the 192.168.4.0/24 subnet to access 192.168.1.204/24 on port 80 only. However, with my ACL implemented as shown, I could access 192.168.1.204/24 even through RDP. But the ACLs do manage to prevent access to other workstations on 192.168.1.0/24. Can anyone advise me what is wrong with my ACL?

Another query is the command "access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established". I believe this command is to allow incoming packets only after a station on the 192.168.4.0/24 subnet has initiated the connection. Hence I feel this ACL should be placed on fa0/1 incoming traffic instead of outgoing traffic, i.e. it should be "access-list 110 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established" with "ip access-group 110 in". However, when I try to place that ACL on incoming traffic, no traffic can pass through. Please advise.

3 Replies

whisperwind
Level 1

Apply the ACL inbound

Hi whisperwind,

I managed to solve the problem by using the ACL below, which is still applied to my outbound packets. Now my 192.168.4.0 network can only access 192.168.1.204 on port 80 and nothing else.

access-list 100 permit tcp host 192.168.1.204 eq 80 192.168.4.0 0.0.0.255 established

The difference is in specifying port 80 for 192.168.1.204. I understand that this ACL with the established keyword should be applied to inbound packets. But when I applied it inbound, all the routing in my Cisco 1841 failed to function, even though I included only 1 line, e.g. "access-list 100 permit tcp host 192.168.1.204 192.168.4.0 0.0.0.255 established", and applied this 1-line ACL to inbound packets on fa0/1. Why is this so? Thanks in advance.

wenbin

You also posted this question on the LAN Switching and Routing forum where I have posted an answer which explains the issue with the access list and the placement of the access list. Please look to that forum for the answer.

HTH

Rick

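To make the direction question in the thread concrete, here is an added example: a small Python model of how IOS evaluates these ACLs, written for this page and not taken from the thread or from Cisco. It evaluates each ACL top-down with the implicit deny, treats 'established' as the ACK/RST flag check it really is, and applies an ACL only on the interface and direction it is bound to. The topology (Fa0/0 facing 192.168.1.0/24, Fa0/1 facing 192.168.4.0/24), the client 192.168.4.10, the other host 192.168.1.5 and the ephemeral port 50000 are constructed assumptions; the www_inbound binding is my reading of whisperwind's "apply the ACL inbound" advice, not a line posted in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                              # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()     # TCP flags set on the segment


@dataclass(frozen=True)
class Ace:
    """One access-list entry, covering only the IOS syntax used in the thread."""
    action: str                             # "permit" or "deny"
    proto: str                              # "ip", "tcp" or "icmp"
    src: str                                # CIDR or "any"
    dst: str
    sport: Optional[int] = None             # 'eq N' after the source address
    dport: Optional[int] = None             # 'eq N' after the destination address
    established: bool = False               # IOS 'established': ACK or RST bit set


def _in_net(net: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network("0.0.0.0/0" if net == "any" else net)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in_net(ace.src, pkt.src) and _in_net(ace.dst, pkt.dst)):
        return False
    if ace.proto == "tcp":
        if ace.sport is not None and pkt.sport != ace.sport:
            return False
        if ace.dport is not None and pkt.dport != ace.dport:
            return False
        if ace.established and not (pkt.flags & {"ACK", "RST"}):  # a flag check, not a session table
            return False
    return True


def acl_eval(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:                         # first match wins
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                           # implicit 'deny ip any any' at the end of every ACL


IFACES = {"Fa0/0": "192.168.1.0/24", "Fa0/1": "192.168.4.0/24"}   # assumed topology from the post


def iface_for(ip: str) -> str:
    for name, net in IFACES.items():
        if _in_net(net, ip):
            return name
    raise ValueError(f"no interface for {ip}")


Bindings = Dict[Tuple[str, str], List[Ace]]      # (interface, "in"|"out") -> ACL


def transit(pkt: Packet, bindings: Bindings) -> str:
    """Apply the inbound ACL of the ingress interface, then the outbound ACL of the egress one."""
    ingress, egress = iface_for(pkt.src), iface_for(pkt.dst)
    for key in ((ingress, "in"), (egress, "out")):
        if key in bindings and acl_eval(bindings[key], pkt) == "deny":
            return "deny"
    return "permit"


def tcp_session_works(client: str, server: str, dport: int, bindings: Bindings) -> bool:
    """A session needs the client's SYN and the server's SYN/ACK to both get through the router."""
    syn = Packet("tcp", client, server, 50000, dport, frozenset({"SYN"}))
    synack = Packet("tcp", server, client, dport, 50000, frozenset({"SYN", "ACK"}))
    return transit(syn, bindings) == "permit" and transit(synack, bindings) == "permit"


H204, LAN4 = "192.168.1.204/32", "192.168.4.0/24"
ICMP_ANY = Ace("permit", "icmp", "any", "any")
WWW_TO_204 = Ace("permit", "tcp", LAN4, H204, dport=80)
ACL100_ORIGINAL = [ICMP_ANY, WWW_TO_204, Ace("permit", "tcp", H204, LAN4, established=True)]
ACL100_FIXED = [ICMP_ANY, WWW_TO_204, Ace("permit", "tcp", H204, LAN4, sport=80, established=True)]
ACL110_ESTABLISHED_ONLY = [Ace("permit", "tcp", H204, LAN4, established=True)]
CLIENT = "192.168.4.10"                          # constructed client on the filtered LAN


def original_outbound() -> Bindings:    return {("Fa0/1", "out"): ACL100_ORIGINAL}
def fixed_outbound() -> Bindings:       return {("Fa0/1", "out"): ACL100_FIXED}
def established_inbound() -> Bindings:  return {("Fa0/1", "in"): ACL110_ESTABLISHED_ONLY}
def www_inbound() -> Bindings:          return {("Fa0/1", "in"): [ICMP_ANY, WWW_TO_204]}   # assumed alternative


def check(bindings: Bindings) -> Tuple[bool, bool, bool]:
    """(HTTP to .204 works, RDP to .204 works, HTTP to another 192.168.1.0/24 host works)."""
    return (tcp_session_works(CLIENT, "192.168.1.204", 80, bindings),
            tcp_session_works(CLIENT, "192.168.1.204", 3389, bindings),
            tcp_session_works(CLIENT, "192.168.1.5", 80, bindings))


def ack_from_204_without_session() -> str:
    """'established' is stateless: an ACK-only segment from .204:80 to any port passes the fixed ACL."""
    return transit(Packet("tcp", "192.168.1.204", CLIENT, 80, 3389, frozenset({"ACK"})), fixed_outbound())


if __name__ == "__main__":
    for name, b in [("original", original_outbound()), ("fixed", fixed_outbound()),
                    ("established-only inbound", established_inbound()), ("www inbound", www_inbound())]:
        print(f"{name:26} http/rdp/other = {check(b)}")
    print("ACK from .204:80 with no session:", ack_from_204_without_session())
```

The model reproduces the three observations in the thread. With the original ACL 100 outbound on Fa0/1, the second line never matches anything, because traffic to 192.168.1.204 leaves via Fa0/0, and the 'established' line admits the SYN/ACK from any port of .204, so RDP works while other hosts' replies hit the implicit deny. Adding 'eq 80' on the source restricts the returning traffic to the web server port. The 1-line ACL 110 inbound on Fa0/1 only ever sees packets arriving from 192.168.4.0/24, whose source is never .204, so every packet is denied and routing appears dead; an inbound ACL on Fa0/1 has to describe the client side of the conversation (permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.204 eq www), which is what "Apply the ACL inbound" amounts to. The last function is the caveat: 'established' only tests flag bits, so a host at .204 that sends ACK-set segments from port 80 reaches any port on the 192.168.4.0/24 LAN without a prior session; a stateful inspection feature is needed if that matters.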