How to Block this using Extended ACL

veddotcom
Level 1

Hi all, here is the scenario which I am using:

Untitled.png

TASK: I want to block all the data stream destined to 10.10.10.2 which travel from port 80 of http server.

I am trying the Extended access list as follows

access-list 131 deny tcp host 10.10.10.1 eq www host 10.10.10.2

access-list 131 permit ip any any

ip access-group 131 out at FastEthernet interface of HTTP server router

However, it is not working as expected; everything works as normal. Where am I wrong?

1 Reply

Hi Bro

In R1, just do this if you're planning to block the source from the LAN in R1 to 10.10.10.2, and all should be good.

!
access-list 100 deny tcp any host 10.10.10.2 eq 80
access-list 100 permit ip any any
!
interface FastEthernet 0/0
 description ### WAN Link ###
 ip address 10.10.10.1 255.255.255.252
!
interface FastEthernet 0/1
 description ### LAN Link ###
 ip access-group 100 in
!

However, if you're trying to block R1 (from R1 itself) from reaching R2 10.10.10.2 via TCP/80, then you'll need to use the MPF method shown below:

!
class-map CM_HTTP
 match access-group 100
!
policy-map PM_HTTP
 class CM_HTTP
  drop
!
control-plane
 service-policy output PM_HTTP
!

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
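
Added example, not part of the thread or either poster's configuration: a small Python model of first-match extended ACL evaluation, run over the two ACLs quoted above, to show which direction of an HTTP flow each one matches. The packets, the client address 192.168.1.10 and the ephemeral port 49152 are constructed, and the parser handles only the syntax that appears on this page.

```python
import ipaddress

PORTS = {"www": 80}  # the only IOS port keyword used on the page

def _addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def _port(tok):
    """Consume an optional 'eq PORT' qualifier."""
    if tok[:1] == ["eq"]:
        return int(PORTS.get(tok[1], tok[1])), tok[2:]
    return None, tok

def parse(line):
    tok = line.split()[2:]  # drop 'access-list <number>'
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _addr(tok)
    sport, tok = _port(tok)
    dst, tok = _addr(tok)
    dport, tok = _port(tok)
    return action, proto, src, sport, dst, dport

def _ip_ok(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, proto, src, sport, dst, dport = parse(line)
        if (proto in ("ip", pkt["proto"])
                and _ip_ok(src, pkt["src"]) and _ip_ok(dst, pkt["dst"])
                and sport in (None, pkt["sport"]) and dport in (None, pkt["dport"])):
            return action
    return "deny"

ACL_131 = ["access-list 131 deny tcp host 10.10.10.1 eq www host 10.10.10.2",
           "access-list 131 permit ip any any"]
ACL_100 = ["access-list 100 deny tcp any host 10.10.10.2 eq 80",
           "access-list 100 permit ip any any"]
# Constructed packets (client address and port 49152 are assumptions).
RESPONSE = {"proto": "tcp", "src": "10.10.10.1", "sport": 80, "dst": "10.10.10.2", "dport": 49152}
REQUEST = {"proto": "tcp", "src": "192.168.1.10", "sport": 49152, "dst": "10.10.10.2", "dport": 80}
for name, pkt in (("response", RESPONSE), ("request", REQUEST)):
    print(name, "ACL 131:", evaluate(ACL_131, pkt), "| ACL 100:", evaluate(ACL_100, pkt))
```

The model covers entry matching only; which interface and direction the list is bound to with `ip access-group`, and traffic originated by the router itself, are outside it.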