09-07-2012 06:31 AM - edited 02-21-2020 04:44 AM
I have a VLAN interface whose clients should only be able to access our internal intranet server and the internal side of the proxy server on another VLAN.
Clients are on Vlan460 ( 10.66.0.x )
Servers are on Vlan200 ( 10.32.0.x )
Intranet server is 10.32.0.160 (port 80)
Proxy is 10.32.0.136 (port 8080)
so I created.
=================================================
access-list 101 permit tcp 10.66.0.0 0.0.0.255 eq 8080 10.32.0.136
access-list 101 permit tcp 10.66.0.0 0.0.0.255 eq 80 10.32.0.160
interface vlan 460
ip access-group 101 in
=================================================
I could not contact the web server or proxy.
I added
===============================================
access-list 101 permit tcp host 10.32.0.136 10.66.0.0 established
access-list 101 permit tcp host 10.32.0.160 10.66.0.0 established
===============================================
Now I could access the web server but also get SSH?
I have tried all sorts of combinations and am now at a total loss, just going round in circles.
Can anybody guide me in my first real foray into ACLs? I have been trying with this for 4 hrs and, despite following a number of examples, keep either getting blocked or free access.
Cheers
Rob
09-07-2012 07:13 PM
The access-list should be as follows:
access-list 101 permit tcp 10.66.0.0 0.0.0.255 host 10.32.0.136 eq 8080
access-list 101 permit tcp 10.66.0.0 0.0.0.255 host 10.32.0.160 eq 80
Hope that helps.
09-13-2012 06:08 AM
Thanks Jennifer,
With your help I determined
access-list 101 permit tcp 10.66.0.0 0.0.0.255 host 10.32.0.136 eq 8080
access-list 101 permit tcp 10.66.0.0 0.0.0.255 host 10.32.0.160 eq www
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any eq domain any
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any eq bootpc any
and on the vlan
ip access-group 101 in
Seems to be working nicely.
Cheers
Rob
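The difference between the first attempt and the accepted answer is only where `eq <port>` sits: in IOS extended ACL syntax a port that follows the source address is a *source* port, so `10.66.0.0 0.0.0.255 eq 8080` only matches client segments sourced from 8080, which a browser never sends. The following matcher is an added example, not code from this thread or from Cisco; it implements the subset of numbered extended ACL syntax that appears above (permit/deny, tcp/udp/ip, any/host/wildcard addresses, `eq` ports, `established`, implicit deny at the end) and evaluates the original lines, the corrected lines from the answer, and Rob's final list against constructed packets. The client address 10.66.0.42, the resolver 10.32.0.5 and the `established` variant at the bottom are assumptions for illustration; treating a bare address with no wildcard as a host is also an assumption made so the question's lines parse.

```python
"""Matcher for the IOS extended-ACL subset used in this thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear on this page, plus ssh for the port-22 check.
PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67, "ssh": 22}


@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False    # TCP ACK/RST bit set; this is all "established" inspects


@dataclass
class Entry:
    action: str
    proto: str
    src: tuple           # (base, wildcard) as ints; wildcard bits are "don't care"
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool
    text: str


def _is_ip(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _addr(toks: list) -> tuple:
    """Consume one address spec (any | host A | A WILDCARD | A) from toks."""
    tok = toks.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (int(ipaddress.IPv4Address(toks.pop(0))), 0)
    base = int(ipaddress.IPv4Address(tok))
    if toks and _is_ip(toks[0]):
        return (base, int(ipaddress.IPv4Address(toks.pop(0))))
    # Assumption: a bare address with no wildcard is read as a single host.
    return (base, 0)


def _port_spec(toks: list) -> Optional[int]:
    """Consume an optional 'eq <port>'; 'eq' is the only operator on this page."""
    if toks and toks[0] == "eq":
        toks.pop(0)
        tok = toks.pop(0)
        return int(tok) if tok.isdigit() else PORT_NAMES[tok]
    return None


def parse(line: str) -> Entry:
    toks = line.split()
    assert toks[0] == "access-list", line
    action, proto, toks = toks[2], toks[3], toks[4:]
    src, sport = _addr(toks), _port_spec(toks)   # port after source = source port
    dst, dport = _addr(toks), _port_spec(toks)   # port after destination = dest port
    established = bool(toks) and toks[0] == "established"
    return Entry(action, proto, src, sport, dst, dport, established, line)


def _in(addr: str, spec: tuple) -> bool:
    base, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto not in ("ip", p.proto):
        return False
    if not _in(p.src, e.src) or not _in(p.dst, e.dst):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False
    return True


def evaluate(acl_lines: list, pkt: Packet) -> tuple:
    """First-match evaluation; returns (action, matching line) or ('deny', None)."""
    for entry in (parse(line) for line in acl_lines):
        if matches(entry, pkt):
            return entry.action, entry.text
    return "deny", None          # implicit deny at the end, as on IOS


ORIGINAL = [  # from the question: port placed on the source side
    "access-list 101 permit tcp 10.66.0.0 0.0.0.255 eq 8080 10.32.0.136",
    "access-list 101 permit tcp 10.66.0.0 0.0.0.255 eq 80 10.32.0.160",
]
ESTABLISHED_FROM_QUESTION = [
    "access-list 101 permit tcp host 10.32.0.136 10.66.0.0 established",
    "access-list 101 permit tcp host 10.32.0.160 10.66.0.0 established",
]
CORRECTED = [  # from the accepted answer
    "access-list 101 permit tcp 10.66.0.0 0.0.0.255 host 10.32.0.136 eq 8080",
    "access-list 101 permit tcp 10.66.0.0 0.0.0.255 host 10.32.0.160 eq 80",
]
FINAL = [  # Rob's working list
    "access-list 101 permit tcp 10.66.0.0 0.0.0.255 host 10.32.0.136 eq 8080",
    "access-list 101 permit tcp 10.66.0.0 0.0.0.255 host 10.32.0.160 eq www",
    "access-list 101 permit udp any any eq domain",
    "access-list 101 permit udp any eq domain any",
    "access-list 101 permit tcp any any eq domain",
    "access-list 101 permit tcp any eq domain any",
    "access-list 101 permit udp any any eq bootpc",
    "access-list 101 permit udp any eq bootpc any",
]
# Hypothetical line (not from the thread) to show what "established" really checks.
ESTABLISHED_VARIANT = ["access-list 101 permit tcp 10.66.0.0 0.0.0.255 any established"]

# Constructed packets as seen inbound on the VLAN 460 SVI (10.66.0.42 and 10.32.0.5 assumed).
WEB = Packet("tcp", "10.66.0.42", 51234, "10.32.0.160", 80)
PROXY = Packet("tcp", "10.66.0.42", 51235, "10.32.0.136", 8080)
SSH_SYN = Packet("tcp", "10.66.0.42", 51236, "10.32.0.160", 22)
SSH_ACK = Packet("tcp", "10.66.0.42", 51236, "10.32.0.160", 22, ack=True)
DNS = Packet("udp", "10.66.0.42", 40000, "10.32.0.5", 53)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED), ("final", FINAL)):
        for pkt in (WEB, PROXY, SSH_SYN, DNS, DHCP_DISCOVER):
            print(f"{name:9} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: "
                  f"{evaluate(acl, pkt)}")
```

Two things the evaluation makes visible. The `established` lines from the question have the server as the source address, so a packet entering from VLAN 460 can never match them; `established` placed on a line whose source is the client subnet would instead match any segment with ACK or RST set, port 22 included, because it inspects flag bits rather than connection state. In the final list, a DHCP DISCOVER is sourced from UDP 68 (bootpc) to 67 (bootps), so it is the `any eq bootpc any` line that admits it inbound; `any any eq bootpc` matches traffic destined to port 68, which an inbound ACL on the client SVI would only see from a DHCP server located on VLAN 460.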
09-14-2012 01:44 AM
Excellent.. and thanks for the update.
Please kindly mark the post answered so others can learn from your post. Thank you.