Access list on 805 not working properly ??

nadeep-desilva
Level 1

Router 805 (One LAN one WAN)

I have created an access list as below:

access-list 110 permit tcp any host 203.94.69.220 eq 80
access-list 110 permit tcp any host 203.94.69.220 eq 443
access-list 110 deny ip any host 203.94.69.220
access-list 110 permit ip any any

I have put this on "S0 in". My aim is to allow 203.94.69.220 only Internet browsing. (Note DNS local.) However, this does not work, and furthermore if

I remove port 80 (e.g. access-list 110 permit tcp any host 203.94.69.220) it works, and this implies that not only port 80 is used?

One more question. I have noticed that this access list enforced on "S0 in" affects traffic which is on E0 (I have two different IP subnets routed through E0), which should not happen!? Note: I have NAT on these interfaces; can this be the reason?

Please help

Thank you.

Regards,

Nadeep

2 Replies

ruwhite
Level 7

The most likely reason for your first problem is that you are filtering on the www destination port against the source machine. You need to set up the access list so the destination port is filtered:

access-list 110 permit tcp any eq 80 host 203.94.69.220

The second problem I couldn't comment on without more information.

Russ

Russ, thank you for the reply. Yes, this is a solution.

I used a packet analyser to check what's happening. The browser "talks" to the server's port 80 using ports like 20xx (random, I guess). Therefore the incoming packets are addressed to this port (20xx), and when only port 80 is allowed, no browsing!
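The following is an added example, not code from the thread or from Cisco, that simulates first-match ACL evaluation to show why the original list blocks browsing and why Russ's fix works: on "S0 in" the router sees the server's reply, whose destination port is the browser's ephemeral port (20xx in the poster's capture) and whose source port is 80, so an ACE that matches on destination port 80 never fires. The web server address 198.51.100.10 and the ephemeral port 2049 are constructed values. The third list adds the IOS `established` keyword (matches only TCP segments with ACK or RST set), which is the usual way to narrow the permit for return traffic, since a bare "source port 80" permit also lets through an unsolicited connection that merely uses 80 as its source port.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """A packet as seen at the inbound interface (constructed sample data)."""
    proto: str            # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False   # TCP ACK or RST flag set (what IOS 'established' tests)


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'any' matches every address, None matches every port."""
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool = False


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def _port_match(spec: Optional[int], port: int) -> bool:
    return spec is None or spec == port


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if not (_port_match(ace.sport, pkt.sport) and _port_match(ace.dport, pkt.dport)):
        return False
    if ace.established and not pkt.ack_or_rst:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


HOST = "203.94.69.220"          # the LAN host from the thread
WEB = "198.51.100.10"           # constructed: some web server on the Internet

# The poster's original list: port 80/443 matched as the *destination* port.
ORIGINAL_ACL = [
    Ace("permit", "tcp", "any", None, HOST, 80),
    Ace("permit", "tcp", "any", None, HOST, 443),
    Ace("deny", "ip", "any", None, HOST, None),
    Ace("permit", "ip", "any", None, "any", None),
]

# Russ's correction: port 80/443 matched as the *source* port of the reply.
CORRECTED_ACL = [
    Ace("permit", "tcp", "any", 80, HOST, None),
    Ace("permit", "tcp", "any", 443, HOST, None),
    Ace("deny", "ip", "any", None, HOST, None),
    Ace("permit", "ip", "any", None, "any", None),
]

# Same, plus 'established': only segments that belong to an existing TCP session.
ESTABLISHED_ACL = [
    Ace("permit", "tcp", "any", 80, HOST, None, established=True),
    Ace("permit", "tcp", "any", 443, HOST, None, established=True),
    Ace("deny", "ip", "any", None, HOST, None),
    Ace("permit", "ip", "any", None, "any", None),
]

# Constructed packets arriving inbound on S0.
REPLY = Packet("tcp", WEB, 80, HOST, 2049, ack_or_rst=True)       # server reply to the browser
UNSOLICITED = Packet("tcp", WEB, 80, HOST, 2049, ack_or_rst=False) # new connection with sport 80


def demo() -> dict:
    """Evaluate each list against the sample packets; returns action per case."""
    return {
        "original/reply": evaluate(ORIGINAL_ACL, REPLY),
        "corrected/reply": evaluate(CORRECTED_ACL, REPLY),
        "corrected/unsolicited": evaluate(CORRECTED_ACL, UNSOLICITED),
        "established/reply": evaluate(ESTABLISHED_ACL, REPLY),
        "established/unsolicited": evaluate(ESTABLISHED_ACL, UNSOLICITED),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:26s} -> {action}")
```

Running it shows the original list denying the server's reply (destination port 2049 matches neither permit, so the explicit deny for the host fires), the corrected list permitting it, and the `established` variant permitting the reply while still denying an inbound connection that only spoofs source port 80. The simulation models a single inbound ACL on one interface, so it says nothing about the poster's second question on E0 and NAT.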
