access-list question

roberts_g
Level 1

I want to make an access-list to allow users to use the web and e-mail (hosted outside the office) only.

Users don't need anything else other than the web and e-mail at the moment.

I'm new to access-lists. Can you restrict traffic that way?

4 Replies

Richard Burts
Hall of Fame

You certainly can create an access list that would permit nothing but web and email to be forwarded outside by using an IP extended access list.

For example, access-list 101 permit tcp any any eq 80 would permit HTTP web traffic.

But I suggest that you should think carefully before you do this. How will you use DNS, for example, if the only thing allowed out is web and email. You want to be very careful that you do not implement an overly restrictive policy.

HTH

Rick

It isn't a very complex network. I only have one router with a serial and an ethernet port, which is then connected to the LAN. My users don't need to do much other than get out to the internet and get e-mail. I don't really want them to do anything else. I may have other dedicated machines that can do more, but I don't want the typical user to do much more than that. Then at the firewall I figured I could get more restrictive with what they can actually view on the net, etc.

Kind of new to this, just trying to play around with the access-lists to figure out the best way to restrict traffic.

Any best practice ideas? Again, it is a very small network, one router and a couple of servers. Servers are mainly internal file and print; no web server or e-mail server, all of that is hosted by an ISP / 3rd party.

Hello,

the access list would look like this:

interface FastEthernet0/0
 ip access-group 101 in
!
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq smtp
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq pop3

Obviously, your network might use another address space than 192.168.1.0/24, so you would need to change that accordingly.

HTH,

Georg
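As an added illustration (not code from this thread), a small Python evaluator for the extended-ACL syntax used in the replies above. It applies IOS wildcard-mask matching and the implicit deny at the end of every ACL, so it shows that the three entries posted by Georg forward HTTP and mail but drop the DNS lookups Rick warned about until a `permit udp ... eq domain` entry is added. The port keyword map, the sample packets and the assumption that the resolver is reached over UDP/53 are mine, not the thread's.

```python
import ipaddress

# IOS port keywords used in this thread (assumption: only these are mapped here).
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53}

def parse_addr(tok, i):
    """'any' or 'address wildcard'; returns ((network, wildcard), next_index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return (net, wild), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src wild dst wild [eq port]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto = tok[2], tok[3]
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        port = PORT_NAMES.get(p) or int(p)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}

def addr_matches(rule, ip):
    net, wild = rule
    # Wildcard bits set to 1 are "don't care"; only the 0 bits are compared.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (addr_matches(ace["src"], src) and addr_matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# Georg's three entries from this thread, as posted.
ACL_101 = [
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq smtp",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq pop3",
]
# The same ACL plus the DNS entry Rick's caveat calls for (constructed addition).
ACL_101_DNS = ACL_101 + ["access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain"]
```

With ACL_101 alone, a UDP/53 query from 192.168.1.10 falls through to the implicit deny, as does HTTPS on TCP/443; ACL_101_DNS permits the DNS query while still denying everything not listed.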

vishwesh
Level 1

Hi,

Firstly, the internet link needs to be terminated on your router. After that, the following access list will help you to resolve your problem.

access-list < nos> permit tcp any any eq www
access-list < nos> permit tcp any any eq pop3
access-list < nos> permit tcp any any eq smtp

Later, you have to apply this on the interface, either serial or ethernet. If you are choosing to apply it on the fastethernet interface, then you need to add the following default route.

ip route 0.0.0.0 0.0.0.0 < serial interface >

So whatever traffic comes in will be forwarded to the serial interface, which is nothing but your internet link which is terminated there.

Lastly, you have to configure a name server, where your name-to-IP translation will happen. The IP address will be provided by your service provider.

Configuration command:

ip name-server < IP Address >

With this you should be able to allow users to browse and check mails.

Regards,

vishwesh
