07-23-2021 08:13 AM
I am trying to allow port 80 through this ACL so we can manage the web interfaces of the printers that will be on this VLAN.
The ACL is applied to the VLAN as "in". The device is a WS-C3650-24PD, version 16.3.6.
This is what I have right now:
10 permit tcp any host "DNS server1" eq domain
20 permit udp any host "DNS server1" eq domain
30 permit tcp any host "DNS server2" eq domain
40 permit udp any host "DNS server2" eq domain
41 permit tcp any host "Print Server" eq 9100
42 permit udp any host "Print Server" eq 9100
43 permit tcp host "Print Server" any eq 9100
44 permit udp host "Print Server" any eq 9100
50 permit tcp any host "WMS server2" eq 13500
51 permit tcp any host "WMS server2" eq 13502
52 permit tcp any host "WMS server1" eq 13500
53 permit tcp any host "WMS server1" eq 13503
60 deny ip any "network 1" (5871 matches)
70 deny ip any "network 2"
80 deny ip any "network 3"
90 deny ip any "network 4"
100 permit ip any any
Any device that is on this VLAN that needs to get to WMS server 1 or 2 via those ports does work, and the domain lookup works as well. All I really need is to add a line (or lines) that allow port 80 from anywhere to any address on the VLAN.
07-23-2021 08:36 AM
If you are looking for a controlled ACL, the line below does not make any sense: "100 permit ip any any"
You can add a line number between 10 and 60; any number should work for your requirement, for example:
54 permit tcp any host "WMS server1" eq 80
If you are looking for any IP address, then add the line below:
55 permit tcp any any eq 80
07-23-2021 10:03 AM - edited 07-23-2021 10:09 AM
I have already tried the line "55 permit tcp any any eq 80" and it does not work.
We are trying to access the web interface of a printer. Since we are going to have a lot of printers, it will be any IP on that subnet, and any computer on another subnet will need access to the web interface.
07-23-2021 12:15 PM
I should specify some more. If I am on the VLAN that the printers are on (vlan 102), I can access websites on port 80; however, if I am on one of the PCs that is not on that VLAN, I can't access any website on port 80 on vlan 102.
07-23-2021 04:56 PM
This requires more information. Post the full configuration: on what VLAN is this ACL applied? Which VLAN has the printers, and what IP addresses do they have?
Are they connected to this switch or to another switch? Is this the only switch you have in the network?
07-26-2021 05:08 AM
I think I figured it out.
By adding the line "55 permit tcp "subnet of vlan 102" eq 80 "subnet of the vlan my pc is on"" it appears to work. I can access the web interface of the printer from my PC; however, when I go on a different computer on a different VLAN it still does not work.
We have a layer 3 core switch controlling the access. There are a number of different switches these printers are connected to. All printers are wifi printers, on Meraki and Ubiquiti access points.
If you are wondering, this VLAN was for wifi barcode scanners and wifi label printers.
07-26-2021 05:24 AM
Glad you were able to sort the issue. Since we do not have any visibility of your network, we asked you to provide more information. Cheers for the feedback and the working solution.
07-30-2021 02:38 PM
Hello
The SVI logic for an access-list:
IN = originating from within the VLAN
OUT = originating from outside the VLAN
Sounds like you have a routed access-list on more than one SVI?
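As an added illustration (not from the thread), a small Python first-match ACL evaluator that replays the OP's lines against a printer's HTTP reply, which is the direction an "in" ACL on the vlan 102 SVI actually filters. The subnets, printer address and ephemeral port are constructed placeholders, and it assumes the "deny ip any network 1" line covers the PC subnet.

```python
import ipaddress

# Constructed placeholder subnets standing in for the thread's "subnet of vlan 102",
# "subnet of the vlan my pc is on" and the other client VLAN that still failed.
PRINTER_VLAN = ipaddress.ip_network("10.102.0.0/24")
PC_VLAN = ipaddress.ip_network("10.10.0.0/24")
OTHER_VLAN = ipaddress.ip_network("10.20.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


class Ace:
    """One access-list entry; a port of None means 'any port'."""
    def __init__(self, seq, action, proto, src, src_port, dst, dst_port):
        self.seq, self.action, self.proto = seq, action, proto
        self.src, self.src_port, self.dst, self.dst_port = src, src_port, dst, dst_port

    def matches(self, proto, src_ip, src_port, dst_ip, dst_port):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src_ip) not in self.src:
            return False
        if ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(proto, src_ip, src_port, dst_ip, dst_port):
            return ace.action, ace.seq
    return "deny", None


# The line the OP tried first, the line that worked, and the deny/permit tail from the post.
# Assumption: the "deny ip any network 1" line (5871 matches in the post) covers the PC subnet.
LINE_55_TRIED = Ace(55, "permit", "tcp", ANY, None, ANY, 80)
LINE_55_WORKED = Ace(55, "permit", "tcp", PRINTER_VLAN, 80, PC_VLAN, None)
TAIL = [Ace(60, "deny", "ip", ANY, None, PC_VLAN, None),
        Ace(70, "deny", "ip", ANY, None, OTHER_VLAN, None),
        Ace(100, "permit", "ip", ANY, None, ANY, None)]


def printer_reply(line_55, client_ip):
    """A printer's HTTP reply as the 'in' ACL on the vlan 102 SVI sees it:
    source port 80 on the printer, ephemeral destination port on the browser."""
    return evaluate([line_55] + TAIL, "tcp", "10.102.0.50", 80, client_ip, 51234)
```

The tried line only matches the browser's request (destination port 80), which this ACL never sees; the working line matches the reply but only toward the PC subnet, which is why a client on another VLAN still hits its deny line.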