05-18-2012 04:33 PM - edited 03-04-2019 04:24 PM
Hello, I am trying to write an ACL to do the following:
- permit HTTP access to the web server 10.20.0.2/8
- deny all other access to the web server
- permit traffic to all other destinations
My attempt is:
permit tcp any 10.20.0.2 0.255.255.255 eq 80
deny ip any 10.20.0.2 0.255.255.255
permit ip any any
However I can still ping the web server at 10.20.0.2 so I have obviously not got the ACL right.
Can someone please advise how I should have written my ACL?
Thanks for any help.
05-18-2012 04:41 PM
Dave,
Your acl would look like this:
permit tcp any host 10.20.0.2 eq 80
deny ip any host 10.20.0.2
permit ip any any
HTH,
John
05-19-2012 12:52 PM
Dave
John has correctly identified an inconsistency in the mask used in your access list. But I believe that there may be more to the problem than the issue with the mask. If the access list in your original post were correctly applied on an IOS router, then it looks to me like access for any non-TCP traffic to network 10 would have been denied. So I believe that we need some additional information:
- What platform is this access list on? Masking is quite different between IOS devices and the ASA, for example. So what platform are we dealing with?
- How is the access list applied? If the access list is not applied at all, or is not applied to the correct interface, or is not applied in the correct direction then that would explain why you were able to ping the server.
HTH
Rick
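To make John's mask correction and Rick's point about network 10 concrete, here is an added example (not code from either poster): a small, constructed evaluator for the subset of IOS ACL syntax used in this thread, with first-match semantics and the implicit deny at the end. It assumes only the two ACLs quoted above; the helper names and the sample source address are my own.

```python
import ipaddress

# Wildcard masks are inverse masks: a 0 bit must match, a 1 bit is "don't care".
def wildcard_match(addr, base, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    # Handles "<permit|deny> <proto> <src> <dst> [eq <port>]", where an address is
    # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (constructed subset of IOS syntax).
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    def take():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ("0.0.0.0", "255.255.255.255")
        if rest[0] == "host":
            spec, rest = (rest[1], "0.0.0.0"), rest[2:]
            return spec
        spec, rest = (rest[0], rest[1]), rest[2:]
        return spec
    src, dst = take(), take()
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, proto, src, dst, dport=None):
    # First matching entry wins; anything unmatched hits the implicit deny at the end.
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"

# The two ACLs from the thread.
ORIGINAL_ACL = ["permit tcp any 10.20.0.2 0.255.255.255 eq 80",
                "deny ip any 10.20.0.2 0.255.255.255",
                "permit ip any any"]
CORRECTED_ACL = ["permit tcp any host 10.20.0.2 eq 80",
                 "deny ip any host 10.20.0.2",
                 "permit ip any any"]
```

Running the original ACL against an ICMP packet to 10.99.1.1 returns "deny" because the 0.255.255.255 wildcard matches all of network 10, whereas the corrected host form denies only 10.20.0.2; if pings to 10.20.0.2 still succeed with the corrected ACL, the issue is where and in which direction the list is applied, as Rick says.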