Re: ACL help!

modelman100 · ‎07-03-2011

I need to do this in one ACL and need help :

1) Restrict access from network 10.0.0.1/24 to internet ban on port 80 but allow access to this server 172.16.3.1

2) Allow access to all ports on the 10.0.0.1/24 but deny access to 172.16.3.1

How can i do this ?

Marwan ALshawi · ‎07-03-2011

Hi

This is orrery simple if just provide some more details like a simple topology or

If u have router with two interfaces where is the 172 server located ! Toward the Internet interface ?

By the way if the server located to the inside of ur network you may need reflexive acl to get working as you want

See the bellow link of how to configure it

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl

So the idea is to deny traffic from inside sourced from network 10.0 but u have the reflexive acl to inspect/evaluate the traffic going from outside to network 10 to allow the returne

You need inbound and outbound acls

Sent from Cisco Technical Support iPhone App

Richard.H.Sims · ‎07-04-2011

Do you want 172.16.3.1 to access the internet at all?

From what I can work out you have one router with 3 ports. One going to 10.x, one going to 172.x and the other going onto the internet.

IF the 172.x server doesn't need to access the internet then the ACL is quite simple. If it does then it'll be a little more complicated.

icewolf101 · ‎07-04-2011

ip access-list 101 deny tcp 10.0.0.1 0.0.0.255 any eq www

ip access-list 101 permit ip any 10.0.0.1 0.0.0.255

ip access-list 101 permit tcp any 172.16.3.1 eq www

ip access-list 101 deny ip any 172.16.3.1

Then apply it to appropriate interface and direction

cadet alain · ‎07-04-2011

Hi Robert,

2) Allow access to all ports on the 10.0.0.1/24 but deny access to 172.16.3.1

You mean from internet?

Regards.

Alain.

Don't forget to rate helpful posts.