07-03-2011 01:20 PM - edited 03-04-2019 12:52 PM
I need to do this in one ACL and need help:
1) Restrict access from network 10.0.0.1/24 to the internet (ban on port 80) but allow access to this server, 172.16.3.1
2) Allow access to all ports on the 10.0.0.1/24 but deny access to 172.16.3.1
How can I do this?
07-03-2011 02:00 PM
Hi
This is pretty simple if you just provide some more details, like a simple topology.
If you have a router with two interfaces, where is the 172 server located? Toward the Internet interface?
By the way, if the server is located on the inside of your network you may need a reflexive ACL to get it working as you want.
See the below link for how to configure it:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl
So the idea is to deny traffic from inside sourced from network 10.0, but you have the reflexive ACL to inspect/evaluate the traffic going from outside to network 10 to allow the return.
You need inbound and outbound ACLs.
Sent from Cisco Technical Support iPhone App
07-04-2011 03:00 AM
Do you want 172.16.3.1 to access the internet at all?
From what I can work out you have one router with 3 ports: one going to 10.x, one going to 172.x, and the other going onto the internet.
If the 172.x server doesn't need to access the internet then the ACL is quite simple. If it does then it'll be a little more complicated.
07-04-2011 03:17 AM
access-list 101 remark Block port 80 (www) from the 10.0.0.0/24 network
access-list 101 deny tcp 10.0.0.1 0.0.0.255 any eq www
access-list 101 remark Allow everything else destined to the 10.0.0.0/24 network
access-list 101 permit ip any 10.0.0.1 0.0.0.255
access-list 101 remark Allow only port 80 (www) to the 172.16.3.1 server, deny the rest
access-list 101 permit tcp any host 172.16.3.1 eq www
access-list 101 deny ip any host 172.16.3.1
Then apply it to the appropriate interface and direction.
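To see which entry of an ACL like the one above a given flow actually hits (entries are checked top-down, the first match wins, and anything that matches nothing falls to the implicit deny at the end of every IOS ACL), here is a small evaluator added as an example. It is not code from this thread or from Cisco; it models only the parts of extended-ACL syntax the reply uses (any, host, address plus wildcard, protocol, destination port), and the sample flows and public addresses (203.0.113.x, 198.51.100.x) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical, minimal model of IOS extended-ACL evaluation (example code).
# Entries are tested in order; the first match decides; no match = implicit deny.


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (matches everything), "tcp" or "udp"
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    dport: Optional[int] = None  # destination port, None = any port


def _match_addr(spec: str, addr: str) -> bool:
    """IOS address matching: 'any', 'host X', or 'X wildcard' (0-bits must match)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_address(parts[1]) == ipaddress.ip_address(addr)
    base, wildcard = (int(ipaddress.ip_address(p)) for p in parts)
    mask = (~wildcard) & 0xFFFFFFFF           # wildcard 1-bits are "don't care"
    return (int(ipaddress.ip_address(addr)) & mask) == (base & mask)


def evaluate(acl, proto, src, dst, dport):
    """Return (action, entry index) of the first match, or ('deny', None) for the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


# The four entries of the ACL posted in the reply above, in the same order (www = 80)
ACL_101 = [
    Ace("deny",   "tcp", "10.0.0.1 0.0.0.255", "any", 80),
    Ace("permit", "ip",  "any", "10.0.0.1 0.0.0.255"),
    Ace("permit", "tcp", "any", "host 172.16.3.1", 80),
    Ace("deny",   "ip",  "any", "host 172.16.3.1"),
]


def check_flows(acl=ACL_101):
    """Run constructed sample flows through the ACL and report which entry each one hits."""
    flows = {
        "lan_to_internet_http":    ("tcp", "10.0.0.25", "203.0.113.10", 80),
        "lan_to_internet_https":   ("tcp", "10.0.0.25", "203.0.113.10", 443),
        "lan_to_server_http":      ("tcp", "10.0.0.25", "172.16.3.1", 80),
        "lan_to_server_ssh":       ("tcp", "10.0.0.25", "172.16.3.1", 22),
        "internet_to_lan_rdp":     ("tcp", "198.51.100.7", "10.0.0.40", 3389),
        "internet_to_server_http": ("tcp", "198.51.100.7", "172.16.3.1", 80),
        "internet_to_server_ssh":  ("tcp", "198.51.100.7", "172.16.3.1", 22),
    }
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, idx) in check_flows().items():
        where = "implicit deny" if idx is None else f"entry {idx}"
        print(f"{name:26s} -> {action:6s} ({where})")
```

Two things the output makes visible that the config lines alone do not: a single ACL only ever sees traffic in the one direction it is applied, so entries written for LAN-sourced and for internet-sourced flows are never both consulted for the same packet; and every flow that matches none of the four entries (for example LAN to internet on a port other than 80) is reported as the implicit deny with index None, which is the first place to look when "nothing works" after applying an ACL.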
07-04-2011 03:31 AM
Hi Robert,
2) Allow access to all ports on the 10.0.0.1/24 but deny access to 172.16.3.1
You mean from internet?
Regards.
Alain.