02-19-2020 06:08 PM
Hello everyone, I am new to the concept of networks and I am doing some practice with assignments using the Cisco Packet Tracer. I have a network with a PC connected to a router. This router is connected to another router and the second router is connected to a server.
I must create an extended ACL to the interface between the PC and the first router to permit access from the PC only to the http service of the server and deny access to any other internet service. Looking at the tab 'Services' of the server in Cisco Packet Tracer I see the following: HTTP, DHCP, DHCPv6, TFTP, DNS, SYSLOG, AAA, NTP, EMAIL, FTP.
So I am thinking I should find the ports of all the above services, deny all of them using the appropriate port numbers except port 80 (which is for http) and then permit ip (+IP and MASK of the PC) any. Is this the right way?
02-20-2020 07:41 AM
Here is the example for you to create one ACL - I have not provided any syntax here, so by looking at the document, you learn better here.
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
02-20-2020 08:12 AM
I have a couple of comments about this discussion.
- Certainly the approach of identifying the services that should not work, denying those explicit services, and permitting everything else is one way to approach this.
- I wonder about this aspect of the task "deny access to any other internet service". That is pretty broad and I wonder if there are things that might be accessed in the Internet that might be construed as services that are not in the list of services in that tab. Would it be safer to approach the task this way:
= permit the PC address to anywhere on tcp port 80
= perhaps permit the PC to access other local resources
= deny traffic from that PC to anywhere
= permit all other traffic
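As an added example that is not from either poster, here is the second approach written out as a named extended ACL in Cisco IOS syntax (which Packet Tracer accepts), with the first poster's port-by-port plan beside it for comparison. The PC address 192.168.1.10, the server address 10.0.0.100, the 10.0.0.0/24 "local" subnet and the interface name GigabitEthernet0/0 are constructed placeholders for the lab topology.

```cisco
! Added example, not the posters' own config. Addresses and the interface are placeholders:
! PC = 192.168.1.10, server = 10.0.0.100, PC-facing interface of router 1 = GigabitEthernet0/0.
!
! Approach from the second reply: the PC gets HTTP only, the rest of its traffic is dropped,
! and traffic from every other host is left alone.
ip access-list extended PC-HTTP-ONLY
 remark -- PC may reach web servers on TCP/80 only
 permit tcp host 192.168.1.10 any eq 80
 remark -- tighter alternative if only the lab server should be reachable (www = 80):
 remark --   permit tcp host 192.168.1.10 host 10.0.0.100 eq www
 remark -- optional: local resources the PC still needs (placeholder subnet, adjust to the lab)
 remark --   permit ip host 192.168.1.10 10.0.0.0 0.0.0.255
 remark -- everything else sourced from the PC is dropped
 deny ip host 192.168.1.10 any
 remark -- without this line the implicit 'deny any' at the end would also block all other hosts
 permit ip any any
!
! Apply inbound on the interface facing the PC: packets from the PC enter the router here,
! so the PC is always the source address the ACL matches on.
interface GigabitEthernet0/0
 ip access-group PC-HTTP-ONLY in
!
! For comparison, the original plan (deny each port from the server's Services tab, then
! permit the PC everywhere) needs one line per service and still lets the PC reach anything
! not on that list, e.g. HTTPS on TCP/443:
!   deny tcp host 192.168.1.10 any eq 21      (FTP)
!   deny tcp host 192.168.1.10 any eq 25      (EMAIL / SMTP)
!   deny udp host 192.168.1.10 any eq 53      (DNS)
!   deny udp host 192.168.1.10 any eq 69      (TFTP)
!   deny udp host 192.168.1.10 any eq 123     (NTP)
!   deny udp host 192.168.1.10 any eq 514     (SYSLOG)
!   ... one line per remaining service ...
!   permit ip host 192.168.1.10 any
!
! Verify: browse to the server from the PC, then try another service, and read the hit counters.
!   show access-lists PC-HTTP-ONLY
end
```

The counter on the `permit tcp ... eq 80` line should increase for the web request while the `deny ip host ... any` line catches the other attempt; if the other hosts lose connectivity, the trailing `permit ip any any` is missing.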