ACL to permit http and deny all other internet services

MikeVan90
Level 1

Hello everyone, I am new to the concept of networks and I am doing some practice with assignments using the Cisco Packet Tracer. I have a network with a PC connected to a router. This router is connected to another router, and the second router is connected to a server.

I must create an extended ACL to the interface between the PC and the first router to permit access from the PC only to the http service of the server and deny access to any other internet service. Looking at the tab 'Services' of the server in Cisco Packet Tracer I see the following: HTTP, DHCP, DHCPv6, TFTP, DNS, SYSLOG, AAA, NTP, EMAIL, FTP.

So I am thinking I should find the ports of all the above services, deny all of them using the appropriate port numbers except port 80 (which is for http) and then permit ip (+IP and MASK of the PC) any. Is this the right way?

2 Replies

balaji.bandi
Hall of Fame

Here is an example for you to create one ACL. I have not provided any syntax here, so by looking at the document you learn better:

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

 

BB


Richard Burts
Hall of Fame

I have a couple of comments about this discussion.

- Certainly the approach of identifying the services that should not work, denying those explicit services, and permitting everything else is one way to approach this.

- I wonder about this aspect of the task "deny access to any other internet service". That is pretty broad and I wonder if there are things that might be accessed in the Internet that might be construed as services that are not in the list of services in that tab. Would it be safer to approach the task this way:

= permit the PC address to anywhere on tcp port 80 

= perhaps permit the PC to access other local resources

= deny traffic from that PC to anywhere

= permit all other traffic

 

HTH

Rick
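To make the difference between the two approaches in this thread concrete, here is an added example (not code from either poster, and not Cisco's own tooling): a small Python model of how IOS evaluates an extended access list (top to bottom, first match wins, implicit deny at the end), run over constructed sample packets. The PC address 192.168.1.10, server 10.0.0.5, neighbour host 192.168.1.20, the list number 100 and the handful of service ports in the enumerate-deny list are all assumptions chosen for illustration.

```python
"""Compare two extended-ACL candidates under Cisco IOS matching semantics.

Added example: the addresses, ports and list number below are assumptions.
IOS checks entries top to bottom, the first match wins, and every access
list ends with an implicit 'deny ip any any'.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PC = "192.168.1.10"      # assumed address of the restricted PC
SERVER = "10.0.0.5"      # assumed address of the server behind router 2
OTHER = "192.168.1.20"   # assumed second host on the same LAN segment


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # renders as "eq <port>" on tcp/udp entries

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return _addr_in(self.src, p.src) and _addr_in(self.dst, p.dst)


def _addr_in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def evaluate(acl: List[Rule], p: Packet) -> str:
    """Return 'permit' or 'deny' for one packet; first matching entry wins."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"  # the implicit 'deny ip any any' at the end of every IOS ACL


def _ios_addr(spec: str) -> str:
    if spec == "any":
        return "any"
    net = ip_network(spec)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # IOS uses a wildcard mask


def to_ios(acl: List[Rule], number: int) -> List[str]:
    """Render the rule list as numbered extended access-list commands."""
    lines = []
    for r in acl:
        line = f"access-list {number} {r.action} {r.proto} {_ios_addr(r.src)} {_ios_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


# Approach from the question: deny the services in the server's tab by port,
# then permit the PC everything else. Only a few default ports (FTP, SMTP,
# DNS, TFTP, NTP) are listed here; any hand-written enumeration is incomplete.
ENUMERATE_DENY = [
    Rule("deny", "tcp", f"{PC}/32", "any", 21),
    Rule("deny", "tcp", f"{PC}/32", "any", 25),
    Rule("deny", "udp", f"{PC}/32", "any", 53),
    Rule("deny", "udp", f"{PC}/32", "any", 69),
    Rule("deny", "udp", f"{PC}/32", "any", 123),
    Rule("permit", "ip", f"{PC}/32", "any"),
]

# Richard's approach: permit exactly the one service, deny the PC everything
# else, and let other hosts behind the same interface through.
DEFAULT_DENY = [
    Rule("permit", "tcp", f"{PC}/32", "any", 80),
    Rule("deny", "ip", f"{PC}/32", "any"),
    Rule("permit", "ip", "any", "any"),
]

# Constructed test traffic: the allowed HTTP request, services nobody listed
# (HTTPS, ping), one listed service (FTP), and a neighbour host.
SAMPLES = {
    "pc_http": Packet("tcp", PC, SERVER, 80),
    "pc_https": Packet("tcp", PC, SERVER, 443),
    "pc_ftp": Packet("tcp", PC, SERVER, 21),
    "pc_ping": Packet("icmp", PC, SERVER),
    "other_https": Packet("tcp", OTHER, SERVER, 443),
}


def compare() -> dict:
    """Verdict (enumerate-deny, default-deny) for every sample packet."""
    return {name: (evaluate(ENUMERATE_DENY, p), evaluate(DEFAULT_DENY, p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (enum, dflt) in compare().items():
        print(f"{name:12s} enumerate-deny={enum:6s} default-deny={dflt}")
    print("\n".join(to_ios(DEFAULT_DENY, 100)))
```

Running it shows the practical point behind Richard's reply: with the enumerate-deny list the PC still reaches HTTPS on 443 and can ping the server, because neither appears in the tab the question worked from, while the default-deny list permits only TCP/80 and blocks the rest. The enumerate-deny list also has a side effect the question did not mention: with no final `permit ip any any`, every other host on that interface is cut off by the implicit deny. The rendered commands for the default-deny list are the three `access-list 100 ...` lines IOS would take verbatim; since all of them key on the PC as source, they belong inbound on the PC-facing interface (`ip access-group 100 in`), which is the direction that sees packets leaving the PC.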