ACL
02-01-2009 09:41 PM - edited 03-04-2019 01:04 AM
Hello
access-list 100 deny tcp any host 192.168.1.100 eq 80
*****
int fa 0/0 # ip access-group 100 out
Is this the correct ACL to prevent the specified host from reaching the internet?
If not, could someone please correct this.
thank you
Labels: Routing Protocols
02-01-2009 10:21 PM
Hi Ahmed,
This acl denies any outbound access to a web server under ip address 192.168.1.100.
To deny access of a specific host to any http service on the Internet:
access-list 100 deny tcp host 192.168.1.100 any eq 80
"int fa 0/0 # ip access-group 100 out"
This is OK if fa 0/0 is the Internet-facing interface.
Cheers:
Istvan
02-02-2009 12:08 AM
Hi Ahmed
And also don't forget the permit any at the end of the ACL, as any access list has a deny any statement at the end.
So, as below:
access-list 100 deny tcp host 192.168.1.100 any eq 80
access-list 100 permit ip any any
02-02-2009 01:06 AM
Hello Ala,
Nice to hear from you.
Be aware that TCP port 80 stays on the server side.
If f0/0 is your internal LAN:
access-list 100 deny tcp host 192.168.1.100 any eq 80
access-list 100 permit ip any any
int f0/0
ip access-group 100 in
If f0/0 is the WAN port (to the internet):
int f0/0
ip access-group 100 out
The well-known port follows the server side, and you need to permit something or the ACL will deny everything.
Hope to help
Giuseppe
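The three points made in this thread (the original entry matches traffic to the host's own port 80 rather than from it, every ACL ends in an implicit deny so a permit is needed, and `eq 80` must qualify the destination because the well-known port sits on the server side) can be checked with a small evaluator. The following is an added example, not code from the thread or from Cisco: it models only the `access-list N permit|deny proto src [eq p] dst [eq p]` syntax used above with first-match semantics and the implicit deny, and the host 192.168.1.50 and server addresses 203.0.113.10 / 203.0.113.53 are constructed test values.

```python
"""Minimal evaluator for the Cisco IOS extended-ACL subset used in the thread.

Added example (not Cisco's code). It models first-match evaluation and the
implicit 'deny any' at the end of every ACL, and supports 'any', 'host A.B.C.D'
and 'A.B.C.D WILDCARD' address specs plus an optional 'eq <port>' after the
source and/or destination.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None = any destination port


def _parse_addr(tokens, i):
    """Consume one address spec and return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard mask: 0 bits must match, so invert it to get a netmask
    # (non-contiguous wildcards are not supported by this toy parser).
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' and return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # ignore blank or non-ACL lines
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.IPv4Address(p.src) not in e.src:
        return False
    if ipaddress.IPv4Address(p.dst) not in e.dst:
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def evaluate(entries, packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in entries:
        if _matches(e, packet):
            return e.action
    return "deny"


# Constructed addresses for the demonstration (203.0.113.0/24 is documentation space).
HOST, OTHER, WEB, DNS = "192.168.1.100", "192.168.1.50", "203.0.113.10", "203.0.113.53"


def outcomes(acl_lines):
    """Evaluate a few constructed outbound flows and return {flow: action}."""
    entries = parse_acl(acl_lines)
    flows = {
        "host_to_web80": Packet("tcp", HOST, WEB, sport=51000, dport=80),
        "host_to_web443": Packet("tcp", HOST, WEB, sport=51001, dport=443),
        "host_dns": Packet("udp", HOST, DNS, sport=51002, dport=53),
        "other_to_web80": Packet("tcp", OTHER, WEB, sport=51003, dport=80),
    }
    return {name: evaluate(entries, p) for name, p in flows.items()}


ORIGINAL = ["access-list 100 deny tcp any host 192.168.1.100 eq 80"]
FIXED_NO_PERMIT = ["access-list 100 deny tcp host 192.168.1.100 any eq 80"]
FIXED = FIXED_NO_PERMIT + ["access-list 100 permit ip any any"]
PORT_ON_SOURCE = ["access-list 100 deny tcp host 192.168.1.100 eq 80 any",
                  "access-list 100 permit ip any any"]

if __name__ == "__main__":
    for label, acl in [("original", ORIGINAL), ("fixed, no permit", FIXED_NO_PERMIT),
                       ("fixed", FIXED), ("eq 80 on source", PORT_ON_SOURCE)]:
        print(f"{label:18} {outcomes(acl)}")
```

Running it shows the original single entry and the corrected entry without a trailing permit both deny every flow (the implicit deny catches whatever the first line does not), the corrected two-line ACL denies only the host's port-80 traffic while leaving its HTTPS and DNS and the other host's web traffic permitted, and putting `eq 80` on the source side matches nothing because the client's source port is ephemeral.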
