11-17-2016 09:58 AM - edited 03-05-2019 07:30 AM
I've been asked to fix an issue with how users access a device that is hanging off one of our 4510s.
Here's an example....
A phone system that has an IP address of 192.168.1.100 answers to a default port of 80. It's plugged into Gi 5/15. If a user enters that IP into their browser they get to the phone system's administration portal. Not good. Phone vendor says that's their default and it can't be changed.
Normal user traffic needs to go to port 10100, but the phone system has no method to change that.
So I need to create an ACL that redirects port 80 for that IP address to port 10100 while allowing an admin to enter http://192.168.1.100 to access the admin portal on the phone system.
How would I set up the ACL to do this?
Thanks,
Stew
11-17-2016 11:59 AM
Hi
You could just block all local users from accessing that IP address but allow your own IP, rather than trying to change ports. As an example, you would be 1.1.1.1: you can talk to 192.168.1.100 at port 80 but everyone else can't. Then apply it to the VLAN interface in and out: ip access-group 180 in, ip access-group 180 out
ip access-list extended 180
 permit tcp host 1.1.1.1 host 192.168.1.100 eq www
 deny tcp any 192.168.1.100 0.0.0.0 eq www
 permit tcp any any
11-17-2016 01:47 PM
Interesting solution - I would still need to apply the access list to the specific port, correct?
11-17-2016 01:53 PM
I would apply it to the VLAN interface so it covers all users at layer 2 associated with that VLAN and covers everyone. As you're allowing all other TCP traffic, users should still be able to use 10100; they should only be blocked on port 80. It's just an example, you may have to tweak it, but it should work.
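Added example, not part of any post in this thread: a small first-match evaluator for the three entries of ACL 180 as posted above, useful for checking which flows the list permits before applying it. It assumes standard extended-ACL semantics (top-down, first match wins, implicit deny at the end) and ignores interface direction and source ports; the function names are hypothetical.

```python
import ipaddress

# ACL 180 exactly as posted in the thread.
ACL_180 = """\
permit tcp host 1.1.1.1 host 192.168.1.100 eq www
deny tcp any 192.168.1.100 0.0.0.0 eq www
permit tcp any any
"""

PORT_NAMES = {"www": 80}  # the only port keyword this ACL uses

def _addr(tok):
    """Consume one address spec from tok; return (address, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse(text):
    """Parse the subset of extended-ACL syntax used above into rule tuples."""
    rules = []
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        port = None
        if tok and tok.pop(0) == "eq":
            p = tok.pop(0)
            port = PORT_NAMES.get(p) or int(p)
        rules.append((action, proto, src, dst, port))
    return rules

def _hit(ip, spec):
    # Wildcard bits set to 1 are "don't care", so mask them on both sides.
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if _hit(src, r_src) and _hit(dst, r_dst) and r_port in (None, dport):
            return action
    return "deny (implicit)"

RULES = parse(ACL_180)
```

For a constructed non-admin client 10.0.0.5, `evaluate(RULES, "tcp", "10.0.0.5", "192.168.1.100", 80)` returns `deny` and port 10100 returns `permit`. Any non-TCP packet (UDP, ICMP) matches no entry and falls through to the implicit deny.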