Cisco Router - How to test/confirm after configuring an ACL to permit only port 80 traffic inbound

MjLuitel
Level 1

I have configured ACL in the router to permit only port 80 traffic inbound to the web server.

How do i test/confirm: the HTTP connectivity between the router and the web server?

4 Replies

Seb Rupik
VIP Alumni

Hi there,

If you want to test the ACL from inside your network, you could use a PC on another VLAN routed by the router and run an NMAP scan against the server. This should hopefully show that only port 80 is open.

If you want to test your ACL from an external location, you could use the following website:

https://www.yougetsignal.com/tools/open-ports/

cheers,

Seb.

Thanks for the reply. Still I am not clear.
NMAP won't work in my router. Do I have to install it??

My problem:
Internal host should be able to access web server via port 80 and 8080 only, other access is restricted.

This configuration is done on the router that is connected to the web server.
I am able to ping the router and the web server from internal hosts (hosts connected to the same router).

But how do I confirm (verify my solution):
1) the router is permitting only port 80 and port 8080 traffic from internal hosts.
2) the connectivity is working as well between the router and the web server using port 80 and 8080. Something like ping with port (I know it doesn't work).

Thanks.

The NMAP suggestion was to install it on a PC in another subnet and run a scan against the server from there.

If you can't do that you could add the log statement to the implicit deny at the end of your ACL:

!
ip access-list extended 80-8080-TO-SERVER
 ! x.x.x.x is the web server's address
 permit tcp any host x.x.x.x eq 80
 permit tcp any host x.x.x.x eq 8080
 ! explicit deny with "log" so every dropped TCP packet is recorded;
 ! non-TCP traffic still falls through to the unlogged implicit deny
 deny tcp any any log
!
! keep level 6 (informational) messages in the local buffer for "show logging"
logging buffered informational
!
! the list only takes effect once bound to the inside interface with
! "ip access-group 80-8080-TO-SERVER in" (interface name omitted here)
!

This will confirm that all traffic other than TCP/80 and TCP/8080 is being dropped.

cheers,

Seb.

Hi

If you enable the logs on the ACL, it can display records; also, you can execute "show access-list <access-list name>" and you will see the matches.

Check this link:

https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
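An added example (not from this thread or from Cisco) that checks the logging-buffer output both replies point to: it parses the IPACCESSLOGP lines the router writes for ACL entries carrying "log" and confirms that only TCP/80 and TCP/8080 are ever permitted towards the server. It assumes "log" is also set on the two permit entries so that accepted connections show up, and uses constructed sample lines with 192.0.2.10 standing in for x.x.x.x.

```python
import re
from collections import Counter

# Constructed "show logging" excerpt (hypothetical hosts; 192.0.2.10 = the web server).
SAMPLE_LOG = """\
*Mar  1 00:12:01.123: %SEC-6-IPACCESSLOGP: list 80-8080-TO-SERVER permitted tcp 10.10.1.25(51022) -> 192.0.2.10(80), 1 packet
*Mar  1 00:12:03.456: %SEC-6-IPACCESSLOGP: list 80-8080-TO-SERVER permitted tcp 10.10.1.25(51023) -> 192.0.2.10(8080), 1 packet
*Mar  1 00:12:09.789: %SEC-6-IPACCESSLOGP: list 80-8080-TO-SERVER denied tcp 10.10.1.25(51024) -> 192.0.2.10(22), 1 packet
*Mar  1 00:12:15.000: %SEC-6-IPACCESSLOGP: list 80-8080-TO-SERVER denied tcp 10.10.1.31(40001) -> 192.0.2.10(443), 3 packets
*Mar  1 00:12:20.000: %SEC-6-IPACCESSLOGP: list 80-8080-TO-SERVER permitted tcp 10.10.1.31(40002) -> 192.0.2.10(23), 1 packet
"""

# Plain IPACCESSLOGP format; entries written with "log-input" carry an extra
# "(interface mac)" field after the source and are not handled here.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """One dict per IPACCESSLOGP line; unrelated log lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["count"] = int(e["count"])
            entries.append(e)
    return entries

def verify_acl(entries, acl_name, server, allowed_ports):
    """Compare the log with the intended policy: only allowed_ports may be
    permitted towards server. Returns (unexpected permits, denied packets per port)."""
    violations, denied = [], Counter()
    for e in entries:
        if e["acl"] != acl_name or e["dst"] != server:
            continue
        if e["action"] == "permitted" and e["dport"] not in allowed_ports:
            violations.append(e)
        elif e["action"] == "denied":
            denied[e["dport"]] += e["count"]
    return violations, denied

if __name__ == "__main__":
    bad, denied = verify_acl(parse_acl_log(SAMPLE_LOG), "80-8080-TO-SERVER", "192.0.2.10", {80, 8080})
    for v in bad:
        print(f"UNEXPECTED PERMIT: {v['src']} -> {v['dst']}:{v['dport']} ({v['acl']})")
    print("denied packets by destination port:", dict(denied))
```

With the sample above the run reports one unexpected permit (TCP/23), which is exactly the kind of misconfiguration the original poster wants to rule out, and counts the dropped packets to 22 and 443.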