10-16-2017 11:18 PM - edited 03-05-2019 09:18 AM
I have configured an ACL on the router to permit only port 80 traffic inbound to the web server.
How do I test/confirm the HTTP connectivity between the router and the web server?
10-17-2017 01:24 AM
Hi there,
If you want to test the ACL from inside your network, you could use a PC on another VLAN routed by the router and run an NMAP scan against the server. This should hopefully show that only port 80 is open.
If you want to test your ACL from an external location, you could use the following website:
https://www.yougetsignal.com/tools/open-ports/
cheers,
Seb.
10-17-2017 01:50 AM
10-17-2017 02:02 AM - edited 10-17-2017 05:20 AM
The NMAP suggestion was to install it on a PC in another subnet and run a scan against the server from there.
If you can't do that you could add the log statement to the implicit deny at the end of your ACL:
!
ip access-list ext 80-8080-TO-SERVER
 permit tcp any host x.x.x.x eq 80
 permit tcp any host x.x.x.x eq 8080
 deny tcp any any log
!
logging buffer info
!
This will confirm that all traffic other than TCP/80 and TCP/8080 is being dropped.
cheers,
Seb.
10-17-2017 05:10 AM - edited 10-17-2017 05:11 AM
Hi
If you enable the logs on the ACL it can display registers, also you can execute: show access-list <access-list name> and you will see the matches.
Check this link:
https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html
Hope it is useful
:-)