SIMPLE ACCESS LIST

cigalahgroup
Level 1

Hello,

I have an 887 router, which is attached to a server with IP address 192.168.0.10, and the router's VLAN1 is 192.168.0.1.

I would like to block all internet traffic on the server except ports 80 and 443. I did the following below:

ip access-list extended 101

permit tcp any host 192.168.0.10 eq 80

permit tcp any host 192.168.0.10 eq 443

deny ip any host 192.168.0.10

and on the interface vlan1

ip access-group 101 in


Seb Rupik
VIP Alumni

Hi there,

The ACL you have created should be applied OUTbound on the VLAN1 SVI.

cheers,

Seb.

You mean to say:

interface vlan1

ip access-group 101 out

Yes. If outbound access-groups are supported.

If not, try @luis_cordova's implementation. Keep in mind that doing it this way would permit devices to still send traffic to the server; it would only be able to reply on TCP/80 and TCP/443.

cheers,

Seb.

luis_cordova
VIP Alumni

Hi @cigalahgroup,

Try this:

ip access-list extended 101

permit tcp host 192.168.0.10 any eq 80

permit tcp host 192.168.0.10 any eq 443

deny ip any any

int vlan 1

ip access-group 101 in

Regards

Hello


@cigalahgroup wrote:

Hello,

I have an 887 router, which is attached to a server with IP address 192.168.0.10, and the router's VLAN1 is 192.168.0.1.

I would like to block all internet traffic on the server except ports 80 and 443. I did the following below:

ip access-list extended 101
permit tcp any host 192.168.0.10 eq 80
permit tcp any host 192.168.0.10 eq 443
deny ip any host 192.168.0.10
permit ip any any


interface vlan1
ip access-group 101 OUT

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I only want to access the internet with ports 80 and 443, and all other ports should be blocked.

Hello


@cigalahgroup wrote:

I would like to block all internet traffic on the server except port 80 and 443. I did the following


So if this isn't correct, do you wish all hosts in VLAN 1 to be denied internet access other than this server, and that's only allowed for HTTP/HTTPS?

So do you have any other VLANs? Plus, given that VLAN 1 is a private subnet, I assume the router is performing NAT?

Post the config of the router so we can obtain a clearer understanding of the router setup.



Kind Regards
Paul

Here is the config:

!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname woo
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$DTRE$zvzwB3cIB0/1L/
!
no aaa new-model
ethernet lmi ce
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FCZ2244116S
!
!
username cisco
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
ip access-group 101 OUT
!
interface Dialer0
bandwidth 1024
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname 471@1024.verizon.com
ppp chap password 0 ***
ppp pap sent-username 471@1024.verizon.com
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static 192.168.0.10 8.9.10.11
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended 101
permit tcp any host 192.168.0.10 eq 80
permit tcp any host 192.168.0.10 eq 443
deny ip any host 192.168.0.10
!
snmp-server community public RO
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 120 0
password 7 13061E010803
login
length 0
transport input all
transport output none
line vty 5 15
login
transport input none
!
scheduler allocate 20000 1000
!
end

Hello


Do you wish all hosts in VLAN 1 to be denied internet access other than this server, and that's only allowed for HTTP/HTTPS?

Can you confirm what exactly you wish to happen?


Kind Regards
Paul

Simply, I want to give internet access to only one computer, 192.168.0.X; from outside all the ports should be blocked, but from inside I should be able to browse the internet.

Hello


@cigalahgroup wrote:

Simply, I want to give internet access to only one computer, 192.168.0.X; from outside all the ports should be blocked, but from inside I should be able to browse the internet.


So then you really don't need an ACL for that; you just have to amend your static NAT statement:

ip nat inside source static tcp 192.168.0.10 80 8.9.10.11 80 extendable 

ip nat inside source static tcp 192.168.0.10 443 8.9.10.11 443 extendable 

no ip access-list extended 101

Kind Regards
Paul

Joseph W. Doherty
Hall of Fame
BTW, remember every ACL ends with an implicit deny all, so your last ACE is redundant.

Besides revisions/corrections suggested by other posters, you're blocking more than just Internet traffic.
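An added example, not from any post in this thread: a small Python model of how an IOS extended ACL is evaluated (first match wins, an implicit deny at the end, and "eq" after the destination address matching the destination port), covering only the ACE forms used above. It runs the ACL from the opening post and the one @luis_cordova suggested against a few constructed flows as they would enter Vlan1 inbound; the 203.0.113.x and 198.51.100.x addresses are constructed documentation addresses, not from the thread.

```python
from collections import namedtuple

# One flow as it arrives 'in' on Vlan1 (LAN -> router, before NAT).
Packet = namedtuple("Packet", "proto src sport dst dport")

def ace_matches(ace: str, pkt: Packet) -> bool:
    """Match one ACE of the form used in the thread: ACTION PROTO SRC DST [eq PORT].
    SRC/DST is 'any' or 'host A.B.C.D'; as in IOS, 'eq' after DST is the destination port."""
    tok = ace.split()
    i = 2
    def take_addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return None
        i += 2                                  # consume 'host A.B.C.D'
        return tok[i - 1]
    src, dst = take_addr(), take_addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    if tok[1] != "ip" and tok[1] != pkt.proto:  # 'ip' matches every protocol
        return False
    if src is not None and src != pkt.src:
        return False
    if dst is not None and dst != pkt.dst:
        return False
    return dport is None or dport == pkt.dport

def evaluate(acl: list[str], pkt: Packet) -> str:
    """First matching ACE wins; anything unmatched hits the implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.split()[0]
    return "deny"

# The two ACLs posted in the thread, both applied 'in' on interface Vlan1.
ORIGINAL_ACL = ["permit tcp any host 192.168.0.10 eq 80",
                "permit tcp any host 192.168.0.10 eq 443",
                "deny ip any host 192.168.0.10"]      # redundant with the implicit deny
LUIS_ACL = ["permit tcp host 192.168.0.10 any eq 80",
            "permit tcp host 192.168.0.10 any eq 443",
            "deny ip any any"]

# Constructed sample flows (203.0.113.x / 198.51.100.x are documentation addresses).
FLOWS = {
    "server browsing https":      Packet("tcp", "192.168.0.10", 51000, "203.0.113.5", 443),
    "server dns lookup":          Packet("udp", "192.168.0.10", 51001, "203.0.113.53", 53),
    "server reply to web client": Packet("tcp", "192.168.0.10", 80, "198.51.100.7", 40000),
    "other lan host browsing":    Packet("tcp", "192.168.0.20", 51002, "203.0.113.5", 80),
}
```

Calling evaluate(ORIGINAL_ACL, flow) for each constructed flow returns "deny" throughout, because traffic entering Vlan1 from the server never has 192.168.0.10 as its destination. evaluate(LUIS_ACL, flow) permits only the server's own connections to destination ports 80 and 443; its DNS lookups and its replies from source port 80 fall through to "deny".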

Deepak Kumar
VIP Alumni

Hi,

After reading the complete thread, I understand that you want the services hosted on port 80 and port 443 on the server to be accessible from the Internet (WAN), while the server can still access the internet as an end user.

As @paul driver mentioned, you have to configure two NAT statements to make port forwarding from WAN to LAN (server):

ip nat inside source static tcp 192.168.0.10 80 8.9.10.11 80 extendable 

ip nat inside source static tcp 192.168.0.10 443 8.9.10.11 443 extendable

This will be useful for you.

Regards,
Deepak Kumar,