10-07-2019 07:00 AM
Hello,
I have an 887 router, which is attached to a server with IP address 192.168.0.10, and the router's VLAN1 is 192.168.0.1.
I would like to block all internet traffic on the server except ports 80 and 443. I did the following:
ip access-list extended 101
permit tcp any host 192.168.0.10 eq 80
permit tcp any host 192.168.0.10 eq 443
deny ip any host 192.168.0.10
and on the interface vlan1
ip access-group 101 in
10-07-2019 07:08 AM
Hi there,
The ACL you have created should be applied OUTbound on the VLAN1 SVI.
cheers,
Seb.
10-07-2019 07:11 AM
You mean to say:
interface vlan1
ip access-group 101 out
10-07-2019 07:23 AM
Yes, if outbound access-groups are supported.
If not, try @luis_cordova's implementation. Keep in mind that doing it this way would still permit devices to send traffic to the server; it would only be able to reply on TCP/80 and TCP/443.
cheers,
Seb.
10-07-2019 07:19 AM
Try this:
ip access-list extended 101
permit tcp host 192.168.0.10 any eq 80
permit tcp host 192.168.0.10 any eq 443
deny ip any any
int vlan 1
ip access-group 101 in
Regards
10-07-2019 08:01 AM - edited 10-07-2019 08:14 AM
Hello
@cigalahgroup wrote:
Hello,
I have an 887 router, which is attached to a server with IP address 192.168.0.10, and the router's VLAN1 is 192.168.0.1.
I would like to block all internet traffic on the server except ports 80 and 443. I did the following:
ip access-list extended 101
permit tcp any host 192.168.0.10 eq 80
permit tcp any host 192.168.0.10 eq 443
deny ip any host 192.168.0.10
permit ip any any
interface vlan1
ip access-group 101 OUT
10-07-2019 09:11 AM
I only want to access internet with port 80 and 443 and all other ports should be blocked
10-07-2019 09:26 AM - edited 10-08-2019 04:19 AM
Hello
@cigalahgroup wrote:
I would like to block all internet traffic on the server except port 80 and 443. I did the following
So if this isn't correct, do you wish all hosts in VLAN 1 to be denied internet access other than this server, and that's only allowed for HTTP/HTTPS?
So, do you have any other VLANs? Plus, given that VLAN 1 is a private subnet, I assume the router is performing NAT?
Post the config of the router so we can obtain a clearer understanding of the router setup.
10-08-2019 03:22 AM
Here is the config
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname woo
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$DTRE$zvzwB3cIB0/1L/
!
no aaa new-model
ethernet lmi ce
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C881-K9 sn FCZ2244116S
!
!
username cisco
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
ip access-group 101 OUT
!
interface Dialer0
bandwidth 1024
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname 471@1024.verizon.com
ppp chap password 0 ***
ppp pap sent-username 471@1024.verizon.com
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static 192.168.0.10 8.9.10.11
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended 101
permit tcp any host 192.168.0.10 eq 80
permit tcp any host 192.168.0.10 eq 443
deny ip any host 192.168.0.10
!
snmp-server community public RO
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 120 0
password 7 13061E010803
login
length 0
transport input all
transport output none
line vty 5 15
login
transport input none
!
scheduler allocate 20000 1000
!
end
10-08-2019 04:21 AM
Hello
Do you wish all hosts in VLAN 1 to be denied internet access other than this server, and that's only allowed for HTTP/HTTPS?
Can you confirm what exactly you wish to happen?
10-08-2019 04:54 AM
Simply, I want to give internet access to only one computer, 192.168.0.X. From outside, all the ports should be blocked, but from inside I should be able to browse the internet.
10-08-2019 06:10 AM - edited 10-08-2019 06:13 AM
Hello
@cigalahgroup wrote:
Simply, I want to give internet access to only one computer, 192.168.0.X. From outside, all the ports should be blocked, but from inside I should be able to browse the internet.
So then you really don't need an ACL for that; you just have to amend your static NAT statement:
ip nat inside source static tcp 192.168.0.10 80 8.9.10.11 80 extendable
ip nat inside source static tcp 192.168.0.10 443 8.9.10.11 443 extendable
no ip access-list extended 101
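As an added example (not from the thread or any poster), here is a small Python model of how the 887 handles an Internet-to-LAN packet in the order IOS applies it: static NAT (outside to inside, which happens before routing) and then the access-group on the Vlan1 SVI. It shows why ACL 101 filters nothing when applied "in" on Vlan1 yet blocks the server's own outbound traffic through the implicit deny, filters as intended when applied "out", and why the port-specific static NAT entries need no ACL at all. The Internet client address 203.0.113.5 and the probed ports are constructed values.

```python
SERVER, PUBLIC = "192.168.0.10", "8.9.10.11"
PORTS = (22, 80, 443, 3389)              # constructed sample of TCP ports to probe
OUTSIDE_HOST = "203.0.113.5"             # constructed Internet client address
# NAT tables, keyed (public_ip, public_port or None for "all ports") -> inside host.
FULL_STATIC = {(PUBLIC, None): SERVER}   # ip nat inside source static 192.168.0.10 8.9.10.11
PORT_FORWARD = {(PUBLIC, 80): SERVER,    # the two "ip nat inside source static tcp ... extendable" lines
                (PUBLIC, 443): SERVER}
# ACL 101 as the OP posted it; IOS appends an implicit "deny ip any any".
ACL_101 = [("permit", "tcp", "any", SERVER, 80),
           ("permit", "tcp", "any", SERVER, 443),
           ("deny", "ip", "any", SERVER, None)]

def nat_outside_to_inside(table, dst, dport):
    """Inside address an Internet packet to dst:dport is translated to, or None."""
    return table.get((dst, dport)) or table.get((dst, None))

def acl_action(acl, proto, src, dst, dport):
    """First matching ACE decides; no match means the implicit deny."""
    for action, aproto, asrc, adst, aport in acl:
        if (aproto in ("ip", proto) and asrc in ("any", src)
                and adst in ("any", dst) and aport in (None, dport)):
            return action
    return "deny"

def exposed_ports(nat_table, acl=None, direction=None):
    """TCP ports on the server that OUTSIDE_HOST can reach through the router."""
    reachable = set()
    for port in PORTS:
        inside = nat_outside_to_inside(nat_table, PUBLIC, port)
        if inside is None:
            continue                     # no translation: the packet never reaches the LAN
        # Internet->LAN packets leave the router on Vlan1, so only an OUTbound
        # access-group on the SVI evaluates them; "in" never sees them.
        if (acl and direction == "out"
                and acl_action(acl, "tcp", OUTSIDE_HOST, inside, port) != "permit"):
            continue
        reachable.add(port)
    return reachable

def lan_can_reach_internet(acl=None, direction=None):
    """Can the server open a connection outbound? Only an INbound SVI ACL sees it."""
    if acl and direction == "in":
        return acl_action(acl, "tcp", SERVER, OUTSIDE_HOST, 443) == "permit"
    return True

if __name__ == "__main__":
    print("full static NAT, ACL 101 in :", sorted(exposed_ports(FULL_STATIC, ACL_101, "in")), lan_can_reach_internet(ACL_101, "in"))
    print("full static NAT, ACL 101 out:", sorted(exposed_ports(FULL_STATIC, ACL_101, "out")), lan_can_reach_internet(ACL_101, "out"))
    print("port-forward NAT, no ACL    :", sorted(exposed_ports(PORT_FORWARD)))
```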
10-07-2019 10:04 AM
10-08-2019 07:36 AM
Hi,
After reading the complete thread, I gather that you want the services hosted on ports 80 and 443 on the server to be accessible from the Internet (WAN), while the server can still access the internet as an end user.
As @paul driver mentioned, you have to configure two NAT statements to port-forward from WAN to LAN (server):
ip nat inside source static tcp 192.168.0.10 80 8.9.10.11 80 extendable
ip nat inside source static tcp 192.168.0.10 443 8.9.10.11 443 extendable
This will be useful for you.