access list deny https server

gamu
Level 1

Hello everyone,

I have tried to deny my LAN PC access to the HTTPS server in my network. In my case I want to deny it via VLAN on my switch, which is already configured. Here is my network topology.

I am waiting for any answer. Many thanks.

 

 

9 Replies

luis_cordova
VIP Alumni

Hi @gamu ,

 

The ACL must be configured on the router.

Can you share your router's current settings?

You could also share the ip parameters of your server.

 

Regards

 

acl.PNG

Here's my network topology

router config:

ip access-list extended 101

deny tcp host 10.1.6.3 host 10.10.10.1 eq 443

20 permit ip any any

int gig1/0/0

ip access-group 101 in

 

I did that on my router, but when accessing from the LAN, the HTTPS server is still open. Can you help me please?

 

 

Hello

Try and apply the ACL as close to the source as possible; in this case apply it to the SVI of VLAN 101 on the switch, if that is performing the inter-VLAN routing.

 

access-list 100 deny tcp host 10.1.6.4 host 10.10.10.1 eq 443
access-list 100 deny tcp host 10.1.6.4 host 10.10.10.1 eq 80
access-list 100 permit ip any any

 

int vlan 101
ip access-group 100 in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks paul driver.

 

I will try it. Before I forget, something about my HTTPS server: in my case I have two IP addresses on my server.

10.10.10.1 is a public IP and 192.168.10.10 I use locally to access the server. I want to deny both IP addresses from my LAN only via VLAN, and otherwise I want to use those IPs only in the IT department.

 

I tried to configure it. I need help.

 

Best regards

gamu.

 

 

 

Hi @gamu ,

 

Try this:

router config:

ip access-list extended 101

deny tcp 10.1.6.0 0.0.0.255 host 10.10.10.1 eq 443

20 permit ip any any

 

Surely you have subinterfaces for the VLAN on the router, so the ACL must be applied on the subinterfaces (assuming that the g1/0/0 interface is the one that connects you to the switch and that the switch interface is in trunk mode):

int gig1/0/0.101

encapsulation dot1q 101 <— vlan number 

ip access-group 101 in

 

Regards

 

 

@luis_cordova 

Your ACL will negate access to the whole 10.1.6.0/24 subnet for HTTPS, not just a specific host.



Kind Regards
Paul

Hi @paul driver ,

 

You are right, because that is what I understood to be sought.

But if you only want to deny access from a host by https, the initial ACL is ok:

 

ip access-list extended 101

deny tcp host 10.1.6.3 host 10.10.10.1 eq 443

20 permit ip any any

 

but it must be applied in the subinterface.

 

Regards


@luis_cordova wrote:

but it must be applied in the subinterface.


Indeed, that's if the router is performing the inter-VLAN routing; otherwise it would be the L3 switch.



Kind Regards
Paul
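As an added illustration (not code from any of the posters), a small Python model of first-match ACL evaluation that makes Paul's point concrete: the single-host entry denies only 10.1.6.3, the 0.0.0.255 wildcard entry denies the whole 10.1.6.0/24, and neither entry covers the server's second address 192.168.10.10 or port 80. The parser handles only the ACE forms that appear in this thread; the sample ACLs and packets are constructed from the posts above.

```python
import ipaddress

# Constructed model of Cisco IOS ACL matching, covering only the ACE forms
# used in this thread (deny/permit, tcp/ip, host/any/wildcard, eq port).
def parse_addr(tokens):
    """Consume one address spec and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A wildcard mask marks "don't care" bits with 1; invert it to get a netmask (contiguous only).
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse one entry such as 'deny tcp host 10.1.6.3 host 10.10.10.1 eq 443'."""
    tokens = line.split()
    if tokens[0].isdigit():  # optional sequence number, e.g. '20 permit ip any any'
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, src_ip, dst_ip, proto="tcp", dport=None):
    """First matching entry wins; a Cisco ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# The two ACLs discussed above: gamu's single-host entry and luis_cordova's /24 entry.
HOST_ACL = [parse_ace(l) for l in ("deny tcp host 10.1.6.3 host 10.10.10.1 eq 443",
                                   "20 permit ip any any")]
SUBNET_ACL = [parse_ace(l) for l in ("deny tcp 10.1.6.0 0.0.0.255 host 10.10.10.1 eq 443",
                                     "20 permit ip any any")]

if __name__ == "__main__":
    for name, acl in (("host", HOST_ACL), ("subnet", SUBNET_ACL)):
        for src in ("10.1.6.3", "10.1.6.4"):
            print(name, src, "-> 10.10.10.1:443", evaluate(acl, src, "10.10.10.1", "tcp", 443))
```

Whichever ACL is chosen, the thread's other point still applies: it only takes effect on the interface where the traffic actually enters the device doing the routing (the router subinterface or the switch SVI).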

Thanks luis cordova.

 

I will try it. Before I forget, something about my HTTPS server: in my case I have two IP addresses on my server.

10.10.10.1 is a public IP and 192.168.10.10 I use locally to access the server. I want to deny both IP addresses from my LAN only via VLAN, and otherwise I want to use those IPs only in the IT department.

 

I tried to configure it. I need help.

 

Best regards

gamu
