cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4359
Views
10
Helpful
9
Replies

access list deny https server

gamu
Level 1
Level 1

Hallo....everyone 

i have tired to deny my lan pc to access https server in my network,i my case i want deny via vlan on my swit

ch that already config. here is my network topology

i waiting for any ans ware. many thanks

 

 

9 Replies 9

luis_cordova
VIP Alumni
VIP Alumni

Hi @gamu ,

 

The ACL must be configured on the router.

Can you share your router's current settings?

You could also share the ip parameters of your server.

 

Regards

 

acl.PNG

Here's my network topology

router config:

ip access-list extended 101

deny tcp host 10.1.6.3 host 10.10.10.1 eq 443

20 permit ip any any

int gig1/0/0

ip access-group 101 in

 

i do that in my router,but when access from lan,https server still open. can hell me pls.

 

 

Hello

Try and apply the acl as close to the source as possible in this case apply it o  the svi of vlan 101 on the switch if that is performing the intervlan-routing

 

access-list 100 deny tcp host 10.1.6.4 host 10.10.10.1 eq 443
access-list 100 deny tcp host 10.1.6.4 host 10.10.10.1 eq 80
access-list 100 permt ip any any

 

int vlan 101
ip access-group 100 in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks paul driver.

 

i will try it,before i forget someting in my https server. in my case i have two ip address on my server

10.10.10.1 is a public ip and 192.168.10.10 i use local to access server.both two ip address i want deny it from my lan only via vlan,and other wise i want  use that ip only on IT department.

 

i tired to config it.i need help

 

best regards

gamu.

 

 

 

Hi @gamu ,

 

Try this:

router config:

ip access-list extended 101

deny tcp 10.1.6.0 0.0.0.255 host 10.10.10.1 eq 443

20 permit ip any any

 

Surely, it is that in the router you have subinterfaces for the vlan, so the acl must be applied in the subinterfaces(assuming that the g1/0/0 interface is the one that connects you to the switch and that the switch interface is in trunk mode):

int gig1/0/0.101

encapsulation dot1q 101 <— vlan number 

ip access-group 101 in

 

Regards

 

 

@luis_cordova 

You acl will negate access to the whole 10.1.6.0/24 subnet for https not just a specific host 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver ,

 

You are right, because that is what I understood to be sought.

But if you only want to deny access from a host by https, the initial ACL is ok:

 

ip access-list extended 101

deny tcp host 10.1.6.3 host 10.10.10.1 eq 443

20 permit ip any any

 

but it must be applied in the subinterface.

 

Regards


@luis_cordova wrote:

but it must be applied in the subinterface.


Indeed that's if the router is performing the inter-vlan routing otherwise it would be the L3 switch


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks luis cordova.

 

i will try it,before i forget someting in my https server. in my case i have two ip address on my server

10.10.10.1 is a public ip and 192.168.10.10 i use local to access server.both two ip address i want deny it from my lan only via vlan,and other wise i want  use that ip only on IT department.

 

i tired to config it.i need help

 

best regards

gamu

Review Cisco Networking for a $25 gift card