Access List (Extended)

GAB1
Level 1

Hello, 

I want to create an extended access list that denies access from specific domains (all their computers) to my web server. I have two web servers in my domain and I want to cut access to one specific web server (for example WEBSERVER2).

I have created an extended access list, but it didn't work.

My access list is :

ip access-list extended XXX
 deny tcp A.A.A.0 0.0.0.255 host WEBSERVER2 eq www
 deny tcp B.B.B.0 0.0.0.255 host WEBSERVER2 eq www
 permit ip any any


Afterwards I applied it on my switch to a specific interface (for example F0/1):

ip access-group XXX in

I have put "in" because that interface is where the other two domains connect to my domain.


Where is the fault?


Thanks in advance 

7 Replies

balaji.bandi
Hall of Fame

deny tcp A.A.A.0 0.0.0.255 host WEBSERVER2 eq www   <<- is the WEBSERVER2 you mentioned an IP address or a name?

Is WEBSERVER2 connected to Fas 0/1? Can you post "show run interface fast 0/1" so we can look at the config.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Sir, and thank you for your interest.
There I have written WEBSERVER2 = xxx.xxx.xxx.xx (the server's IP)

deny tcp A.A.A.0 0.0.0.255 host xxx.xxx.xxx.xx eq www

On the interface it shows:

ip access-group in

On the specified interface FastEthernet 0/1 the other domains are connected, and I want to deny both of them access to my web server (WEBSERVER2).
As I have mentioned before, I have two web servers. On my WEBSERVER1, I want all computers from all domains that connect on interface FastEthernet 0/1 to have access.

I don't know if this helps you, but right now I am out of my company and cannot send you a screenshot of interface FastEthernet 0/1.

Thanks in advance again
Best regards

I'd like to see your interface config. You mentioned 2 web servers connected to the same interface fas 0/1? (Is this physical?)

BB


Good morning Sir,
There isn't a physical connection to fe0/1 from my web servers.
Domain A is connected to my domain through fa0/1.


As I understand it, below is your network topology:

user----domainA ----Fas 0/1 -----fa0/1----domain b ----users

Is this the case? Your ACL should work; since it is not working, we need more information about the configuration to confirm what is wrong.

show version

show run interface fas 0/1

show access-list

BB


SwL3#show access
SwL3#show access-lists
Extended IP access list 125
10 deny tcp 10.101.102.0 0.0.0.255 host 192.200.200.10 eq www
20 deny tcp 10.102.102.0 0.0.0.255 host 192.200.200.10 eq www
30 deny tcp 10.103.102.0 0.0.0.255 host 192.200.200.10 eq www
40 deny tcp 10.104.102.0 0.0.0.255 host 192.200.200.10 eq www
50 permit ip any any
Extended IP access list NOACCESSWEBSERVER2
10 deny tcp 10.101.102.0 0.0.0.255 host 192.200.200.10 eq www
30 deny tcp 10.102.102.0 0.0.0.255 host 192.200.200.10 eq www
40 deny tcp 10.103.102.0 0.0.0.255 host 192.200.200.10 eq www
50 deny tcp 10.104.102.0 0.0.0.255 host 192.200.200.10 eq www
60 permit ip any any
SwL3#
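To make the semantics of the output above concrete, here is an added Python example that is not part of the thread or of Cisco IOS: it parses the NOACCESSWEBSERVER2 entries exactly as shown in the "show access-lists" output, applies first-match evaluation with wildcard masks and the implicit deny at the end, and also evaluates the server's reply packet, which has source and destination swapped and therefore does not match any of the deny lines. That is why an ACL like this only does its job in the direction where it sees the client's request. The packet addresses, the variant of the ACL without its final permit, and all function names are constructed for this example.

```python
"""Evaluate a Cisco-style extended ACL against sample packets.

Added example, not code from the thread. It reproduces IOS first-match
evaluation: wildcard masks (1 bits = don't care), optional 'eq <port>',
'ip' matching every protocol, and the implicit deny after the last entry.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL text copied from the 'show access-lists' output posted in the thread.
ACL_TEXT = """
Extended IP access list NOACCESSWEBSERVER2
10 deny tcp 10.101.102.0 0.0.0.255 host 192.200.200.10 eq www
30 deny tcp 10.102.102.0 0.0.0.255 host 192.200.200.10 eq www
40 deny tcp 10.103.102.0 0.0.0.255 host 192.200.200.10 eq www
50 deny tcp 10.104.102.0 0.0.0.255 host 192.200.200.10 eq www
60 permit ip any any
"""
# Constructed variant: the same denies, but the final permit was forgotten.
ACL_NO_PERMIT_TEXT = "\n".join(ACL_TEXT.strip().splitlines()[:-1])

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, None for non-TCP/UDP


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src_net: int
    src_wc: int                  # wildcard mask as an int
    dst_net: int
    dst_wc: int
    dport: Optional[int]         # None = any destination port


def _addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (network, wildcard, index of the next unread token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wc, i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'show access-lists' style lines into ACEs, in sequence order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Extended":  # skip the header line
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src_net, src_wc, i = _addr_spec(tokens, 3)
        dst_net, dst_wc, i = _addr_spec(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        aces.append(Ace(seq, action, proto, src_net, src_wc, dst_net, dst_wc, dport))
    return sorted(aces, key=lambda a: a.seq)


def _addr_matches(addr: str, net: int, wc: int) -> bool:
    # Setting the wildcard bits on both sides turns them into "don't care".
    return (int(ipaddress.IPv4Address(addr)) | wc) == (net | wc)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(pkt.src, ace.src_net, ace.src_wc):
        return False
    if not _addr_matches(pkt.dst, ace.dst_net, ace.dst_wc):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: (action, sequence) of the matching ACE,
    or ('deny', None) when nothing matched (the implicit deny)."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


ACL = parse_acl(ACL_TEXT)
ACL_NO_PERMIT = parse_acl(ACL_NO_PERMIT_TEXT)

# Constructed packets: a client in 10.101.102.0/24 opening port 80 on
# WEBSERVER2, and the server's reply as seen in the opposite direction.
REQUEST = Packet("tcp", "10.101.102.5", "192.200.200.10", 80)
REPLY = Packet("tcp", "192.200.200.10", "10.101.102.5", 40000)

if __name__ == "__main__":
    print("request toward server:", evaluate(ACL, REQUEST))
    print("reply toward client:  ", evaluate(ACL, REPLY))
    print("no final permit, icmp:", evaluate(ACL_NO_PERMIT, Packet("icmp", "10.105.1.1", "192.200.200.10")))
```

The request from the denied subnet hits sequence 10 and is dropped, while the reply packet only ever matches the final permit, so an ACL applied on the wrong side or in the wrong direction of the interface lets the HTTP session through untouched. The variant without the closing permit shows the implicit deny: every packet that matches no entry, ICMP included, is dropped.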

We can only suggest something when we have enough information about the environment and config. Please post the output below.


show version

show run interface fas 0/1

show access-list

BB
