Stupid Cisco ACL question
up at 3.am
up at 3.am
Thu Apr 21 19:42:51 UTC 2011
Thanks everyone, of course this is what I wanted. Like I said, a stupid
ACL question...I'm blaming heavy medication, sorry for the noise!
> On Thu, 21 Apr 2011, up at 3.am wrote:
>> permit tcp any eq 443 any
>> permit tcp any eq 80 any
>> deny ip any host 2.2.3.4
>> permit ip any any
>>
>> This is applied to an inbound interface(s). We want anybody outside to
>> be
>> able to reach ports 80 and 443 of any host on our network, no matter
>> what,
>> then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
>> However, as soon as I apply this rule to the interface, ports 80 and 443
>> of that host become unreachable. A telnet to 2.2.3.4 443 gets
>> "Connection
>> refused" until I tear out the deny ACL above. I even tried adding udp
>> for
>> both ports, to no avail.
>
> Your ACL is apply the 80 & 443 as source ports, not destination ports.
>
> You probably want:
> permit tcp any any eq 443
> permit tcp any any eq 80
> deny ip any host 2.2.3.4
> permit ip any any
>
> ________________________________________________________________________
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
>
More information about the NANOG
mailing list