Stupid Cisco ACL question
up at 3.am
Thu Apr 21 14:42:51 CDT 2011
Thanks everyone, of course this is what I wanted. Like I said, a stupid
ACL question...I'm blaming heavy medication, sorry for the noise!
> On Thu, 21 Apr 2011, up at 3.am wrote:
>> permit tcp any eq 443 any
>> permit tcp any eq 80 any
>> deny ip any host 188.8.131.52
>> permit ip any any
>> This is applied to an inbound interface(s). We want anybody outside to
>> be able to reach ports 80 and 443 of any host on our network, no matter
>> then block ALL other access to select hosts, such as 184.108.40.206, even ICMP.
>> However, as soon as I apply this rule to the interface, ports 80 and 443
>> of that host become unreachable. A telnet to 220.127.116.11 443 gets
>> "refused" until I tear out the deny ACL above. I even tried adding udp for
>> both ports, to no avail.
> Your ACL is applying 80 & 443 as source ports, not destination ports.
> You probably want:
> permit tcp any any eq 443
> permit tcp any any eq 80
> deny ip any host 18.104.22.168
> permit ip any any
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
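The source-port versus destination-port mix-up in the thread is easy to reproduce by simulating Cisco extended-ACL first-match evaluation. The following is an added example, not code from the thread or from any Cisco tool: it parses the two ACLs exactly as posted (the `any`, `host`, and `eq` forms only), walks them top-down with the implicit trailing deny, and evaluates a few constructed packets. The protected host address is the one on the deny line of the thread; 203.0.113.9 and the ephemeral port 51515 are constructed values for the outside client. It also shows the security-relevant side effect of the original ACL: because it matches on the *source* port, an outside host that simply sources its connection from port 443 is permitted through to any port on the "blocked" host, since that permit line precedes the deny.

```python
"""Simulate Cisco extended-ACL first-match evaluation (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int | None = None    # None for protocols without ports (icmp)
    dport: int | None = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry. None in an address/port field means 'any'."""
    action: str
    proto: str
    src: str | None
    sport: int | None
    dst: str | None
    dport: int | None


def _parse_endpoint(tokens: list[str], i: int):
    """Consume 'any' or 'host A.B.C.D', followed by an optional 'eq N' port match."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form at {tokens[i]!r}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return addr, port, i


def parse_ace(line: str) -> Ace:
    """Parse '<permit|deny> <proto> <src> [eq N] <dst> [eq N>' in Cisco order.

    The port operator that follows the *source* address matches the source
    port; only an operator after the *destination* address matches the
    destination port. That ordering is the whole point of the thread.
    """
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, sport, i = _parse_endpoint(tokens, 2)
    dst, dport, i = _parse_endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[i:]}")
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> list[Ace]:
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:   # 'ip' covers every protocol
        return False
    if ace.src is not None and ace.src != pkt.src:
        return False
    if ace.dst is not None and ace.dst != pkt.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# The two ACLs exactly as they appear in the thread.
ACL_AS_POSTED = parse_acl("""
permit tcp any eq 443 any
permit tcp any eq 80 any
deny ip any host 188.8.131.52
permit ip any any
""")

ACL_CORRECTED = parse_acl("""
permit tcp any any eq 443
permit tcp any any eq 80
deny ip any host 188.8.131.52
permit ip any any
""")

# Constructed packets: 203.0.113.9 is a made-up outside client.
HTTPS_SYN = Packet("tcp", "203.0.113.9", "188.8.131.52", 51515, 443)
ICMP_TO_HOST = Packet("icmp", "203.0.113.9", "188.8.131.52")
SSH_FROM_SPORT_443 = Packet("tcp", "203.0.113.9", "188.8.131.52", 443, 22)
HTTP_TO_OTHER_HOST = Packet("tcp", "203.0.113.9", "188.8.131.53", 51516, 80)

if __name__ == "__main__":
    for name, pkt in [("https syn", HTTPS_SYN), ("icmp", ICMP_TO_HOST),
                      ("ssh from sport 443", SSH_FROM_SPORT_443),
                      ("http to other host", HTTP_TO_OTHER_HOST)]:
        print(f"{name:20s} posted={evaluate(ACL_AS_POSTED, pkt):6s} "
              f"corrected={evaluate(ACL_CORRECTED, pkt)}")
```

With the posted ACL the HTTPS SYN carries an ephemeral source port, so neither `eq 443` nor `eq 80` matches it and it falls through to the deny for that host, which is exactly the "refused" the original poster saw. The same source-port match is what lets a client that binds to local port 443 reach port 22 on the supposedly blocked host; the corrected ACL closes that as a side effect of matching the destination port.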