Stupid Cisco ACL question

up at 3.am up at 3.am
Thu Apr 21 19:42:51 UTC 2011


Thanks everyone, of course this is what I wanted.  Like I said, a stupid
ACL question...I'm blaming heavy medication, sorry for the noise!


> On Thu, 21 Apr 2011, up at 3.am wrote:
>> permit tcp any eq 443 any
>> permit tcp any eq 80 any
>> deny ip any host 2.2.3.4
>> permit ip any any
>>
>> This is applied to an inbound interface(s).  We want anybody outside to
>> be
>> able to reach ports 80 and 443 of any host on our network, no matter
>> what,
>> then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
>> However, as soon as I apply this rule to the interface, ports 80 and 443
>> of that host become unreachable.  A telnet to 2.2.3.4 443 gets
>> "Connection
>> refused" until I tear out the deny ACL above.  I even tried adding udp
>> for
>> both ports, to no avail.
>
> Your ACL is apply the 80 & 443 as source ports, not destination ports.
>
> You probably want:
>     permit tcp any any eq 443
>     permit tcp any any eq 80
>     deny ip any host 2.2.3.4
>     permit ip any any
>
> ________________________________________________________________________
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
>





More information about the NANOG mailing list