[139870] in North American Network Operators' Group
Re: Stupid Cisco ACL question
daemon@ATHENA.MIT.EDU (Jay Ford)
Thu Apr 21 15:23:58 2011
Date: Thu, 21 Apr 2011 14:20:09 -0500 (CDT)
From: Jay Ford <jay-ford@uiowa.edu>
To: up@3.am
In-Reply-To: <85917f6e53edcd7cb06c4f2b18770dbc.squirrel@ssl.pil.net>
Cc: nanog@nanog.org
Reply-To: Jay Ford <jay-ford@uiowa.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, 21 Apr 2011, up@3.am wrote:
> permit tcp any eq 443 any
> permit tcp any eq 80 any
> deny ip any host 2.2.3.4
> permit ip any any
>
> This is applied to an inbound interface(s).  We want anybody outside to be
> able to reach ports 80 and 443 of any host on our network, no matter what,
> then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
> However, as soon as I apply this rule to the interface, ports 80 and 443
> of that host become unreachable.  A telnet to 2.2.3.4 443 gets "Connection
> refused" until I tear out the deny ACL above.  I even tried adding udp for
> both ports, to no avail.
Your ACL is applying 80 & 443 as source ports, not destination ports.
You probably want:
    permit tcp any any eq 443
    permit tcp any any eq 80
    deny ip any host 2.2.3.4
    permit ip any any
________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford@uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
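As an added example (not code from the thread or from Cisco), a small Python evaluator for extended ACEs in the `any` / `host` forms used above; it runs the original and corrected lists against a constructed HTTPS connection and a ping to 2.2.3.4, which shows why the position of `eq 443` decides which line matches first. The packet values are assumptions for illustration.

```python
def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [eq PORT] <dst> [eq PORT]'.
    Only 'any' and 'host A.B.C.D' address forms are handled (no wildcard masks)."""
    toks = line.split()
    ace = {"action": toks[0], "proto": toks[1]}
    i = 2
    for side in ("src", "dst"):
        if toks[i] == "any":
            ace[side], i = None, i + 1
        elif toks[i] == "host":
            ace[side], i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported address form: {toks[i]}")
        ace[side + "port"] = None
        if i < len(toks) and toks[i] == "eq":   # 'eq' binds to the address just parsed
            ace[side + "port"], i = int(toks[i + 1]), i + 2
    return ace

def ace_matches(ace, pkt):
    """An ACE matches when every field it specifies equals the packet's field."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    return all(ace[f] is None or ace[f] == pkt[f]
               for f in ("src", "srcport", "dst", "dstport"))

def evaluate(acl_text, pkt):
    """First-match evaluation, ending in the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line.strip())
        if ace_matches(ace, pkt):
            return ace["action"], line.strip()
    return "deny", "<implicit deny>"

ORIGINAL_ACL = """
permit tcp any eq 443 any
permit tcp any eq 80 any
deny ip any host 2.2.3.4
permit ip any any
"""
CORRECTED_ACL = """
permit tcp any any eq 443
permit tcp any any eq 80
deny ip any host 2.2.3.4
permit ip any any
"""
# Constructed sample packets: an outside client (ephemeral source port) opening HTTPS, and a ping.
HTTPS_TO_HOST = {"proto": "tcp", "src": "203.0.113.5", "srcport": 51515,
                 "dst": "2.2.3.4", "dstport": 443}
PING_TO_HOST = {"proto": "icmp", "src": "203.0.113.5", "srcport": None,
                "dst": "2.2.3.4", "dstport": None}
```

Calling `evaluate(ORIGINAL_ACL, HTTPS_TO_HOST)` returns the deny line because the client's source port is not 443, while `evaluate(CORRECTED_ACL, HTTPS_TO_HOST)` returns the first permit; the ping is denied by both lists.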