[139874] in North American Network Operators' Group
Re: Stupid Cisco ACL question
daemon@ATHENA.MIT.EDU (up@3.am)
Thu Apr 21 15:43:02 2011
In-Reply-To: <alpine.DEB.2.02.1104211417570.32670@seatpost.its.uiowa.edu>
Date: Thu, 21 Apr 2011 15:42:51 -0400
From: up@3.am
To: nanog@nanog.org
Thanks everyone, of course this is what I wanted.  Like I said, a stupid
ACL question...I'm blaming heavy medication, sorry for the noise!
> On Thu, 21 Apr 2011, up@3.am wrote:
>> permit tcp any eq 443 any
>> permit tcp any eq 80 any
>> deny ip any host 2.2.3.4
>> permit ip any any
>>
>> This is applied to an inbound interface(s).  We want anybody outside to
>> be able to reach ports 80 and 443 of any host on our network, no matter
>> what, then block ALL other access to select hosts, such as 2.2.3.4, even
>> ICMP.  However, as soon as I apply this rule to the interface, ports 80
>> and 443 of that host become unreachable.  A telnet to 2.2.3.4 443 gets
>> "Connection refused" until I tear out the deny ACL above.  I even tried
>> adding udp for both ports, to no avail.
>
> Your ACL is applying the 80 & 443 as source ports, not destination ports.
>
> You probably want:
>     permit tcp any any eq 443
>     permit tcp any any eq 80
>     deny ip any host 2.2.3.4
>     permit ip any any
>
> ________________________________________________________________________
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-ford@uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
>
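As an added illustration (not part of the original thread), the following Python script simulates first-match Cisco extended-ACL evaluation over a handful of constructed packets to show why the two lists behave differently: in `permit tcp any eq 443 any` the `eq 443` follows the source address, so it matches the *source* port, and an inbound SYN to 2.2.3.4:443 from an ephemeral source port falls through to the `deny ip any host 2.2.3.4` line, whereas the corrected list matches on the destination port. The simulator is a deliberate simplification: it understands only `any`, `host x.x.x.x` and CIDR prefixes (not Cisco wildcard masks), only the `eq` port operator, no `established` keyword, and the implicit `deny ip any any` at the end. All addresses and packets are made-up test data.

```python
"""Minimal first-match simulator for Cisco extended ACLs (source vs destination port).

Assumptions (simplified model, not IOS itself): addresses are 'any', 'host A.B.C.D'
or a CIDR prefix; the only port operator is 'eq'; an implicit 'deny ip any any'
terminates every list; 'ip' matches every protocol.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", "icmp"
    src: str             # "any" or an address/prefix
    sport: Optional[int]  # None = any source port
    dst: str
    dport: Optional[int]  # None = any destination port


@dataclass
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _take_addr(toks: List[str]) -> Tuple[str, List[str]]:
    if toks[0] == "host":
        return toks[1], toks[2:]
    return toks[0], toks[1:]


def _take_port(toks: List[str]) -> Tuple[Optional[int], List[str]]:
    if toks and toks[0] == "eq":
        return int(toks[1]), toks[2:]
    return None, toks


def parse_ace(line: str) -> Ace:
    """Parse '<permit|deny> <proto> <src> [eq N] <dst> [eq N]' (IOS field order)."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)   # a port right after the source is a SOURCE port
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)   # a port right after the destination is a DEST port
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_match(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, index) or ('deny', None) for the implicit deny."""
    for i, ace in enumerate(acl):
        if ace_match(ace, pkt):
            return ace.action, i
    return "deny", None


# The two lists from the thread, as posted.
ORIGINAL = parse_acl("""
permit tcp any eq 443 any
permit tcp any eq 80 any
deny ip any host 2.2.3.4
permit ip any any
""")

CORRECTED = parse_acl("""
permit tcp any any eq 443
permit tcp any any eq 80
deny ip any host 2.2.3.4
permit ip any any
""")

# Constructed inbound packets (198.51.100.7 is documentation space, used as "the outside").
CLIENT_TO_443 = Packet("tcp", "198.51.100.7", 51234, "2.2.3.4", 443)   # normal HTTPS SYN
CLIENT_TO_22 = Packet("tcp", "198.51.100.7", 51235, "2.2.3.4", 22)     # should be blocked
PING = Packet("icmp", "198.51.100.7", None, "2.2.3.4", None)           # should be blocked
SRC_PORT_443_TO_22 = Packet("tcp", "198.51.100.7", 443, "2.2.3.4", 22)  # attacker sets sport=443
OTHER_HOST_22 = Packet("tcp", "198.51.100.7", 51236, "2.2.3.5", 22)    # not a protected host


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (action under ORIGINAL, action under CORRECTED) for one packet."""
    return evaluate(ORIGINAL, pkt)[0], evaluate(CORRECTED, pkt)[0]


if __name__ == "__main__":
    for name, pkt in [("client->443", CLIENT_TO_443), ("client->22", CLIENT_TO_22),
                      ("ping", PING), ("sport443->22", SRC_PORT_443_TO_22),
                      ("otherhost->22", OTHER_HOST_22)]:
        print(f"{name:14s} original={compare(pkt)[0]:6s} corrected={compare(pkt)[1]}")
```

The fourth packet is the part worth remembering: besides failing to open 443, the original list *permits* anything whose source port is 80 or 443 to reach 2.2.3.4 on every port, because those entries never look at the destination. A scanner can pick its source port freely (nmap's `-g`/`--source-port` option exists for exactly this), so a source-port-only permit above a deny is an ACL bypass, not just a typo.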