nanog mailing list archives
Re: Stupid Cisco ACL question
From: up () 3 am
Date: Thu, 21 Apr 2011 15:42:51 -0400
Thanks everyone, of course this is what I wanted. Like I said, a stupid ACL question...I'm blaming heavy medication, sorry for the noise!
> On Thu, 21 Apr 2011, up () 3 am wrote:
>
>> permit tcp any eq 443 any
>> permit tcp any eq 80 any
>> deny ip any host 2.2.3.4
>> permit ip any any
>>
>> This is applied to an inbound interface(s). We want anybody outside to be able to reach ports 80 and 443 of any host on our network, no matter what, then block ALL other access to select hosts, such as 2.2.3.4, even ICMP. However, as soon as I apply this rule to the interface, ports 80 and 443 of that host become unreachable. A telnet to 2.2.3.4 443 gets "Connection refused" until I tear out the deny ACL above. I even tried adding udp for both ports, to no avail.
>
> Your ACL is applying the 80 & 443 as source ports, not destination ports. You probably want:
>
> permit tcp any any eq 443
> permit tcp any any eq 80
> deny ip any host 2.2.3.4
> permit ip any any
>
> ________________________________________________________________________
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-ford () uiowa edu, phone: 319-335-5555, fax: 319-335-2951
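To make the source-port versus destination-port mistake concrete, here is a small evaluator for the Cisco-style extended ACL lines quoted above. It is an added example, not code from the thread or from Cisco; the client address, ephemeral source port and the first-match-with-implicit-deny semantics are assumptions for the demonstration.

```python
# Added example (not from the thread): evaluate Cisco-style extended ACL
# lines against a packet to show why "eq 443" placed after the SOURCE
# "any" tests the source port, which an inbound client never uses.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int

def _parse_side(tokens, i):
    """Parse 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return addr, port, i

def parse_ace(line):
    """'permit tcp any eq 443 any' -> dict of match fields (None = wildcard)."""
    t = line.split()
    src, sport, i = _parse_side(t, 2)
    dst, dport, _ = _parse_side(t, i)
    return dict(action=t[0], proto=t[1], src=src, sport=sport, dst=dst, dport=dport)

def _matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    return all(ace[f] is None or ace[f] == getattr(pkt, f)
               for f in ("src", "sport", "dst", "dport"))

def evaluate(acl_lines, pkt):
    """First matching entry wins; Cisco ACLs end with an implicit deny."""
    for line in acl_lines:
        if _matches(parse_ace(line), pkt):
            return parse_ace(line)["action"], line
    return "deny", "implicit deny"

WRONG_ACL = ["permit tcp any eq 443 any", "permit tcp any eq 80 any",
             "deny ip any host 2.2.3.4", "permit ip any any"]
FIXED_ACL = ["permit tcp any any eq 443", "permit tcp any any eq 80",
             "deny ip any host 2.2.3.4", "permit ip any any"]
# Constructed inbound HTTPS connection: ephemeral source port, dst port 443.
CLIENT_HTTPS = Packet("tcp", "198.51.100.7", 51515, "2.2.3.4", 443)
```

Running `evaluate(WRONG_ACL, CLIENT_HTTPS)` hits the deny line because no inbound client sends from source port 443, while `evaluate(FIXED_ACL, CLIENT_HTTPS)` matches the first permit; ICMP to 2.2.3.4 is still denied by both.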