Re: Stupid Cisco ACL question

[up () 3 am]

Thanks everyone, of course this is what I wanted.  Like I said, a stupid
ACL question...I'm blaming heavy medication, sorry for the noise!


> On Thu, 21 Apr 2011, up () 3 am wrote:
> > permit tcp any eq 443 any
> > permit tcp any eq 80 any
> > deny ip any host 2.2.3.4
> > permit ip any any
> >
> > This is applied to an inbound interface(s).  We want anybody outside to
> > be
> > able to reach ports 80 and 443 of any host on our network, no matter
> > what,
> > then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
> > However, as soon as I apply this rule to the interface, ports 80 and 443
> > of that host become unreachable.  A telnet to 2.2.3.4 443 gets
> > "Connection
> > refused" until I tear out the deny ACL above.  I even tried adding udp
> > for
> > both ports, to no avail.
>
> Your ACL is apply the 80 & 443 as source ports, not destination ports.
>
> You probably want:
>     permit tcp any any eq 443
>     permit tcp any any eq 80
>     deny ip any host 2.2.3.4
>     permit ip any any
>
> ________________________________________________________________________
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-ford () uiowa edu, phone: 319-335-5555, fax: 319-335-2951