
ACL to allow only web

Hi

Can someone suggest a solution?

I have configured an access list to allow a particular subnet to have access to the web & mail server.
The configuration is as follows

Access-list 101 permit tcp <network id> <mask> eq www
Access-list 101 permit tcp <network id> <mask> host <mail server ip> eq SMTP
Access-list 101 permit tcp <network id> <mask> host <mail server ip> eq pop3
Access-list 101 permit ip any any

On the interface

ip access-group 101 in
ip access-group 101 out

By default, it has to deny all the traffic other than whichever is permitted in the ACL. But it's allowing all the traffic. The ACL is not working.

Asked by: veera2477
3 Solutions

tofistof commented:
Hi,
I think your problem is at the end of the ACL definition: you permit all traffic, so the ACL doesn't apply what you entered first.

This can be good:

Access-list 101 permit tcp <network id> <mask> eq www
Access-list 101 permit tcp <network id> <mask> host <mail server ip> eq SMTP
Access-list 101 permit tcp <network id> <mask> host <mail server ip> eq pop3
Access-list 101 deny ip any any


lrmoore commented:
tofistof is correct, you need to change the last line to a deny instead of a permit, but then you will break everything anyway.

Which interface is this assigned to? We don't generally see both in and out because the request going out won't have the same destination ports coming back in.
Also, with your extended acl number, you also need a destination (host or network) for the first line.

geoffryn commented:
You also need an entry to allow DNS requests or browsing will fail.

Access-list 101 permit tcp <network id> <mask> gt 1023 any eq www

Access-list 101 permit udp <network id> <mask> any eq 53

Access-list 101 permit tcp <network id> <mask> any eq 53


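As an added illustration (not code from this thread or from Cisco), here is a small Python model of Cisco first-match ACL evaluation, using constructed addresses in place of the posted placeholders. It shows why the original list with a trailing permit ip any any denies nothing, why dropping that line (tofistof) and adding the DNS entries (geoffryn) gives the intended result, and why, as lrmoore notes, the same list applied outbound would block return traffic.

```python
import ipaddress

# Constructed sample values standing in for the thread's <network id> <mask>
# and <mail server ip> placeholders (assumptions, not taken from the post).
DEPT_NET = "10.1.20.0/24"
MAIL_SERVER = "192.0.2.25/32"
ANY = "0.0.0.0/0"

def ace(action, proto, src, dst, sport=None, dport=None):
    """One access-control entry; port conditions are (operator, port) tuples."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "sport": sport, "dport": dport}

def _port_ok(cond, port):
    if cond is None:          # no port operator: any port matches
        return True
    op, n = cond
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]

def evaluate(acl, proto, src, dst, sport, dport):
    """Cisco-style first-match walk: the first matching entry decides."""
    for e in acl:
        if e["proto"] not in ("ip", proto):       # 'ip' entries match tcp and udp
            continue
        if (ipaddress.ip_address(src) not in e["src"]
                or ipaddress.ip_address(dst) not in e["dst"]):
            continue
        if not (_port_ok(e["sport"], sport) and _port_ok(e["dport"], dport)):
            continue
        return e["action"]
    return "deny"  # the implicit deny ip any any at the end of every Cisco ACL

# The poster's list. Its first line has no destination (lrmoore's point);
# it is modelled here as "any". The trailing permit catches everything the
# earlier lines did not, so the implicit deny is never reached.
ORIGINAL = [
    ace("permit", "tcp", DEPT_NET, ANY, dport=("eq", 80)),
    ace("permit", "tcp", DEPT_NET, MAIL_SERVER, dport=("eq", 25)),
    ace("permit", "tcp", DEPT_NET, MAIL_SERVER, dport=("eq", 110)),
    ace("permit", "ip", ANY, ANY),
]

# tofistof's version (trailing permit removed) plus geoffryn's DNS entries.
FIXED = [
    ace("permit", "tcp", DEPT_NET, ANY, sport=("gt", 1023), dport=("eq", 80)),
    ace("permit", "tcp", DEPT_NET, MAIL_SERVER, dport=("eq", 25)),
    ace("permit", "tcp", DEPT_NET, MAIL_SERVER, dport=("eq", 110)),
    ace("permit", "udp", DEPT_NET, ANY, dport=("eq", 53)),
    ace("permit", "tcp", DEPT_NET, ANY, dport=("eq", 53)),
]
```

Evaluating a reply packet (source on the Internet, destination in the department subnet) against FIXED returns "deny", which is the outbound breakage lrmoore describes; the fix is to apply the list in one direction only.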
veera2477 (Author) commented:
Hi lrmoore

I have configured the ACL on my Ethernet interface; the main objective is to block access for one department.

If I deny ip any any, then all the IP traffic will be blocked.
Then is it necessary to configure the following lines to have access to the mail server?

Access-list 101 permit ip <network id> <mask> host <mail server ip> eq SMTP

Access-list 101 permit ip <network id> <mask> host <mail server ip> eq SMTP

or will it work without configuring the above lines?

I am a little confused about TCP traffic & IP traffic; can you please explain?
lrmoore commented:
veera2477 (Author) commented:
Hi lrmoore

Thanks for your references.

I'll configure the ACL & update you.

lrmoore commented:
Any updates for us yet?
veera2477 (Author) commented:
Hi All

I configured it by allowing only a few IP addresses & denied all others.

With the following access lists, it works fine.

Access-list 101 permit tcp <network id> <mask> gt 1023 any eq www

Access-list 101 permit udp <network id> <mask> any eq 53

Access-list 101 permit tcp <network id> <mask> any eq 53

Thanks for all your help.

lrmoore commented:
You can use the instructions here to close out this Question:

http://www.apollois.com/EE/Help/Closing_Questions.htm


lrmoore commented:
veera2477,
No comment has been added lately (44 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: split points between tofistof, lrmoore@nw, geoffryn

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers,
please post comments here where a Moderator will see it.