Solved

ACL to allow only web

Posted on 2003-03-18
Last Modified: 2010-04-17
Hi

Can someone suggest the solution?

I have configured an access list to allow a particular subnet to have access to the web & mail server.
The configuration is as follows:

Access-list 101 permit tcp <network id> <mask> eq www
Access-list 101 permit tcp <network id> <mask> host <mail server ip> eq SMTP
Access-list 101 permit tcp <network id> <mask> host <mail server ip> eq pop3
Access-list 101 permit ip any any

On the interface:

ip access-group 101 in
ip access-group 101 out

By default, it has to deny all the traffic other than whatever is permitted in the ACL. But it's allowing all the traffic. The ACL is not working.
Question by:veera2477
11 Comments
Accepted Solution

by:
tofistof earned 100 total points
ID: 8157753
Hi,
I think your problem is at the end of the definition of the ACL: you permit all traffic, so the ACL doesn't apply what you entered first.

This can be good:

Access-list 101 permit tcp <network id> <mask> eq www
Access-list 101 permit tcp <network id> <mask> host <mail server ip> eq SMTP
Access-list 101 permit tcp <network id> <mask> host <mail server ip> eq pop3
Access-list 101 deny ip any any

LVL 79

Expert Comment

by:lrmoore
ID: 8158926
tofistof is correct, you need to change the last line to a deny instead of a permit, but then you will break everything anyway.

Which interface is this assigned to? We don't generally see both in and out because the request going out won't have the same destination ports coming back in.
Also, with your extended ACL number, you need a destination (host or network) for the first line.

LVL 11

Assisted Solution

by:geoffryn
geoffryn earned 100 total points
ID: 8161934
You also need an entry to allow DNS requests or browsing will fail.

Access-list 101 permit tcp <network id> <mask> gt 1023 any eq www
Access-list 101 permit udp <network id> <mask> any eq 53
Access-list 101 permit tcp <network id> <mask> any eq 53


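As an added illustration (not code from anyone in this thread), the Python below models how IOS walks an extended ACL top-down, first match wins, with the implicit deny at the end. It parses the ACE lines quoted above using constructed stand-ins for the <network id> <mask> and <mail server ip> placeholders, rejects an ACE that has no destination (lrmoore's point) or a port operator on an ip ACE, and contrasts the accepted answer's trailing deny with the question's trailing permit ip any any. It checks one direction only; return traffic and the in/out interface question are not modeled.

```python
import ipaddress
# Constructed stand-ins for the thread's <network id> <mask> and
# <mail server ip> placeholders (assumptions, not taken from the page).
NET, WILD, MAIL = "10.1.0.0", "0.0.255.255", "192.168.5.25"
PORTS = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53}

def parse_ace(line):  # subset of IOS extended-ACE syntax: any / host A / A wildcard, eq / gt
    text = (line.lower().replace("<network id> <mask>", f"{NET} {WILD}")
            .replace("<mail server ip>", MAIL))
    t, i = text.split(), 4                      # t[0..3] = access-list N action proto
    def addr():
        nonlocal i
        if t[i] == "any":
            net, wild, i = "0.0.0.0", "255.255.255.255", i + 1
        elif t[i] == "host":
            net, wild, i = t[i + 1], "0.0.0.0", i + 2
        else:
            net, wild, i = t[i], t[i + 1], i + 2
        bits = 32 - bin(int(ipaddress.ip_address(wild))).count("1")  # wildcard -> prefix length
        return ipaddress.ip_network(f"{net}/{bits}", strict=False)
    def port():
        nonlocal i
        if i < len(t) and t[i] in ("eq", "gt"):
            op, val, i = t[i], t[i + 1], i + 2
            return op, PORTS.get(val) or int(val)
        return None, None
    src, sp = addr(), port()
    if i >= len(t): raise ValueError("missing destination: " + line)  # lrmoore's point
    dst, dp = addr(), port()
    if t[3] == "ip" and (sp[0] or dp[0]): raise ValueError("port operator on ip ACE: " + line)
    return dict(action=t[2], proto=t[3], src=src, sp=sp, dst=dst, dp=dp)

def _ok(op, want, got):
    return op is None or (op == "eq" and got == want) or (op == "gt" and got > want)

def evaluate(acl, proto, src, sport, dst, dport):
    # Top-down, first matching ACE wins; anything unmatched hits the implicit deny.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if (a["proto"] in ("ip", proto) and s in a["src"] and d in a["dst"]
                and _ok(*a["sp"], sport) and _ok(*a["dp"], dport)):
            return a["action"]
    return "deny"

FIXED_ACL = [parse_ace(l) for l in [          # accepted answer's shape plus geoffryn's lines
    "Access-list 101 permit tcp <network id> <mask> gt 1023 any eq www",
    "Access-list 101 permit tcp <network id> <mask> host <mail server ip> eq SMTP",
    "Access-list 101 permit udp <network id> <mask> any eq 53",
    "Access-list 101 deny ip any any"]]
OPEN_ACL = FIXED_ACL[:-1] + [parse_ace("Access-list 101 permit ip any any")]  # as posted
```

With the trailing permit ip any any, a telnet session from the subnet still returns "permit"; with the explicit (or implicit) deny it returns "deny", and DNS only passes because of the udp 53 line.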

Author Comment

by:veera2477
ID: 8163605
Hi lrmoore

I have configured the ACL on my Ethernet interface; the main objective is to block access for one department.

If I deny ip any any, then all the IP traffic will be blocked.
Then is it necessary to configure the following lines to have access to the mail server?

Access-list 101 permit ip <network id> <mask> host <mail server ip> eq SMTP

Access-list 101 permit ip <network id> <mask> host <mail server ip> eq SMTP

Or will it work without configuring the above lines?

I am a little confused with TCP traffic & IP traffic; can you please explain.
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 8164134
Author Comment

by:veera2477
ID: 8178320
Hi lrmoore

Thanks for your references.

I'll configure the ACL & update you.

LVL 79

Expert Comment

by:lrmoore
ID: 8233788
Any updates for us yet?

Author Comment

by:veera2477
ID: 8240347
Hi All

I configured it by allowing only a few IP addresses & denied all others.

With the following access lists, it works fine.

Access-list 101 permit tcp <network id> <mask> gt 1023 any eq www
Access-list 101 permit udp <network id> <mask> any eq 53
Access-list 101 permit tcp <network id> <mask> any eq 53

Thanks for all your help.

LVL 79

Expert Comment

by:lrmoore
ID: 8442646
You can use the instructions here to close out this Question:

http://www.apollois.com/EE/Help/Closing_Questions.htm

LVL 79

Expert Comment

by:lrmoore
ID: 8725642
veera2477,
No comment has been added lately (44 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: split points between tofistof, lrmoore@nw, geoffryn

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers,
please post comments here where a Moderator will see it.