CISCO 1841 ACCESS LIST

I have a Cisco 1841 router, and all clients access the internet using router 192.168.1.1. Now I want to restrict the WWW port for some clients and allow only SMTP access to all PCs using an ACL. The running config is as follows, and the access list I am applying is also below, but as soon as I put the access-group on either E0/0 or E0/1, all clients' SMTP and WWW ports become stopped. Please help me to solve the issue.

sh run is:

EMAMI_HALDIA#sh run
Building configuration...
 
Current configuration : 3648 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EMAMI_HALDIA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 192.168.1.241 192.168.1.255
!
ip dhcp pool 192.168.1.0/24
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 203.124.20.100 203.124.16.100
!
!
ip domain name yourdomain.com
ip name-server 203.124.20.100
ip name-server 203.124.16.100
!
username cisco privilege 15 secret 5 $1$d3v5$fpiBkT01r9GsPWMy6Ue140
!
!
!
interface Tunnel499
 description ***** INTERNET TUNNEL *****
 ip address 3.3.5.78 255.255.255.252
 ip mtu 1524
 ip nat outside
 ip tcp adjust-mss 1400
 load-interval 30
 tunnel source 71.3.88.77
 tunnel destination 71.2.5.130
!
interface FastEthernet0/0
 description ***** Tulip Wan Link ****
 ip address 71.3.88.77 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ***** Local Lan *****
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel499 name Internet
ip route 71.0.0.0 255.0.0.0 71.3.88.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool internet 203.124.21.208 203.124.21.208 netmask 255.255.255.0
ip nat inside source list 10 pool internet overload
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
 
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use.
 
For more information about SDM please follow the instructions in the QUICK START
 
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
end
 
EMAMI_HALDIA#

 
I want to implement the access list as below:

deny tcp host 192.168.1.20 any eq 80
deny tcp host 192.168.1.12 any eq 80
deny tcp host 192.168.1.15 any eq 80
deny tcp host 192.168.1.16 any eq 80
deny tcp host 192.168.1.22 any eq 80
deny tcp host 192.168.1.27 any eq 80
deny tcp host 192.168.1.28 any eq 80
deny tcp host 192.168.1.29 any eq 80
deny tcp host 192.168.1.31 any eq 80
deny tcp host 192.168.1.33 any eq 80
deny tcp host 192.168.1.34 any eq 80
deny tcp host 192.168.1.35 any eq 80
deny tcp host 192.168.1.36 any eq 80
deny tcp host 192.168.1.26 any eq 80
deny tcp host 192.168.1.19 any eq 80
deny tcp host 192.168.1.38 any eq 80
deny tcp host 192.168.1.39 any eq 80
deny tcp host 192.168.1.37 any eq 80
deny tcp host 192.168.1.41 any eq 80
deny tcp host 192.168.1.42 any eq 80
deny tcp host 192.168.1.46 any eq 80
deny tcp host 192.168.1.47 any eq 80
deny tcp host 192.168.1.48 any eq 80
deny tcp host 192.168.1.151 any eq 80
permit tcp any any
Subhash1979Asked:
bkepfordCommented:
change last line to
permit ip any any

0
bkepfordCommented:
Oh and apply access-group inbound direction on internal interface
interface fastethernet 0/1
ip access-group 101 in
0
lrmooreCommented:
If you don't also deny https and 8080 then users will find anonymous proxies and go right around your acl.
What is it exactly that you want to restrict and how strict do you want to be?
0
Subhash1979Author Commented:
Thanks a lot. My problem is solved. I was facing the problem due to only one line, that is the last line.
0
bkepfordCommented:
Well only the bad employees :)
Good call lrmoore.
0
Subhash1979Author Commented:
Hi lrmoore. I just want to stop the internet browser, and only Outlook should work on all PCs, like this.

Please provide more suggestions if you have any.
0
lrmooreCommented:
You can permit the ones you want and deny all others, or deny each one individually, depending on how many there are.

Example to permit individually:

access-list 101 permit ip host 192.168.1.11 any
access-list 101 permit ip host 192.168.1.13 any
access-list 101 permit ip host 192.168.1.14 any
access-list 101 permit ip host 192.168.1.17 any
<etc>
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit ip any any

Or deny individually:
access-list 101 deny tcp host 192.168.1.20 any eq 80
access-list 101 deny tcp host 192.168.1.22 any eq 80
access-list 101 deny tcp host 192.168.1.12 any eq 80
<etc>
access-list 101 permit ip any any

Use whichever method creates the fewest lines of access-list.
You realize that things like Windows updates might not work if you block browsing? How about Anti-virus updates?
Before you just start blocking people, be sure of the reasons why. Do you have an Internet Acceptable Use Policy that everyone has to read and understand? Does it spell out that a person may lose their web browsing "privilege" if they abuse it? Do you have anything in place that tells you that they do, in fact, abuse the privilege?
I mention that because what if something happens to you and your sudden replacement does not know that there are acls on the router and starts trying to troubleshoot why employeeX cannot get to the internet? He may spend hours of time trying to figure it out, not thinking to look at the acl on the router.
0
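As an added example that is not part of this thread or of the poster's router config, the Python script below simulates IOS first-match evaluation of an extended ACL (including the implicit deny at the end) over constructed ACLs built from the question's lines, bkepford's "permit ip any any" fix and lrmoore's subnet form. It shows one concrete consequence of ending the list with "permit tcp any any": any non-TCP packet, such as a UDP DNS lookup, falls through to the implicit deny, while with the fix only the listed hosts lose port 80 and, as lrmoore notes, port 443 still passes. The packet addresses and the wildcard-mask handling (contiguous masks only) are assumptions of this example.

```python
import ipaddress

# Constructed sample ACLs (not taken from the poster's router): the original
# ending in "permit tcp any any", bkepford's fix, and lrmoore's subnet variant.
ORIGINAL_ACL = ["deny tcp host 192.168.1.20 any eq 80",
                "deny tcp host 192.168.1.12 any eq 80",
                "permit tcp any any"]
FIXED_ACL = ORIGINAL_ACL[:-1] + ["permit ip any any"]
SUBNET_ACL = ["permit ip host 192.168.1.11 any",
              "deny tcp 192.168.1.0 0.0.0.255 any eq 80",
              "permit ip any any"]

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        tokens = ["0.0.0.0", "255.255.255.255"] + tokens[1:]
    elif tokens[0] == "host":
        tokens = [tokens[1], "0.0.0.0"] + tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Cisco wildcard: 0 bits must match, so invert it into a netmask (assumes a contiguous mask).
    mask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    net = ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)
    return net, tokens[2:]

def _parse_port(tokens):
    """Optional 'eq N' qualifier after an address spec."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse one extended ACE: action proto src [eq p] dst [eq p]."""
    tokens = line.split()
    src, rest = _parse_addr(tokens[2:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)
    return {"action": tokens[0], "proto": tokens[1], "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None, sport=None):
    """IOS semantics: first matching ACE wins; no match hits the implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):   # "ip" matches every protocol
            continue
        if (ipaddress.ip_address(src) in ace["src"] and ipaddress.ip_address(dst) in ace["dst"]
                and ace["sport"] in (None, sport) and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"
```

Running evaluate(ORIGINAL_ACL, "udp", "192.168.1.20", "203.124.20.100", 53) returns "deny", while the same lookup against FIXED_ACL returns "permit".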