Solved

ACL QUERY REGARDING - HTTP BROWSER/WEB SERVER

Posted on 2011-10-01
7
301 Views
Last Modified: 2012-05-12
Hi if I want to block 'Web access' via a 'browser' for 'All users' 'Except' for a specific user, I would do the following for example

Just for this scenario Ive missed out 'ip address etc for eg!!!

Router

Int fa0/0
ip access-group 101 in
no shut

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

obviously normally ' ip http server' is already by default on the router and if I wanted everyone connected 'NOT' to use the 'Web browser - http://x.x.x.x - I would add :  no ip http server

What I wish to know about is if I wish to block my 'Website' which happens to run on my actual company 'Server', which I think is then known as the 'Intranet', how would I block this or am I getting confused with the above example?
0
Comment
Question by:mikey250
  • 4
  • 3
7 Comments
 
LVL 6

Accepted Solution

by:
snickered earned 500 total points
ID: 36896273
'ip http server' runs an http server on the router itself.  It has nothing to do with your users being able to browse the internet.  If you wanted to allow a single host (192.168.1.10) and deny all others from browsing the network 10.0.0.0/24 then your ACLs would be like this:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

That is assuming 192.168.1.0/24 is on the fa0/0 interface. e.g. 192.168.1.0/24 -> ( fa0/0 ROUTER fa0/1 ) -> 10.0.0.0/24
0
 

Author Comment

by:mikey250
ID: 36896305
Hi snickered,  Yes that 'ACL' is identical to my main thread!!!

So if Ive got a website up and running on my actual server, although Ive configured a specific host to be 'permitted access' via www, how would I block access to the website specifically or Im assuming that I would not do it that way as I either block port 80/www, which has already been done or I just block access to the specific Server running the website?
0
 

Author Comment

by:mikey250
ID: 36896314
Obviously I cannot actually access a website via means of 'ACL's, as I would then have to use some 'VNC' software for example to allow this type of access onto the actual server itself!!
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 6

Assisted Solution

by:snickered
snickered earned 500 total points
ID: 36896580
You wrote:

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www

I wrote:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www

See the difference now?  

Let's say you have a network of 192.168.1.0/24 on the fa0/0 interface and another network of 10.0.0.0/24 on the fa0/1 interface.  If there was a web server located on the 10.0.0.0/24 network and wanted only the host of 192.168.1.10 to access tcp port 80 on the 10.0.0.0/24 network then you would do:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

int fa0/0
ip access-group 101 in
no shut

Open in new window


And as you already know you would have to set an IP address on your fa0/0 interface.

0
 

Author Comment

by:mikey250
ID: 36896642
Hi Snickered,  Ive tested both and both work!! Yes Ip addresses would be added!!

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

int fa0/0
ip access-group 101 in
no shut

or

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

Int fa0/0
ip access-group 101 in
no shut
0
 
LVL 6

Expert Comment

by:snickered
ID: 36896845
It works?  That's great!  Assign points if your question is answered.
0
 

Author Closing Comment

by:mikey250
ID: 36897026
Sound advice!!!!!!!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now