Solved

ACL QUERY REGARDING - HTTP BROWSER/WEB SERVER

Posted on 2011-10-01
Last Modified: 2012-05-12
Hi, if I want to block 'Web access' via a 'browser' for 'All users' 'Except' for a specific user, I would do the following, for example:

Just for this scenario I've missed out 'ip address' etc. for e.g.!!!

Router

Int fa0/0
ip access-group 101 in
no shut

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

Obviously, normally 'ip http server' is already on by default on the router, and if I wanted everyone connected 'NOT' to use the 'Web browser' - http://x.x.x.x - I would add: no ip http server

What I wish to know about is if I wish to block my 'Website' which happens to run on my actual company 'Server', which I think is then known as the 'Intranet', how would I block this or am I getting confused with the above example?
0
Comment
Question by:mikey250
7 Comments
 
LVL 6

Accepted Solution

by:
snickered earned 500 total points
ID: 36896273
'ip http server' runs an http server on the router itself.  It has nothing to do with your users being able to browse the internet.  If you wanted to allow a single host (192.168.1.10) and deny all others from browsing the network 10.0.0.0/24 then your ACLs would be like this:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

That is assuming 192.168.1.0/24 is on the fa0/0 interface. e.g. 192.168.1.0/24 -> ( fa0/0 ROUTER fa0/1 ) -> 10.0.0.0/24
0
 

Author Comment

by:mikey250
ID: 36896305
Hi snickered,  Yes that 'ACL' is identical to my main thread!!!

So if I've got a website up and running on my actual server, although I've configured a specific host to be 'permitted access' via www, how would I block access to the website specifically, or I'm assuming that I would not do it that way, as I either block port 80/www, which has already been done, or I just block access to the specific Server running the website?
0
 

Author Comment

by:mikey250
ID: 36896314
Obviously I cannot actually access a website via means of 'ACL's, as I would then have to use some 'VNC' software for example to allow this type of access onto the actual server itself!!
0
 
LVL 6

Assisted Solution

by:snickered
snickered earned 500 total points
ID: 36896580
You wrote:

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www

I wrote:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www

See the difference now?  

Let's say you have a network of 192.168.1.0/24 on the fa0/0 interface and another network of 10.0.0.0/24 on the fa0/1 interface.  If there was a web server located on the 10.0.0.0/24 network and wanted only the host of 192.168.1.10 to access tcp port 80 on the 10.0.0.0/24 network then you would do:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

int fa0/0
ip access-group 101 in
no shut



And as you already know you would have to set an IP address on your fa0/0 interface.

0
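Added example, not part of the thread: a small Python evaluator for the two ACL entries in the answer above, showing first-match order, wildcard-mask matching and the implicit deny that ends every ACL. The parser, the sample packets in the test and the `permit ip any any` variant are constructed for illustration and cover only the entry forms used on this page.

```python
import ipaddress

PORTS = {"www": 80}  # IOS keyword for TCP port 80

ACL = [  # the two entries from the answer above
    "access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www",
]
# Constructed variant: an explicit final permit replaces the implicit deny
ACL_OPEN = ACL + ["access-list 101 permit ip any any"]

def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":  # 'host A' is complete: no wildcard follows
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def parse(line):
    t = line.split()[2:]  # drop 'access-list 101'
    action, proto, t = t[0], t[1], t[2:]
    src, t = _addr(t)
    dst, t = _addr(t)
    port = None
    if t:
        # a wildcard written after 'host A' ends up here as a stray token
        if t[0] != "eq" or len(t) != 2:
            raise ValueError(f"unexpected tokens: {t}")
        port = PORTS.get(t[1]) or int(t[1])
    return action, proto, src, dst, port

def _hit(ip, spec):
    base, wild = spec  # wildcard bits set to 1 mean "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, dport):
    """Return (action, matching entry number); entry None = implicit deny."""
    for n, line in enumerate(acl, 1):
        action, p, s, d, port = parse(line)
        if p not in ("ip", proto):
            continue
        if _hit(src, s) and _hit(dst, d) and port in (None, dport):
            return action, n  # first match wins, later entries are ignored
    return "deny", None  # implicit 'deny ip any any'
```

With only the two entries applied inbound on fa0/0, everything other than the permitted host's port-80 traffic is dropped, the non-web traffic by the implicit deny. `eq www` matches TCP port 80 only, so HTTPS on 443 needs its own entry.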
 

Author Comment

by:mikey250
ID: 36896642
Hi Snickered, I've tested both and both work!! Yes, IP addresses would be added!!

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

int fa0/0
ip access-group 101 in
no shut

or

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

Int fa0/0
ip access-group 101 in
no shut
0
 
LVL 6

Expert Comment

by:snickered
ID: 36896845
It works?  That's great!  Assign points if your question is answered.
0
 

Author Closing Comment

by:mikey250
ID: 36897026
Sound advice!!!!!!!
0
