Solved

ACL QUERY REGARDING - HTTP BROWSER/WEB SERVER

Posted on 2011-10-01
7
309 Views
Last Modified: 2012-05-12
Hi if I want to block 'Web access' via a 'browser' for 'All users' 'Except' for a specific user, I would do the following for example

Just for this scenario Ive missed out 'ip address etc for eg!!!

Router

Int fa0/0
ip access-group 101 in
no shut

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

obviously normally ' ip http server' is already by default on the router and if I wanted everyone connected 'NOT' to use the 'Web browser - http://x.x.x.x - I would add :  no ip http server

What I wish to know about is if I wish to block my 'Website' which happens to run on my actual company 'Server', which I think is then known as the 'Intranet', how would I block this or am I getting confused with the above example?
0
Comment
Question by:mikey250
  • 4
  • 3
7 Comments
 
LVL 6

Accepted Solution

by:
snickered earned 500 total points
ID: 36896273
'ip http server' runs an http server on the router itself.  It has nothing to do with your users being able to browse the internet.  If you wanted to allow a single host (192.168.1.10) and deny all others from browsing the network 10.0.0.0/24 then your ACLs would be like this:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

That is assuming 192.168.1.0/24 is on the fa0/0 interface. e.g. 192.168.1.0/24 -> ( fa0/0 ROUTER fa0/1 ) -> 10.0.0.0/24
0
 

Author Comment

by:mikey250
ID: 36896305
Hi snickered,  Yes that 'ACL' is identical to my main thread!!!

So if Ive got a website up and running on my actual server, although Ive configured a specific host to be 'permitted access' via www, how would I block access to the website specifically or Im assuming that I would not do it that way as I either block port 80/www, which has already been done or I just block access to the specific Server running the website?
0
 

Author Comment

by:mikey250
ID: 36896314
Obviously I cannot actually access a website via means of 'ACL's, as I would then have to use some 'VNC' software for example to allow this type of access onto the actual server itself!!
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 6

Assisted Solution

by:snickered
snickered earned 500 total points
ID: 36896580
You wrote:

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www

I wrote:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www

See the difference now?  

Let's say you have a network of 192.168.1.0/24 on the fa0/0 interface and another network of 10.0.0.0/24 on the fa0/1 interface.  If there was a web server located on the 10.0.0.0/24 network and wanted only the host of 192.168.1.10 to access tcp port 80 on the 10.0.0.0/24 network then you would do:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

int fa0/0
ip access-group 101 in
no shut

Open in new window


And as you already know you would have to set an IP address on your fa0/0 interface.

0
 

Author Comment

by:mikey250
ID: 36896642
Hi Snickered,  Ive tested both and both work!! Yes Ip addresses would be added!!

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

int fa0/0
ip access-group 101 in
no shut

or

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

Int fa0/0
ip access-group 101 in
no shut
0
 
LVL 6

Expert Comment

by:snickered
ID: 36896845
It works?  That's great!  Assign points if your question is answered.
0
 

Author Closing Comment

by:mikey250
ID: 36897026
Sound advice!!!!!!!
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
fibre channel switch - sfp needed? 2 49
Cisco 3560 Switch with Multiple Gateways 10 74
Best adsl router for small MS network 6 41
Port Forwarding 4 28
I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question