Solved

ACL QUERY REGARDING - HTTP BROWSER/WEB SERVER

Posted on 2011-10-01
7
297 Views
Last Modified: 2012-05-12
Hi if I want to block 'Web access' via a 'browser' for 'All users' 'Except' for a specific user, I would do the following for example

Just for this scenario Ive missed out 'ip address etc for eg!!!

Router

Int fa0/0
ip access-group 101 in
no shut

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

obviously normally ' ip http server' is already by default on the router and if I wanted everyone connected 'NOT' to use the 'Web browser - http://x.x.x.x - I would add :  no ip http server

What I wish to know about is if I wish to block my 'Website' which happens to run on my actual company 'Server', which I think is then known as the 'Intranet', how would I block this or am I getting confused with the above example?
0
Comment
Question by:mikey250
  • 4
  • 3
7 Comments
 
LVL 6

Accepted Solution

by:
snickered earned 500 total points
Comment Utility
'ip http server' runs an http server on the router itself.  It has nothing to do with your users being able to browse the internet.  If you wanted to allow a single host (192.168.1.10) and deny all others from browsing the network 10.0.0.0/24 then your ACLs would be like this:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

That is assuming 192.168.1.0/24 is on the fa0/0 interface. e.g. 192.168.1.0/24 -> ( fa0/0 ROUTER fa0/1 ) -> 10.0.0.0/24
0
 

Author Comment

by:mikey250
Comment Utility
Hi snickered,  Yes that 'ACL' is identical to my main thread!!!

So if Ive got a website up and running on my actual server, although Ive configured a specific host to be 'permitted access' via www, how would I block access to the website specifically or Im assuming that I would not do it that way as I either block port 80/www, which has already been done or I just block access to the specific Server running the website?
0
 

Author Comment

by:mikey250
Comment Utility
Obviously I cannot actually access a website via means of 'ACL's, as I would then have to use some 'VNC' software for example to allow this type of access onto the actual server itself!!
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 6

Assisted Solution

by:snickered
snickered earned 500 total points
Comment Utility
You wrote:

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www

I wrote:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www

See the difference now?  

Let's say you have a network of 192.168.1.0/24 on the fa0/0 interface and another network of 10.0.0.0/24 on the fa0/1 interface.  If there was a web server located on the 10.0.0.0/24 network and wanted only the host of 192.168.1.10 to access tcp port 80 on the 10.0.0.0/24 network then you would do:

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

int fa0/0
ip access-group 101 in
no shut

Open in new window


And as you already know you would have to set an IP address on your fa0/0 interface.

0
 

Author Comment

by:mikey250
Comment Utility
Hi Snickered,  Ive tested both and both work!! Yes Ip addresses would be added!!

access-list 101 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

int fa0/0
ip access-group 101 in
no shut

or

access-list 101 permit tcp host 192.168.1.10 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www

Int fa0/0
ip access-group 101 in
no shut
0
 
LVL 6

Expert Comment

by:snickered
Comment Utility
It works?  That's great!  Assign points if your question is answered.
0
 

Author Closing Comment

by:mikey250
Comment Utility
Sound advice!!!!!!!
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now