Cisco Router Access List

I have a Cisco Router where gig0/0 is connected to the internet and Vlan1 is also using a public ip address with an ACL applied to it.  I want to allow a specific IP range to port 80 on a server connected to the VLAN interface on the router at ip address: 199.199.199.2

interface GigabitEthernet0/0
 ip address 71.x.x.x 255.255.255.252
 ip accounting output-packets
 ip accounting precedence input
 ip accounting precedence output
 ip nat outside
 ip virtual-reassembly

interface Vlan1
 ip address 199.199.199.1 255.255.252.0
 ip access-group acl-inbound in

ip access-list extended acl-inbound
 permit tcp 87.87.87.0 0.0.0.255 199.199.199.2 0.0.0.0 eq 80
 deny ip any any

That's really the only unique code in the config. I do a sh access-list and it doesn't even show me a hit count on the ACL.  What am I doing wrong?
lconnell (Author) asked:

Don Johnston (Instructor) commented:
Either reverse the source and destination address or apply the ACL outbound
0
lconnell (Author) commented:
That doesn't seem to work, plus the traffic is coming in to that interface correct?
0
lconnell (Author) commented:
Can you explain the traffic flow? I see any traffic coming into the interface from the Gig0/0 to the Vlan1 and anything out is Vlan1 to Gig0/0.

Am I seeing this incorrectly?
0

Don Johnston (Instructor) commented:
interface Vlan1
 ip address 199.199.199.1 255.255.252.0
 ip access-group acl-inbound in
 
ip access-list extended acl-inbound
 permit tcp 87.87.87.0 0.0.0.255 199.199.199.2 0.0.0.0 eq 80
 deny ip any any

What this config does is:

1) Any traffic entering the VLAN 1 interface (which means traffic on VLAN1 going to a different network) is subject to the ACL named "acl-inbound".
2) The first line of the ACL says: If it's coming from IP address 87.87.87.??? and it's going to 199.199.199.2, TCP port 80, then permit it.
3) If it doesn't match the first line, then the second line says: if it's using IP and it's coming from anywhere and going anywhere, deny it.

So the bottom line is that unless the traffic coming off VLAN1 is originating from the 87.87.87.0 network and going to 199.199.199.1, TCP port 80, it's not getting through.
0
lconnell (Author) commented:
Ok thank you. That makes sense now.

So if I want to block all hosts except for 87.87.87.5 to access host 199.199.199.2:80 on VLAN1 wouldn't I want to stop the traffic before it even reached that host, instead of blocking the traffic coming from 199.199.199.2?

Should I be applying an ACL on Gig0/0?

Can you give me an example and your recommendation, explanation?

Thanks a lot!
0
Don Johnston (Instructor) commented:
Where is the host 87.87.87.5 located and where is the host 199.199.199.2 located?
0
lconnell (Author) commented:
87.87.87.5 is a host on a completely different network. Say my home office.

199.199.199.2 is connected to VLAN1 at a Data Center.

(87.87.87.5 Client) -> (71.x.x.x Gig0/0) -> (199.199.199.1 VLAN1) -> (199.199.199.2 VLAN1)
0
Don Johnston (Instructor) commented:
There are four basic approaches to this type of task:

1) Stop the traffic from entering at the outside interface.
2) Stop the traffic from exiting the inside interface.
3) Stop the traffic from entering the inside interface.
4) Stop the traffic from exiting the outside interface.

Every one of these will work. The questions are: which one is the most efficient, and which one is easiest?

For example, if you go with approach 1, every single packet coming in off the internet will have to be checked. With approach 4, the traffic will have entered the network, gone through the router, hit the server, and gone through the router again before being discarded on its way out.

Personally, I would use approach 2.

access-list 101 permit tcp 87.87.87.5 0.0.0.0 199.199.199.2 0.0.0.0 eq 80
int vlan 1
 ip access-group 101 out

I didn't see an "ip nat inside" on the VLAN1 interface, but there is an "ip nat outside" on the Gig0/0 interface. Is this an omission?
0
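The direction semantics explained in the two answers above (what an ACL applied "in" on Vlan1 actually sees, and why approach 2 works) can be checked without a router. The following Python model is an added example, not code from the thread or from Cisco: it parses a subset of IOS extended-ACL syntax, pushes constructed packets through a two-interface router using the thread's addresses (87.87.87.5, 199.199.199.2, and the 199.199.196.0/22 block that the 255.255.252.0 mask on 199.199.199.1 implies), and reports per-entry hit counts. The packets, the second client 203.0.113.9, the VLAN host 199.199.199.3, the outside host 198.51.100.7, and the optional `established` entry are assumptions made for the demonstration.

```python
# Added example for this thread (not code from the post or from Cisco): a model of how IOS
# applies interface ACLs 'in' and 'out'.  Syntax handled: permit/deny; ip/tcp/udp;
# any | host A.B.C.D | A.B.C.D WILDCARD; eq PORT; established.
import ipaddress
from dataclasses import dataclass
from typing import Optional

def _net(tokens):
    """Consume one IOS address spec from the token list; return an IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))  # "don't care" bits, contiguous assumed
    return ipaddress.ip_network(f"{tok}/{32 - bin(wildcard).count('1')}", strict=False)

def _port(tokens):  # consume an optional 'eq PORT' qualifier
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool  # IOS: match only TCP segments with ACK or RST set
    hits: int = 0
    def matches(self, pkt):
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.sport in (None, pkt.get("sport")) and self.dport in (None, pkt.get("dport"))
                and (not self.established or pkt.get("ack", False)))

def parse_ace(line):
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    src, sport = _net(t), _port(t)
    dst, dport = _net(t), _port(t)
    return Ace(action, proto, src, sport, dst, dport, "established" in t)

class Acl:
    def __init__(self, lines):
        self.aces = [parse_ace(l) for l in lines]
    def evaluate(self, pkt):
        """First match wins; anything unmatched hits the implicit deny at the end."""
        for ace in self.aces:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action == "permit"
        return False

class Router:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]  # most specific first
        self.acls = {}  # (interface, "in" | "out") -> Acl, i.e. 'ip access-group'
    def forward(self, ingress, pkt):
        """'in' = entering the router on that interface, 'out' = leaving the router on it."""
        acl = self.acls.get((ingress, "in"))  # inbound ACL runs before the routing lookup
        if acl and not acl.evaluate(pkt):
            return f"dropped by {ingress} in"
        egress = next(i for n, i in self.routes if ipaddress.ip_address(pkt["dst"]) in n)
        acl = self.acls.get((egress, "out"))  # outbound ACL of the chosen egress interface
        if acl and not acl.evaluate(pkt):
            return f"dropped by {egress} out"
        return f"forwarded out {egress}"

# Thread topology; 255.255.252.0 on 199.199.199.1 makes Vlan1 the 199.199.196.0/22 block.
ROUTES = [("199.199.196.0/22", "Vlan1"), ("0.0.0.0/0", "Gig0/0")]
def tcp(src, sport, dst, dport, ack=False):  # constructed packets
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "ack": ack}

def original_config():
    """The posted config ('acl-inbound' in on Vlan1): fate of client SYN, server reply, hits."""
    acl = Acl(["permit tcp 87.87.87.0 0.0.0.255 199.199.199.2 0.0.0.0 eq 80", "deny ip any any"])
    r = Router(ROUTES)
    r.acls[("Vlan1", "in")] = acl
    client_syn = r.forward("Gig0/0", tcp("87.87.87.5", 51000, "199.199.199.2", 80))
    server_reply = r.forward("Vlan1", tcp("199.199.199.2", 80, "87.87.87.5", 51000, ack=True))
    return client_syn, server_reply, [a.hits for a in acl.aces]

def approach_two(with_established=False):
    """Accepted answer's approach 2 (ACL out on Vlan1); the 'established' entry is an added assumption."""
    lines = ["permit tcp host 87.87.87.5 host 199.199.199.2 eq 80"]
    if with_established:
        lines.append("permit tcp any 199.199.196.0 0.0.3.255 established")
    r = Router(ROUTES)
    r.acls[("Vlan1", "out")] = Acl(lines)
    return {  # 203.0.113.9, 199.199.199.3 and 198.51.100.7 are made-up hosts
        "client->web": r.forward("Gig0/0", tcp("87.87.87.5", 51000, "199.199.199.2", 80)),
        "other->web": r.forward("Gig0/0", tcp("203.0.113.9", 51000, "199.199.199.2", 80)),
        "web reply": r.forward("Vlan1", tcp("199.199.199.2", 80, "87.87.87.5", 51000, ack=True)),
        "reply to vlan host": r.forward("Gig0/0", tcp("198.51.100.7", 443, "199.199.199.3", 40000, ack=True)),
    }
```

Calling `original_config()` reproduces the symptom in the question: with the ACL applied "in" on Vlan1, the client's SYN is forwarded without any ACL seeing it, the permit entry stays at zero hits, and what gets dropped is the server's reply. `approach_two()` shows the placement from the accepted answer working for the web server, and also its cost: an outbound ACL on Vlan1 is stateless, so replies to connections that other VLAN1 hosts open toward the internet are dropped as well. `approach_two(with_established=True)` adds the classic IOS workaround, an `established` entry that matches TCP segments with ACK or RST set; that is a flag check, not connection tracking, so where the platform supports it a reflexive ACL or zone-based firewall is the better fix. On the router itself, `show ip access-lists 101` shows the same per-entry hit counts the model tracks.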

lconnell (Author) commented:
There is not a 'nat inside' on VLAN1. No NAT needs to happen; public IPs are being used.

The only inside nat is shown below, but that is for a different subnet.

interface GigabitEthernet0/1.3001
 description Route To SW1
 encapsulation dot1Q 3001
 ip address 172.31.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly

ip nat inside source list nat-outbound interface GigabitEthernet0/0 overload

ip access-list extended nat-outbound
 permit ip 172.31.x.x 0.0.0.255 any
0
lconnell (Author) commented:
That worked btw, thank you very much.  I just was looking at outside and inside backwards. I was seeing it as traffic going outside and traffic coming in, instead of traffic hitting the outside and traffic hitting the inside... if that makes sense :)
0
Routers

Question has a verified solution.