[c-nsp] Access List Problem
Bruce Pinsky
bep at whack.org
Thu Oct 21 14:25:12 EDT 2004
Paul Stewart wrote:
| We are trying to filter traffic using a basic access list on an
| interface (6509 Catalyst Native IOS).
|
| Here's the interface config:
|
| interface FastEthernet4/41
| description XXXXXXXXXXX
| ip address XXXXXXXXXX 255.255.255.248
| ip access-group 120 out
| logging event link-status
| logging event bundle-status
| speed 100
| duplex full
| no cdp enable
|
| And the access list:
|
| access-list 120 permit tcp any any established
| access-list 120 permit tcp any host XXXXXXXXXX eq www
| access-list 120 permit tcp any host XXXXXXXXXX eq 1002
| access-list 120 permit tcp any host XXXXXXXXXX eq 3389
| access-list 120 permit tcp any host XXXXXXXXXX eq 443
| access-list 120 deny ip any any log
|
|
| The traffic coming in from the Internet is filtered and only the 4 ports
| work fine. No issues with that.
|
| Now, if I'm sitting on the server I can't surf or anything to the
| outside world... something we need to do...
|
| What am I missing here? I've tried an access list 121 applied opposite
| that is "permit ip any any" but no difference... I thought the
| "established" statement would look after my needs...??
|
What does the log show is being blocked?
--
=========
bep
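The question Bruce asks, what the `deny ip any any log` line is actually catching, can be reasoned through by walking packets past the ACL in IOS order, first match wins. The evaluator below is an added example for this thread, not code from either poster or from Cisco. It encodes access-list 120 exactly as Paul quoted it, applied `out` on the server-facing interface, so it sees only traffic travelling from the router toward the server. The server address and all peer addresses are assumed placeholders standing in for the XXXXXXXXXX values in the post, and every packet is constructed sample traffic, not a capture. Inbound client connections to the four permitted ports and TCP replies to server-initiated connections (which carry ACK and so match `established`) are shown alongside UDP and ICMP return traffic, which no line in the ACL permits and which would therefore be the kind of entry to look for in the log; whether that is what Paul's log showed is not stated in the thread.

```python
"""Walk constructed packets through access-list 120 as posted, IOS-style first match.

Added example for the thread above; not from the original post or from Cisco.
Addresses are assumed placeholders (RFC 5737 documentation ranges) for the
anonymised XXXXXXXXXX values, and the packets are constructed, not captured.
"""
from dataclasses import dataclass

SERVER = "192.0.2.10"  # assumed placeholder for the XXXXXXXXXX host address


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination port, 0 for icmp
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag


# access-list 120 exactly as posted, applied "out" on FastEthernet4/41,
# i.e. evaluated on packets leaving the router toward the server.
# Each entry: (action, protocol, destination host or None for "any",
#              destination port or None for "any", established keyword)
ACL_120 = [
    ("permit", "tcp", None, None, True),      # permit tcp any any established
    ("permit", "tcp", SERVER, 80, False),     # permit tcp any host X eq www
    ("permit", "tcp", SERVER, 1002, False),   # permit tcp any host X eq 1002
    ("permit", "tcp", SERVER, 3389, False),   # permit tcp any host X eq 3389
    ("permit", "tcp", SERVER, 443, False),    # permit tcp any host X eq 443
    ("deny", "ip", None, None, False),        # deny ip any any log
]


def entry_matches(entry, pkt):
    action, proto, dst, dport, established = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if dst is not None and pkt.dst != dst:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    # IOS "established" matches TCP segments with the ACK or RST bit set,
    # i.e. anything except the initial SYN of a new connection.
    if established and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, 1-based line number) of the first matching entry.

    Falls through to ("deny", 0) for the implicit deny at the end of every
    IOS ACL; with the explicit "deny ip any any log" present, line 6 is hit
    instead and the drop is logged.
    """
    for lineno, entry in enumerate(acl, start=1):
        if entry_matches(entry, pkt):
            return entry[0], lineno
    return "deny", 0


# Constructed packets, all in the direction ACL 120 filters (toward the server).
SAMPLES = {
    # Internet client opening HTTPS to the server: SYN without ACK, matched by line 5.
    "inbound https syn": Packet("tcp", "198.51.100.7", SERVER, 443),
    # Internet client probing SSH: no permit line covers port 22, so it is logged and dropped.
    "inbound ssh syn": Packet("tcp", "198.51.100.7", SERVER, 22),
    # SYN/ACK coming back for a web request the server itself made: "established" permits it.
    "return syn/ack from remote web": Packet("tcp", "203.0.113.80", SERVER, 51512, ack=True),
    # UDP reply from a resolver to the server's own DNS lookup: no UDP permit, so line 6 logs it.
    "return dns reply": Packet("udp", "203.0.113.53", SERVER, 51513),
    # Echo reply to a ping from the server: no ICMP permit either.
    "return icmp echo-reply": Packet("icmp", "203.0.113.1", SERVER),
}


def evaluate_all(acl=ACL_120, samples=SAMPLES):
    """Evaluate every sample packet; returns {name: (action, line)}."""
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, line) in evaluate_all().items():
        where = f"line {line}" if line else "implicit deny"
        print(f"{name:32s} -> {action} ({where})")
```

Run stand-alone, the script prints one line per sample packet with the ACL line that decided its fate; anything landing on line 6 is what `log` would report on the console or syslog, which is the quickest way to confirm which server-initiated protocols the `established` line does not cover.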