[c-nsp] Access List Problem

Bruce Pinsky bep at whack.org
Thu Oct 21 14:25:12 EDT 2004


Paul Stewart wrote:
| We are trying to filter traffic using a basic access list on an
| interface (6509 Catalyst Native IOS).
|
| Here's the interface config:
|
| interface FastEthernet4/41
|  description XXXXXXXXXXX
|  ip address XXXXXXXXXX 255.255.255.248
|  ip access-group 120 out
|  logging event link-status
|  logging event bundle-status
|  speed 100
|  duplex full
|  no cdp enable
|
| And the access list:
|
| access-list 120 permit tcp any any established
| access-list 120 permit tcp any host XXXXXXXXXX eq www
| access-list 120 permit tcp any host XXXXXXXXXX eq 1002
| access-list 120 permit tcp any host XXXXXXXXXX eq 3389
| access-list 120 permit tcp any host XXXXXXXXXX eq 443
| access-list 120 deny   ip any any log
|
|
| The traffic coming in from the Internet is filtered and only the 4 ports
| work fine.  No issues with that.
|
| Now, if I'm sitting on the server I can't surf or anything to the
| outside world... something we need to do...
|
| What am I missing here?  I've tried an access list 121 applied opposite
| that is "permit ip any any" but no difference...  I thought the
| "established" statement would look after my needs...??
|

What does the log show is being blocked?

--
=========
bep

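The following is an added illustration, not part of the thread and not code from either poster: a small model of how a Cisco numbered extended ACL is evaluated (first match wins, implicit deny at the end), run over the access list quoted above. The host address is a constructed placeholder for the masked `XXXXXXXXXX`, and the sample packets are constructed as well. The point it makes visible is that the `established` keyword is a stateless flag check (TCP segments with ACK or RST set), so any non-TCP return traffic toward the server, such as a UDP DNS reply, falls through to the final `deny ip any any log` line, which is exactly the sort of entry the question about the log is asking for.

```python
# Added example: a minimal model of Cisco extended ACL first-match evaluation,
# used to walk the ACL 120 quoted in the thread. Not code from the thread.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag set
    rst: bool = False     # TCP RST flag set


@dataclass(frozen=True)
class Rule:
    text: str             # original config line, for reporting
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", ...
    src: str              # "any" or a single host address
    dst: str
    dport: Optional[int] = None
    established: bool = False
    log: bool = False


def _parse_addr(tokens: List[str]) -> str:
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    if tokens[0] == "any":
        del tokens[0]
        return "any"
    if tokens[0] == "host":
        addr = tokens[1]
        del tokens[:2]
        return addr
    raise ValueError("only 'any' and 'host' addresses are modelled here")


def parse_acl(config: str) -> List[Rule]:
    """Parse 'access-list N permit|deny proto src dst [eq port] [established] [log]'."""
    rules = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport, established, log = None, False, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                p = rest.pop(0)
                dport = PORT_NAMES.get(p) or int(p)
            elif tok == "established":
                established = True
            elif tok == "log":
                log = True
        rules.append(Rule(line.strip(), action, proto, src, dst, dport, established, log))
    return rules


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    # 'established' is not connection tracking: it matches only TCP segments
    # carrying ACK or RST, so it never matches UDP or ICMP at all.
    if rule.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First match wins; every ACL ends with an implicit 'deny ip any any'."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return "deny", None


SERVER = "192.0.2.10"   # constructed placeholder for the masked host address
ACL_120 = f"""
access-list 120 permit tcp any any established
access-list 120 permit tcp any host {SERVER} eq www
access-list 120 permit tcp any host {SERVER} eq 1002
access-list 120 permit tcp any host {SERVER} eq 3389
access-list 120 permit tcp any host {SERVER} eq 443
access-list 120 deny   ip any any log
"""
RULES = parse_acl(ACL_120)

# Constructed sample traffic leaving Fa4/41 toward the server, the direction
# that 'ip access-group 120 out' filters.
SAMPLES = {
    "inbound web SYN": Packet("tcp", "203.0.113.7", SERVER, 40000, 80),
    "SYN/ACK reply to server's own web session":
        Packet("tcp", "203.0.113.7", SERVER, 80, 51000, ack=True),
    "DNS reply to the server": Packet("udp", "203.0.113.53", SERVER, 53, 33000),
    "ICMP echo reply": Packet("icmp", "203.0.113.7", SERVER),
}


def decisions() -> dict:
    """Map each sample packet name to the ACL action it receives."""
    return {name: evaluate(RULES, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, rule = evaluate(RULES, pkt)
        print(f"{action:6s} {name:42s} <- {rule.text if rule else 'implicit deny'}")
```

Running it shows the web SYN and the SYN/ACK reply permitted, while the DNS reply and the echo reply hit the logged deny; if the server resolves names through that interface, those are the denies to look for in the log before touching the ACL.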

