[c-nsp] Access List Problem

Florian Prester Florian.Prester at rrze.uni-erlangen.de
Fri Oct 22 03:15:21 EDT 2004


Hi Paul,

I don't know if I understand your problem:


    Is your interface FastEthernet 4/41 ?? on the side to the WWW?
             |
             |    ---------------
www ---------|----| YOUR Router |----------- Your Net
                  ---------------

If the config is for the interface to the www, then you have only 
defined an ACL for the outgoing direction,
meaning your ACL 120 is filtering the traffic from the router to the www.
If the interface is on the side to your network, you are filtering the 
traffic from the router to your network, but how do you manage the 
traffic from your network to the router and from the router to the www 
and back?

The point is:
you defined an ACL on the router for an interface with outgoing direction.
The outgoing direction on the interface is from the interface to the 
network!!

If I am right and did not misunderstand your config, you should apply 
the ACL on the incoming direction of the router-interface pointing to 
the www:
    This would allow:

line 1:  established traffic
line 2:  www from the internet to the IP XXXXXXXXXXXXXXXX (which I think 
is part of your network and should be reachable from the www (correct??))

I don't know 1002 and 3389 (sorry)

line 5: https from the internet to your Webserver (IP: XXXXXXX)

But what about UDP?

good luck,
florian


Paul Stewart wrote:

>We are trying to filter traffic using a basic access list on an
>interface (6509 Catalyst Native IOS).
>
>Here's the interface config:
>
>interface FastEthernet4/41
> description XXXXXXXXXXX
> ip address XXXXXXXXXX 255.255.255.248
> ip access-group 120 out
> logging event link-status
> logging event bundle-status
> speed 100
> duplex full
> no cdp enable
>
>And the access list:
>
>access-list 120 permit tcp any any established
>access-list 120 permit tcp any host XXXXXXXXXX eq www
>access-list 120 permit tcp any host XXXXXXXXXX eq 1002
>access-list 120 permit tcp any host XXXXXXXXXX eq 3389
>access-list 120 permit tcp any host XXXXXXXXXX eq 443
>access-list 120 deny   ip any any log
>
>
>The traffic coming in from the Internet is filtered and only the 4 ports
>work fine.  No issues with that.
>
>Now, if I'm sitting on the server I can't surf or anything to the
>outside world... something we need to do...
>
>What am I missing here?  I've tried an access list 121 applied opposite
>that is "permit ip any any" but no difference...  I thought the
>"established" statement would look after my needs...??
>
>Thanks,
>
>Paul
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
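To make the direction and "established" behaviour discussed in the thread concrete, here is an added example (not IOS code and not from either poster): a small Python model of extended-ACL evaluation that traces ACL 120 from the post. It assumes first-match semantics with an implicit deny at the end, that `established` matches TCP segments with the ACK or RST bit set, that an ACL bound with `out` sees only packets leaving the router through that interface, and that the interface faces the server side; the host addresses are constructed stand-ins for the masked ones.

```python
# Added model of IOS extended-ACL evaluation (assumed semantics, see lead-in);
# it traces the thread's ACL 120 against a few constructed packets.
from dataclasses import dataclass
SERVER = "192.0.2.10"  # constructed stand-in for the masked host address

# (action, protocol, destination host or None for any, port or None for any, established)
ACL_120 = [
    ("permit", "tcp", None,   None, True),
    ("permit", "tcp", SERVER, 80,   False),
    ("permit", "tcp", SERVER, 1002, False),
    ("permit", "tcp", SERVER, 3389, False),
    ("permit", "tcp", SERVER, 443,  False),
    ("deny",   "ip",  None,   None, False),  # the explicit "deny ip any any log"
]

@dataclass
class Packet:
    proto: str
    dst: str
    dport: int
    ack: bool = False  # ACK/RST bit; only meaningful for TCP

def acl_verdict(acl, pkt):
    """Top-down, first match decides; falling off the end is the implicit deny."""
    for action, proto, dst, dport, established in acl:
        proto_ok = proto == "ip" or proto == pkt.proto
        dst_ok = dst is None or dst == pkt.dst
        port_ok = dport is None or dport == pkt.dport
        est_ok = not established or (pkt.proto == "tcp" and pkt.ack)
        if proto_ok and dst_ok and port_ok and est_ok:
            return action
    return "deny"

def interface_verdict(pkt, direction, acl_in=None, acl_out=None):
    """Only the ACL bound to the packet's own direction is consulted."""
    acl = acl_in if direction == "in" else acl_out
    return "permit" if acl is None else acl_verdict(acl, pkt)

def trace_flows():
    """Constructed packets crossing an interface that has ACL 120 applied 'out'."""
    return {
        # new HTTP connection from the Internet, leaving the router toward the server
        "inbound_http": interface_verdict(Packet("tcp", SERVER, 80), "out", acl_out=ACL_120),
        # SYN the server sends to a web site: enters the interface, where no ACL is bound
        "server_syn": interface_verdict(Packet("tcp", "198.51.100.7", 80), "in", acl_out=ACL_120),
        # SYN/ACK coming back to the server: ACK bit set, so "established" matches
        "web_reply": interface_verdict(Packet("tcp", SERVER, 51000, ack=True), "out", acl_out=ACL_120),
        # UDP DNS answer coming back to the server: no TCP entry fits, so it hits the deny
        "dns_reply": interface_verdict(Packet("udp", SERVER, 53000), "out", acl_out=ACL_120),
    }
```

Running `trace_flows()` shows the TCP return traffic passing on the `established` entry while the UDP reply falls through to the deny, which is the UDP question Florian raises.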


