[c-nsp] Access List Problem
pauls at nexicom.net
Sat Oct 23 09:30:42 EDT 2004
Thanks for the reply...
Everything we tried didn't work for some reason... ended up putting this
particular equipment in behind a small router in our network which ended
up working. When time permits I'll see if I can setup this arrangement
again and see what happens..:)
On Fri, 2004-10-22 at 03:15, Florian Prester wrote:
> Hi Paul,
> i don`t know if I understand your Problem:
> Is your interface FastEthernet 4/41 ?? on the side to the WWW?
> | -----------------------
> www -------| YOUR Router | --------- Your Net
> If the config is for the Interface to the www, then you have only
> defined an ACL for the outgoing direction,
> meaning your ACL 120 is filtering the traffic from the router to the www.
> If the interface is on the side to your network, you are filtering the
> traffic from the router to your network, but how do you manage the
> traffic from your network to the router and from the router to the www
> and back?
> The Point is:
> you defined an ACL on the router for an interface with outgoing direction.
> The outgoing direction on the interface is from the interface to the
> If I am right and did not missunderstand your config, you should apply
> the ACL on the incomming direction of the router-interface pointing to
> the www:
> this would allow:
> line 1: established traffic
> line 2: www from the internet to th IP XXXXXXXXXXXXXXXX (which i think
> is part of your network and should be reachable from the www (correct??))
> I don`t know 1002 and 3389 (sorry)
> line 5: https from the internet to your Webserver (IP: XXXXXXX)
> But what about UDP?
> good luck,
> Paul Stewart wrote:
> >We are trying to filter traffic using a basic access list on an
> >interface (6509 Catalyst Native IOS).
> >Here's the interface config:
> >interface FastEthernet4/41
> > description XXXXXXXXXXX
> > ip address XXXXXXXXXX 255.255.255.248
> > ip access-group 120 out
> > logging event link-status
> > logging event bundle-status
> > speed 100
> > duplex full
> > no cdp enable
> >And the access list:
> >access-list 120 permit tcp any any established
> >access-list 120 permit tcp any host XXXXXXXXXX eq www
> >access-list 120 permit tcp any host XXXXXXXXXX eq 1002
> >access-list 120 permit tcp any host XXXXXXXXXX eq 3389
> >access-list 120 permit tcp any host XXXXXXXXXX eq 443
> >access-list 120 deny ip any any log
> >The traffic coming in from the Internet is filtered and only the 4 ports
> >work fine. No issues with that.
> >Now, if I'm sitting on the server I can't surf or anything to the
> >outside world... something we need to do...
> >What am I missing here? I've tried an access list 121 applied opposite
> >that is "permit ip any any" but no difference... I thought the
> >"established" statement would look after my needs...??
> >cisco-nsp mailing list cisco-nsp at puck.nether.net
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp