[c-nsp] Access List Problem

Paul Stewart pauls at nexicom.net
Sat Oct 23 09:30:42 EDT 2004


Thanks for the reply...

Everything we tried didn't work for some reason... ended up putting this
particular equipment in behind a small router in our network which ended
up working.  When time permits I'll see if I can set up this arrangement
again and see what happens..:)

Paul


On Fri, 2004-10-22 at 03:15, Florian Prester wrote:
> Hi Paul,
> 
> I don't know if I understand your problem:
> 
> 
>     Is your interface FastEthernet 4/41 ?? on the side to the WWW?
>              |
>              |    -----------------------
> www -------| YOUR Router | --------- Your Net
>                   -----------------------
> 
> If the config is for the Interface to the www, then you have only 
> defined an ACL for the outgoing direction,
> meaning your ACL 120 is filtering the traffic from the  router to the www.
> If the interface is on the side to your network, you are filtering the 
> traffic from the router to your network, but how do you manage the 
> traffic from your network to the router and from the router to the www 
> and back?
> 
> The point is:
> you defined an ACL on the router for an interface with outgoing direction.
> The outgoing direction on the interface is from the interface to the 
> network!!
> 
> If I am right and did not misunderstand your config, you should apply 
> the ACL on the incoming direction of the router-interface pointing to 
> the www:
>     this would allow:
> 
> line 1:  established traffic
> line 2:  www from the internet to the IP XXXXXXXXXXXXXXXX (which I think 
> is part of your network and should be reachable from the www (correct??))
> 
> I don't know 1002 and 3389 (sorry)
> 
> line 5: https from the internet to your Webserver (IP: XXXXXXX)
> 
> But what about UDP?
> 
> good luck,
> florian
> 
> 
> Paul Stewart wrote:
> 
> >We are trying to filter traffic using a basic access list on an
> >interface (6509 Catalyst Native IOS).
> >
> >Here's the interface config:
> >
> >interface FastEthernet4/41
> > description XXXXXXXXXXX
> > ip address XXXXXXXXXX 255.255.255.248
> > ip access-group 120 out
> > logging event link-status
> > logging event bundle-status
> > speed 100
> > duplex full
> > no cdp enable
> >
> >And the access list:
> >
> >access-list 120 permit tcp any any established
> >access-list 120 permit tcp any host XXXXXXXXXX eq www
> >access-list 120 permit tcp any host XXXXXXXXXX eq 1002
> >access-list 120 permit tcp any host XXXXXXXXXX eq 3389
> >access-list 120 permit tcp any host XXXXXXXXXX eq 443
> >access-list 120 deny   ip any any log
> >
> >
> >The traffic coming in from the Internet is filtered and only the 4 ports
> >work fine.  No issues with that.
> >
> >Now, if I'm sitting on the server I can't surf or anything to the
> >outside world... something we need to do...
> >
> >What am I missing here?  I've tried an access list 121 applied opposite
> >that is "permit ip any any" but no difference...  I thought the
> >"established" statement would look after my needs...??
> >
> >Thanks,
> >
> >Paul
> >
> >
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
> >  
> >
> 



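Added example, not from the thread or from either poster: a small Python model of first-match ACL evaluation applied to access-list 120 as posted (the masked server address is replaced by a constructed documentation-range placeholder). It shows why TCP replies to the server's own connections pass via `established` while a UDP reply, the case Florian raises, falls through to the final deny.

```python
# Added example (not from the thread): a minimal model of how Cisco IOS
# evaluates an extended ACL such as access-list 120 from Paul's post.
# Rules are matched top-down; the first match wins; no match means deny.
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    dst: str                   # destination IP address
    dport: int                 # destination port
    established: bool = False  # TCP ACK or RST bit set (what 'established' checks)


# access-list 120 as posted; the masked host is a constructed placeholder
# (198.51.100.10 is documentation address space, not a real host).
SERVER = "198.51.100.10"
ACL_120 = [
    ("permit", "tcp", "any", None, "established"),
    ("permit", "tcp", SERVER, 80, None),    # eq www
    ("permit", "tcp", SERVER, 1002, None),
    ("permit", "tcp", SERVER, 3389, None),
    ("permit", "tcp", SERVER, 443, None),
    ("deny", "ip", "any", None, None),      # explicit 'deny ip any any log'
]


def matches(rule, pkt):
    """True if one access-list entry matches the packet."""
    action, proto, host, port, flag = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if host != "any" and host != pkt.dst:
        return False
    if port is not None and port != pkt.dport:
        return False
    if flag == "established" and not pkt.established:
        return False
    return True


def evaluate(acl, pkt):
    """Return the action of the first matching entry ('deny' if none match)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule[0]
    return "deny"  # implicit deny at the end of every IOS ACL


# Packets in the direction ACL 120 filters (router -> the server's interface).
def inbound_https():               # new connection from the Internet to port 443
    return evaluate(ACL_120, Packet("tcp", SERVER, 443))

def reply_to_server_web_fetch():   # SYN/ACK back to the server's own browsing
    return evaluate(ACL_120, Packet("tcp", SERVER, 40123, established=True))

def dns_answer_to_server():        # UDP reply to the server's DNS query: no UDP entry
    return evaluate(ACL_120, Packet("udp", SERVER, 40124))
```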