[c-nsp] access list help

Deric Kwok deric.kwok2000 at gmail.com
Wed Feb 4 10:04:16 EST 2009


Hi Steve

Thank you.

I don't understand why I can access http://192.168.0.115 if this access-list
is valid?

My access list doesn't block www traffic to http://192.168.0.115,
but it blocks telnet / www to switch 192.168.0.118.

I also don't understand about "access-list 120 permit any any"

If I have a hundred access lists, do I have to put this "permit any any" at the
end of each of the hundred access-lists?

Thank you for your help

On Wed, Feb 4, 2009 at 9:10 AM, Steve Bertrand <steve at ibctech.ca> wrote:

> Deric Kwok wrote:
> > Hi All
> >
> > I am new in cisco and trying to config the access list in my switch
> >
> > My switch ip is 192.168.0.118
> >
> > I am trying to block the http traffic in the host 192.168.0.115
> >
> > When I do it, I can not access the switch!
> > But I can access http://192.168.0.115
> >
> > Can you help what is wrong?
> > Can you give me examples?
> >
>
> This rule states "deny tcp traffic from any host, to 192.168.0.115, port
> 80"
>
> > access-list 120 deny   tcp any host 192.168.0.115 eq www any log
>
> This rule states that you want to allow the rest of all traffic to .115
>
> > access-list 120 permit ip any host 192.168.0.115
>
> Now, by default, without any other rules, the switch denies ALL other
> traffic implicitly, including traffic destined to the management IP on
> the switch itself.
>
> To allow ALL other traffic to travel into, out of and to the switch, add:
>
> # access-list 120 permit any any
>
> ...which will allow ALL other traffic to and from all ports, to any IP
> address at any port.
>
> I'd recommend permitting what you want explicitly, and then
> deny-by-default, but the above will get you back up and going.
>
> > I also don't understand the access list only for deny 192.168.0.115.
> > Why does it block me on switch 192.168.0.118, but 192.168.0.115 is still
> fine?
>
> See above.
>
> Steve
>
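As an added illustration (not code from the thread or from Cisco), a small Python evaluator that applies the IOS rule Steve describes, first match wins and an implicit deny ends every list, to ACL 120 from this thread. The ACL lines are the thread's in standard IOS extended-ACL syntax, and the final entry assumes Steve's "permit any any" is the usual `permit ip any any`.

```python
SERVICE_PORTS = {"www": 80, "telnet": 23}   # IOS port keywords used in the thread

# ACL 120 as Deric configured it (constructed from the thread, standard syntax)
ACL_120 = [
    "access-list 120 deny tcp any host 192.168.0.115 eq www log",
    "access-list 120 permit ip any host 192.168.0.115",
]
# Steve's suggested final line (assumption: "permit any any" means "permit ip any any")
PERMIT_REST = "access-list 120 permit ip any any"


def parse_entry(line):
    """Return (action, proto, dst_host, dst_port) for one extended-ACL entry.

    dst_host None means "any"; dst_port None means "any port".
    Only source "any" is handled, which is all this thread uses.
    """
    tok = line.split()
    action, proto, i = tok[2], tok[3], 5          # tok[4] is the source "any"
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:                                          # destination "any"
        dst, i = None, i + 1
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = SERVICE_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, dst, port


def evaluate(acl, proto, dst_ip, dst_port):
    """Walk the ACL top-down and return (action, matching_entry).

    Evaluation stops at the first entry that matches; if none does, IOS
    applies the implicit "deny ip any any" that ends every access list.
    That implicit deny is what drops telnet/www to the switch's own
    address 192.168.0.118 until an explicit permit is added.
    """
    for line in acl:
        action, p, dst, port = parse_entry(line)
        if p not in ("ip", proto):
            continue
        if dst is not None and dst != dst_ip:
            continue
        if port is not None and port != dst_port:
            continue
        return action, line
    return "deny", "<implicit deny ip any any>"
```

Each IOS access list carries its own implicit deny, so the behaviour is per list; the evaluator also shows that placing `permit ip any any` above the deny would shadow it, which is why it belongs last.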

