[c-nsp] Help with ACL Rule

Jay Hennigan jay at west.net
Sat May 19 14:24:17 EDT 2012


On 5/19/12 2:01 AM, Sam wrote:
> Guys
> 
> Tried this and I can't get it to work the way it should
> 
> What I need to do is block access to a server for all ports bar the ips on
> our network
> 
> Server = 101.31.7.11 
> 
> Our IPs = 101.97.214/23, 101.45.120/24 and external ip of say 210.11.23.12
> 
> Driving me insane!!!

If the server is the only host on the interface, it's relatively easy.

access-list 10 permit 101.97.214.0 0.0.1.255
access-list 10 permit 101.45.120.0 0.0.0.255
access-list 10 permit host 210.11.23.12

interface [server-out]
 ip access-group 10 out

If there are other hosts on the subnet in addition to the server that
are to receive all traffic, it gets a bit trickier.  Here we
specifically allow the traffic to the server from the desired networks,
then deny all other traffic to the server, then allow all other traffic
to the rest of the subnet.  Don't forget that there is an implicit (not
shown or configured) deny all rule at the end of the access list.

The access-list rules are processed in order.  The access-group on an
interface is applied in or out as seen by the interface.  You could
apply the lists "in" on all of the interfaces other than the one facing
the server or "out" on the one facing the server.

access-list 101 permit ip 101.97.214.0 0.0.1.255 any
access-list 101 permit ip 101.45.120.0 0.0.0.255 any
access-list 101 permit ip host 210.11.23.12 any
access-list 101 deny ip any host 101.31.7.11
access-list 101 permit ip any any

interface [server-out]
 ip access-group 101 out

> Can you apply more than 1 access-list to an interface
> 
> Access-list 101 in
> Access-list 102 in

Not in the same direction.  You can have one list controlling traffic
going into an interface and another one controlling traffic leaving the
interface.

> So I can share acl 102 on multiple interfaces

You can, if you want the identical policy to apply to multiple interfaces.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
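
The two lists above differ only in what happens to traffic for the server's neighbours, and that difference comes from first-match processing plus the implicit deny. The following Python is an added example (not code from Jay's post or from Cisco) that simulates IOS ACL matching: Cisco wildcard masks, first-match evaluation, and the trailing implicit deny. It uses Sam's addresses; the second host on the server's subnet (101.31.7.12), the untrusted source 198.51.100.7 and the sample packets are constructed assumptions for illustration.

```python
"""Simulate Cisco IOS ACL evaluation for access-list 10 and 101 from the post.

Added example, not code from the original message. SERVER is the address
from the post; OTHER_HOST and the packet list are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

SERVER = "101.31.7.11"
OTHER_HOST = "101.31.7.12"   # assumed second host on the server's subnet


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str = "any"     # standard (1-99) ACLs match the source only


def _parse(spec: str):
    """Turn an ACL address spec into (value, mask); mask bit 1 = must match.

    A Cisco wildcard is the inverse of a netmask: a 1 bit means "don't care".
    """
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0xFFFFFFFF
    addr, wildcard = parts
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & mask, mask


def matches(spec: str, ip: str) -> bool:
    value, mask = _parse(spec)
    return (int(ipaddress.IPv4Address(ip)) & mask) == value


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if matches(rule.src, src) and matches(rule.dst, dst):
            return rule.action
    return "deny"


def wildcard_for(prefix: str) -> str:
    """CIDR -> 'network wildcard', e.g. 101.97.214.0/23 -> '101.97.214.0 0.0.1.255'."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"


# access-list 10 from the post (standard: source only), applied "out" toward the server
ACL_10 = [
    Rule("permit", "101.97.214.0 0.0.1.255"),
    Rule("permit", "101.45.120.0 0.0.0.255"),
    Rule("permit", "host 210.11.23.12"),
]

# access-list 101 from the post (extended: source and destination)
ACL_101 = [
    Rule("permit", "101.97.214.0 0.0.1.255", "any"),
    Rule("permit", "101.45.120.0 0.0.0.255", "any"),
    Rule("permit", "host 210.11.23.12", "any"),
    Rule("deny", "any", f"host {SERVER}"),
    Rule("permit", "any", "any"),
]

# Same entries with the deny moved to the top: because the first match wins,
# the trusted networks never reach their permit lines.
ACL_101_MISORDERED = [ACL_101[3]] + ACL_101[:3] + [ACL_101[4]]


def policy_table():
    """Outcome of each list for a few constructed packets (src, dst)."""
    packets = [
        ("101.97.215.40", SERVER),     # inside the /23 (upper half of it)
        ("101.45.120.9", SERVER),      # inside the /24
        ("210.11.23.12", SERVER),      # the external host
        ("198.51.100.7", SERVER),      # untrusted source to the server
        ("198.51.100.7", OTHER_HOST),  # untrusted source to a neighbour
    ]
    return {p: (evaluate(ACL_10, *p), evaluate(ACL_101, *p)) for p in packets}


if __name__ == "__main__":
    print(wildcard_for("101.97.214.0/23"))
    for (src, dst), (r10, r101) in policy_table().items():
        print(f"{src:>14} -> {dst:<12} acl 10: {r10:<6} acl 101: {r101}")
```

The last row of the table is the point of the second list: with access-list 10 an outside host reaching 101.31.7.12 falls off the end of the list and is dropped by the implicit deny, while access-list 101 lets it through and only blocks the server. ACL_101_MISORDERED shows why entry order matters.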