[f-nsp] Basic ACL question
David Miller
dmiller at metheus.org
Thu Jul 14 16:51:50 EDT 2011
I have a ServerIron 4G doing NATing and load balancing. It's a pretty
typical configuration, I think.
The WAN port for the router is configured like so:
interface ve 66
 ip access-group access_group_1 in
 ip address 1.2.3.5 255.255.255.0
 ip nat outside
 ip vrrp-extended vrid 66
  backup
  advertise backup
  ip-address 1.2.3.7
  vip-group 1
  vrid-group 1
The ACL looks like this:
ip access-list extended access_group_1
 permit tcp any host 1.2.3.12 eq http
 [...]
 deny ip any any
1.2.3.12 is a virtual host with a real address. A real host, 192.168.1.12,
is bound to the virtual host on http.
I'm trying to limit access on the port to a particular network, but
nothing in that access control list seems to affect access. Deleting
the permit doesn't block access through this port; neither does adding a
specific deny entry.
I'm missing something basic here. Does binding a real server to a
virtual automatically permit access on that port? Is the ACL not
properly set up on the interface?
Pointers welcome,
--- David