CCNA Access Control Lists

Edmondo83 Registered Users Posts: 7
Hi All,

I am in need of some help regarding ACL's.

Say I have a webserver address 192.168.15.3 and another network with 3 PCs ranging 172.16.15.2 - 172.16.15.5. I want to create an ACL that only allows 172.16.15.2 to connect to the webserver using HTTP and blocks all the other machines' access.

At present I can create a list where 172.16.15.2 is the only machine that can access HTTP, but this also blocks all other access to the 192 network, i.e. ping, telnet etc. Below is my list that does this:
access-list 101 permit tcp 172.16.15.2 0.0.0.0 192.168.15.3 0.0.0.0 eq 80

How can I allow all other traffic while blocking HTTP from all but 172.16.15.2 of the 172 range?

Many thanks

Comments

  • Chris_ Member Posts: 326
    There is an implicit deny at the end of an access list, to counter this you would need to add 'permit ip any any' to the end of your list.
    Going all out for Voice. Don't worry Data; I'll never forget you
    :study: CVoice [X] CIPT 1 [ ] CIPT 2 [ ] CAPPS [ ] TVOICE [ ]
  • Nate--IRL-- Member Posts: 103
    Rather than permit 172.16.15.2, try denying 172.16.15.3 - 172.16.15.5?

    Nate
  • Edmondo83 Registered Users Posts: 7
    Hello,

    Chris, your solution seems to allow access for all 172 addresses to HTTP, IP, TCP etc. for the webserver on the 192 range? So my list now looks like:
    access-list 101 permit tcp 172.16.15.2 0.0.0.0 192.168.15.3 0.0.0.0 eq 80
    access-list 101 permit ip any any
    Then I apply it to the fa 0/0 int of the 172 range router as below:
    ip access-group 101 in
    Am I doing that correctly?

    Thanks
  • Chris_ Member Posts: 326
    Sorry I read the question wrong, you need to explicitly deny everything that needs to be blocked and then permit all after that.
  • Edmondo83 Registered Users Posts: 7
    Hi Chris,

    I have managed to get it working as follows:
    access-list 101 permit tcp host 172.16.15.4 host 192.168.15.7 eq www
    access-list 101 deny tcp any host 192.168.15.7 eq www
    access-list 101 permit ip any any

    Many thanks for your help!
  • Chris_ Member Posts: 326
    No problem, sorry I gave you the wrong answer at first - 5 screaming kids round me as I read it!!
  • Bolton07 Member Posts: 87
    Is the www the same as Port 80 and HTTP?
  • Aman_saini Member Posts: 62
    Bolton07 wrote:
    Is the www the same as Port 80 and HTTP?
    Yes, they have the same meaning.
  • Edmondo83 Registered Users Posts: 7
    Does anyone know how to allow a ping from one machine but block all other pings on that network?

    Similar to the above request:
    access-list 101 permit icmp host 172.16.15.4 host 192.168.15.7 eq echo-reply
    access-list 101 deny tcp any host 192.168.15.7 echo reply
    access-list 101 permit ip any any

    I think the ip in the 3rd line allows pings to be sent again? But if I don't permit this, how would I allow all other traffic to be sent?

    Thanks
  • toshinden5 Member Posts: 24
    Edmondo83 wrote:
    Does anyone know how to allow a ping from one machine but block all other pings on that network?

    As with all access list rules, it will run from top to bottom and there is an implicit deny at the very bottom. So if you want to allow ping from one machine you would do the following:

    access-list 101 permit icmp host 172.16.15.4 host 192.168.15.7 eq echo-reply
    access-list 101 deny icmp any host 192.168.15.7 echo reply
    access-list 101 permit ip any any

    This will disable all pings to the specific server except for the one host that needs to ping.
  • Edmondo83 Registered Users Posts: 7
    Hi, thanks for your reply. This sadly does not seem to work; I can still ping from other 172 machines to the 192 network using this ACL.
  • michaelcox Member Posts: 105
    Edmondo83 wrote:
    Hi, thanks for your reply. This sadly does not seem to work; I can still ping from other 172 machines to the 192 network using this ACL.

    Which interface did you apply it on? Inbound or outbound?

    Courses Completed at WGU ( 8 ):
    Term 1 (April 2011): EWB2, WSV1, BRV1, BSV1 | Term 2 (October 2011): LET1, ORC1 | Term 3 (April 2012): MGC1, TPV1
    Courses Required Graduate WGU with BS - IT: SEC ( 8 ):
    BOV1, KET1, WDV1, KFT1, ABV1, TWA1, BLV1, CPW4
  • Zartanasaurus Member Posts: 2,008
    You don't want to block echo-reply; you want to block echo. Echo-reply is the reply to the ping request.

    So you'd want to:
    permit icmp source destination echo
    deny icmp any any echo

    Apply to interface attached to the sources of the pings in the inbound direction.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5 42.8%
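A small first-match evaluator for the kind of extended ACL discussed in this thread, added here as an example (it is not code from the thread or from Cisco). It assumes contiguous wildcard masks and only the keywords that appear above, and it shows the three points made in the replies: the question's original one-line list drops ping and telnet because of the implicit deny, the final list needs its deny entry before `permit ip any any`, and an entry matching `echo-reply` does not stop a ping request arriving inbound from the 172 side, while one matching `echo` does.

```python
import ipaddress
PORT_NAMES = {"www": 80, "telnet": 23}      # port keywords used on this page
ICMP_TYPES = {"echo": 8, "echo-reply": 0}   # ICMP type keywords used on this page

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' (contiguous wildcard assumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))  # wildcard = inverted mask
    net = ipaddress.ip_network(f"{tokens[0]}/{ipaddress.ip_address(mask)}", strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src dst [eq port | icmp-type]' lines, in order."""
    entries = []
    for t in (line.split() for line in text.splitlines() if line.startswith("access-list")):
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        dport = icmp_type = None
        if rest[:1] == ["eq"]:                  # tcp/udp destination port
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif rest:                              # icmp type keyword
            icmp_type = ICMP_TYPES[rest[0]]
        entries.append((t[2], t[3], src, dst, dport, icmp_type))
    return entries

def evaluate(entries, src, dst, proto, dport=None, icmp_type=None):
    """Top-down, first match wins; no match means the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, edport, etype in entries:
        if eproto not in ("ip", proto) or s not in esrc or d not in edst:
            continue
        if edport not in (None, dport) or etype not in (None, icmp_type):
            continue
        return action
    return "deny"

# Constructed list: the thread's final HTTP entries plus ICMP entries keyed on 'echo', as advised.
ACL_101 = parse_acl("""
access-list 101 permit tcp host 172.16.15.4 host 192.168.15.7 eq www
access-list 101 deny tcp any host 192.168.15.7 eq www
access-list 101 permit icmp host 172.16.15.4 host 192.168.15.7 echo
access-list 101 deny icmp any host 192.168.15.7 echo
access-list 101 permit ip any any
""")
# The question's original single entry: every other flow falls through to the implicit deny.
ACL_ORIGINAL = parse_acl("access-list 101 permit tcp 172.16.15.2 0.0.0.0 192.168.15.3 0.0.0.0 eq 80")
```

Evaluate it as if applied with `ip access-group 101 in` on the interface facing the 172 network, so packets are checked as they arrive from the PCs.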