ACL problems


I have a Cisco 837 which is the default gateway on the LAN, and also the router with a couple of static routes set. I am using a Proxy server on the LAN for monitoring Internet access, and to force clients to use the proxy I've been using a standard ACL on the Ethernet interface of the 837, to deny any ip addresses except the proxy server and a few others. I've come to the conlusion that the ACL should be on the dialer interface, because clients on the LAN which are restricted by the ACL don't seem able to "recognise" the static routes. Clients which are permitted through the ethernet interface can. So because I want all clients to see the route I think I need to set up the ACL for Internet access on the dialer interface. Am I right so far? Can I just take the ACL off the ethernet "in" interface and apply it to the "out" interface of the dialer? The "in" interface of the dialer has an extended ACL. I've tried putting statements like the following in that but it doesn't work:

100 permit tcp host (Proxy IP) any eq www 105 permit tcp host (Another server IP) any eq www 110 deny tcp any any eq www 150 deny ip any any

That allows all traffic through. There's a whole lot more in this extended ACL that I don't really understand, hence my question about applying the ACL to the "out" interface which currently does not have an ACL. If I need to use the extended ACL on the "in" interface, where am I going wrong?

Best Regards,


Reply to
Loading thread data ...

Hi SW,

You can only apply 1 ACL per protocol, per interface, per direction. The way I read you situation, you could actually bound all those ACEs to the one ACL anyway. Eg.

100 permit tcp host (Proxy IP) any eq www 100 permit tcp host (Another server IP) any eq www

(there is an explicit deny on the end of every ACL so you dont need to enter it)

Then apply them to the dialer interface for outbound traffic with if)#access-group 100 out


Reply to

Hi Scotty,

Apologies but I think I caused some confusion with my numbers. I was intending to show line numbers in the ACL, not ACL names/numbers. I realise that you can only have one ACL per interface. Since I posted the original question, I've realised that I need to consider traffic that comes into our webserver from the Internet. If I generally deny www traffic, our website's not going to work! Is there a way to deny traffic with an IP address range on an extended acl?

Thanks in advance SW

Reply to
S W Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.