port access

Hi,

If I want to open a port on a C837 and only allow certain IP addresses in, and only allow outgoing traffic through that port to certain IP addresses, can I do that with a standard ACL? I'm not familiar with extended ACLs, so if I can't use a standard ACL, could you point me in the right direction for using an extended one?

Thanks in advance

SW

S W

In article , S W wrote:
:If I want to open a port on a C837 and only allow certain IP addresses in,
:and only allow outgoing traffic through that port to certain IP addresses,
:can I do that with a standard ACL?

You would normally do that via two ACLs, one "in" the outside interface, and the other "in" the inside interface.

:I'm not familiar with extended ACLs, so if I can't use a standard ACL, could
:you point me in the right direction for using an extended one?

Something like...

! ACL 101: applied "in" on the outside interface (traffic arriving from the Internet)
access-list 101 permit tcp any host SERVER established
access-list 101 permit tcp host SRCCLIENT1 host SERVER eq PORTNO
access-list 101 permit tcp host SRCCLIENT2 host SERVER eq PORTNO

! ACL 102: applied "in" on the inside interface (traffic leaving the LAN)
access-list 102 permit tcp host SERVER any established
access-list 102 permit tcp host SERVER eq PORTNO host DSTCLIENT1
access-list 102 permit tcp host SERVER eq PORTNO host DSTCLIENT2

interface ATM0/1.1
 ip access-group 101 in

interface FastEthernet0
 ip access-group 102 in

But you won't be happy with the result, not unless you also allow appropriate DNS traffic and whatever web surfing and so on...

Walter Roberson
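Added worked example (not part of the original thread, and not Walter's or Cisco's code): a small Python evaluator for the two-ACL design sketched above. It parses a simplified subset of IOS numbered extended ACL syntax (tcp/udp/ip, any/host/wildcard, `eq PORT`, `established`) and runs constructed packets through ACL 101 (inbound on the outside interface) and ACL 102 (inbound on the inside interface). The addresses and port are assumptions standing in for SERVER, SRCCLIENT1/2 and PORTNO: server 192.0.2.10, clients 198.51.100.20 and .21, service port 8080, an outside resolver 203.0.113.53, all from the RFC 5737 documentation ranges. Two things are worth seeing before typing this into a C837: `established` is not stateful, it permits any TCP segment with ACK or RST set from anywhere to the server, and the implicit deny at the end of each list silently drops the server's own DNS lookups unless they are permitted explicitly, which is the point made in the reply above.

```python
"""Toy evaluator for a subset of IOS numbered extended ACL syntax (added example, not
code from the thread).  Addresses and port are assumptions from the RFC 5737 ranges,
standing in for the SERVER, SRCCLIENT1/2 and PORTNO placeholders in the reply above."""
from collections import namedtuple
from ipaddress import IPv4Address

SERVER, CLIENT1, CLIENT2 = "192.0.2.10", "198.51.100.20", "198.51.100.21"
STRANGER, RESOLVER, PORT = "198.51.100.99", "203.0.113.53", 8080

# 101 is applied "in" on the outside (ATM/dialer) interface, 102 "in" on Ethernet0.
CONFIG = f"""
access-list 101 permit tcp any host {SERVER} established
access-list 101 permit tcp host {CLIENT1} host {SERVER} eq {PORT}
access-list 101 permit tcp host {CLIENT2} host {SERVER} eq {PORT}
access-list 102 permit tcp host {SERVER} any established
access-list 102 permit tcp host {SERVER} eq {PORT} host {CLIENT1}
access-list 102 permit tcp host {SERVER} eq {PORT} host {CLIENT2}
"""
# The DNS allowance the reply says is still missing: one resolver only, both ways.
DNS_LINES = f"""
access-list 102 permit udp host {SERVER} host {RESOLVER} eq 53
access-list 101 permit udp host {RESOLVER} eq 53 host {SERVER}
"""

# A packet as the ACL sees it; ack means ACK or RST is set, which is all "established" tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
# One access-list entry; src/dst are (address, wildcard-mask) integer pairs.
Ace = namedtuple("Ace", "action proto src sport dst dport established text")

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(IPv4Address(tokens.pop(0))), 0)
    return (int(IPv4Address(t)), int(IPv4Address(tokens.pop(0))))

def _port(tokens):
    """Consume an optional 'eq PORT'; gt/lt/range are not modelled here."""
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acls(config):
    """Return {acl_number: [Ace, ...]} in configured order (order matters)."""
    acls = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue        # blank line, remark, standard ACL, or syntax not modelled
        num, action, proto, rest = int(tok[1]), tok[2], tok[3], tok[4:]
        src, sport = _addr(rest), _port(rest)   # evaluated left to right
        dst, dport = _addr(rest), _port(rest)
        acls.setdefault(num, []).append(
            Ace(action, proto, src, sport, dst, dport, rest[:1] == ["established"], line))
    return acls

def evaluate(aces, pkt):
    """First matching entry wins; running off the end is the implicit deny."""
    def match(spec, ip):    # bits set in the wildcard mask are ignored
        return (int(IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (match(ace.src, pkt.src) and match(ace.dst, pkt.dst)):
            continue
        if ace.sport not in (None, pkt.sport) or ace.dport not in (None, pkt.dport):
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of list"

def check_design():
    """Run constructed packets through both lists; returns {case: (action, why)}."""
    acls, fixed = parse_acls(CONFIG), parse_acls(CONFIG + DNS_LINES)
    return {
        # a listed client opens a connection (SYN, no ACK yet): line 2 of 101
        "client1_syn": evaluate(acls[101], Packet("tcp", CLIENT1, SERVER, 40000, PORT)),
        # an unlisted host tries the same: nothing matches, implicit deny
        "stranger_syn": evaluate(acls[101], Packet("tcp", STRANGER, SERVER, 40000, PORT)),
        # unlisted host, ACK set, any port: "established" is stateless, line 1 permits it
        "stranger_ack": evaluate(acls[101], Packet("tcp", STRANGER, SERVER, 40000, 22, ack=True)),
        # the server answers a client from the service port
        "server_reply": evaluate(acls[102], Packet("tcp", SERVER, CLIENT1, PORT, 40000, ack=True)),
        # the server's own DNS query: dropped by the implicit deny as posted...
        "server_dns": evaluate(acls[102], Packet("udp", SERVER, RESOLVER, 53000, 53)),
        # ...and permitted once the two DNS lines are added
        "server_dns_fixed": evaluate(fixed[102], Packet("udp", SERVER, RESOLVER, 53000, 53)),
    }

if __name__ == "__main__":
    for case, (action, why) in check_design().items():
        print(f"{case:17} {action:7} {why}")
```

Running it prints one verdict per case with the line that matched. The `stranger_ack` case is the one to dwell on: the first entry of 101 lets any ACK- or RST-flagged segment from any source reach any port on the server, because `established` only looks at TCP flags, never at whether a connection actually exists. That is the trade-off of this classic two-ACL pattern; if the IOS image on the router supports reflexive ACLs or the firewall feature set, those give real return-traffic matching. The DNS entries are written against a single resolver on purpose, rather than the common `permit udp any eq 53 host SERVER`, which would let anyone sourcing from port 53 through.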

OK, one on the dialer in, one on the e0 out

Maybe a dumb question, but will a "permit tcp" allow HTTP traffic?

So if I add these lines at the appropriate point in the existing standard acl, I should be fine, right?

Thanks a lot,

SW

S W

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.