ACL problems

Discussion in 'Cisco' started by S W, Jun 15, 2007.

  1. S W

    S W Guest

    Hi,

    I have a Cisco 837 which is the default gateway on the LAN, and also the
    router with a couple of static routes set.
    I am using a Proxy server on the LAN for monitoring Internet access, and to
    force clients to use the proxy I've been using a standard ACL on the
    Ethernet interface of the 837, to deny any ip addresses except the proxy
    server and a few others. I've come to the conclusion that the ACL should be
    on the dialer interface, because clients on the LAN which are restricted by
    the ACL don't seem able to "recognise" the static routes. Clients which are
    permitted through the ethernet interface can. So because I want all clients
    to see the route I think I need to set up the ACL for Internet access on the
    dialer interface.
    Am I right so far?
    Can I just take the ACL off the ethernet "in" interface and apply it to the
    "out" interface of the dialer? The "in" interface of the dialer has an
    extended ACL. I've tried putting statements like the following in that but
    it doesn't work:

    100 permit tcp host (Proxy IP) any eq www
    105 permit tcp host (Another server IP) any eq www
    110 deny tcp any any eq www
    150 deny ip any any

    That allows all traffic through.
    There's a whole lot more in this extended ACL that I don't really
    understand, hence my question about applying the ACL to the "out" interface
    which currently does not have an ACL.
    If I need to use the extended ACL on the "in" interface, where am I going
    wrong?

    Best Regards,

    SW
    S W, Jun 15, 2007
    #1

  2. ScottyC

    ScottyC Guest

    On 15 Jun, 09:40, "S W" <> wrote:
    > Hi,
    >
    > I have a Cisco 837 which is the default gateway on the LAN, and also the
    > router with a couple of static routes set.
    > I am using a Proxy server on the LAN for monitoring Internet access, and to
    > force clients to use the proxy I've been using a standard ACL on the
    > Ethernet interface of the 837, to deny any ip addresses except the proxy
    > server and a few others. I've come to the conclusion that the ACL should be
    > on the dialer interface, because clients on the LAN which are restricted by
    > the ACL don't seem able to "recognise" the static routes. Clients which are
    > permitted through the ethernet interface can. So because I want all clients
    > to see the route I think I need to set up the ACL for Internet access on the
    > dialer interface.
    > Am I right so far?
    > Can I just take the ACL off the ethernet "in" interface and apply it to the
    > "out" interface of the dialer? The "in" interface of the dialer has an
    > extended ACL. I've tried putting statements like the following in that but
    > it doesn't work:
    >
    > 100 permit tcp host (Proxy IP) any eq www
    > 105 permit tcp host (Another server IP) any eq www
    > 110 deny tcp any any eq www
    > 150 deny ip any any
    >
    > That allows all traffic through.
    > There's a whole lot more in this extended ACL that I don't really
    > understand, hence my question about applying the ACL to the "out" interface
    > which currently does not have an ACL.
    > If I need to use the extended ACL on the "in" interface, where am I going
    > wrong?
    >
    > Best Regards,
    >
    > SW


    Hi SW,

    You can only apply 1 ACL per protocol, per interface, per direction.
    The way I read your situation, you could actually bind all those ACEs
    to the one ACL anyway. E.g.

    access-list 100 permit tcp host (Proxy IP) any eq www
    access-list 100 permit tcp host (Another server IP) any eq www

    (there is an explicit deny on the end of every ACL so you don't need to
    enter it)

    Then apply them to the dialer interface for outbound traffic with
    (config-if)# ip access-group 100 out

    Cheers
    ScottyC, Jun 15, 2007
    #2

  3. S W

    S W Guest

    "ScottyC" <> wrote in message
    news:...
    > On 15 Jun, 09:40, "S W" <> wrote:


    <snip>

    >
    > Hi SW,
    >
    > You can only apply 1 ACL per protocol, per interface, per direction.
    > The way I read your situation, you could actually bind all those ACEs
    > to the one ACL anyway. E.g.
    >
    > access-list 100 permit tcp host (Proxy IP) any eq www
    > access-list 100 permit tcp host (Another server IP) any eq www
    >
    > (there is an explicit deny on the end of every ACL so you don't need to
    > enter it)
    >
    > Then apply them to the dialer interface for outbound traffic with
    > (config-if)# ip access-group 100 out
    >
    > Cheers
    >


    Hi Scotty,

    Apologies but I think I caused some confusion with my numbers. I was
    intending to show line numbers in the ACL, not ACL names/numbers.
    I realise that you can only have one ACL per interface.
    Since I posted the original question, I've realised that I need to consider
    traffic that comes into our webserver from the Internet.
    If I generally deny www traffic, our website's not going to work!
    Is there a way to deny traffic with an IP address range on an extended acl?

    Thanks in advance
    SW
    S W, Jun 15, 2007
    #3
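The three ACL placements discussed in this thread, checked against a small Python model of how IOS processes an ACL: first matching entry wins, every ACL ends with an implicit deny, one ACL per interface and direction, and an ACL only ever sees packets that actually pass through its interface. This is an added example, not configuration from the original posts. The LAN addresses (192.168.1.x), the 10.10.0.0/16 static-route subnet, 198.51.100.7 as an Internet host, the interface names Ethernet0 and Dialer1, and the route table are all assumptions made for the example. It covers the outbound-on-Dialer1 ACL suggested in the reply, the web server's return traffic raised in the follow-up, and a wildcard-mask answer to the address-range question; it does not model NAT or any of the other entries in the existing inbound ACL.

```python
"""Model of how Cisco IOS evaluates an ACL, to check a design before deploying it:
first matching ACE wins, every ACL ends with an implicit 'deny ip any any', and an
ACL only sees packets that actually enter (in) or leave (out) its interface.
Addresses, interface names and routes are constructed for this example."""
import ipaddress

ANY = (0, 0xFFFFFFFF)   # address spec = (base, wildcard); a wildcard bit of 1 means don't care
def ip(s): return int(ipaddress.ip_address(s))

def _addr(t):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if t[0] == "any":
        return ANY, t[1:]
    if t[0] == "host":
        return (ip(t[1]), 0), t[2:]
    return (ip(t[0]), ip(t[1])), t[2:]

def _port(t):
    if t and t[0] == "eq":      # optional 'eq PORT' qualifier; only the 'www' keyword is mapped
        return (80 if t[1] == "www" else int(t[1])), t[2:]
    return None, t

def parse_ace(line):
    """Parse an extended ACE in numbered ('access-list 100 permit ...') or sequenced ('110 deny ...') form."""
    t = line.split()
    t = t[2:] if t[0] == "access-list" else t[1:] if t[0].isdigit() else t
    ace = dict(action=t[0], proto=t[1])
    ace["src"], t = _addr(t[2:])
    ace["sport"], t = _port(t)
    ace["dst"], t = _addr(t)
    ace["dport"], t = _port(t)
    ace["established"] = "established" in t
    return ace

def ace_matches(ace, packet):
    def addr_ok(spec, addr):   # OR-ing in the wildcard blanks the don't-care bits on both sides
        return (ip(addr) | spec[1]) == (spec[0] | spec[1])
    return (ace["proto"] in ("ip", packet["proto"])
            and addr_ok(ace["src"], packet["src"]) and addr_ok(ace["dst"], packet["dst"])
            and ace["sport"] in (None, packet["sport"]) and ace["dport"] in (None, packet["dport"])
            and (not ace["established"] or packet["ack"]))

def evaluate(aces, packet):
    """First match decides; running off the end is the implicit deny."""
    return next((a["action"] for a in aces if ace_matches(a, packet)), "deny")

def forward(packet, routes, acls, ingress="Ethernet0"):
    """Ingress ACL, longest-prefix route lookup, egress ACL; a direction absent from 'acls' passes everything."""
    if (ingress, "in") in acls and evaluate(acls[ingress, "in"], packet) == "deny":
        return f"denied by {ingress} in"
    dst = ipaddress.ip_address(packet["dst"])
    egress = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)[1]
    if (egress, "out") in acls and evaluate(acls[egress, "out"], packet) == "deny":
        return f"denied by {egress} out"
    return f"forwarded via {egress}"

def range_to_wildcards(first, last):
    """A wildcard covers one aligned block, so an arbitrary range needs one ACE per block."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [f"{n.network_address} {n.hostmask}" for n in nets]

def acl(*lines): return [parse_ace(line) for line in lines]
def pkt(src, dst, dport, sport=40000, ack=False):
    return dict(proto="tcp", src=src, dst=dst, sport=sport, dport=dport, ack=ack)

# Constructed topology: LAN on Ethernet0, ADSL on Dialer1, static route to a second site via another LAN router.
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "Dialer1"), (ipaddress.ip_network("10.10.0.0/16"), "Ethernet0")]
PROXY, OTHER, WEB, CLIENT, INET = "192.168.1.10", "192.168.1.11", "192.168.1.20", "192.168.1.50", "198.51.100.7"

# Design 1, the original: a source-only (standard) ACL inbound on Ethernet0, written here as extended ACEs.
# Every packet a client sends through the router enters here, so the static-route subnet is cut off too.
ORIGINAL = {("Ethernet0", "in"): acl(f"access-list 100 permit ip host {PROXY} any",
                                      f"access-list 100 permit ip host {OTHER} any")}
# Design 2, the reply's suggestion: filter outbound on Dialer1, so only Internet-bound traffic is touched.
# The third ACE is what the web server needs: its replies leave via Dialer1 with source port 80.
WEB_ACES = (f"permit tcp host {PROXY} any eq www", f"permit tcp host {OTHER} any eq www",
            f"permit tcp host {WEB} eq www any established")
DIALER_OUT = {("Dialer1", "out"): acl(*(f"access-list 101 {a}" for a in WEB_ACES))}
# Design 3: keep the filter inbound on Ethernet0 but extended, permitting the static-route destination first.
ETH_IN = {("Ethernet0", "in"): acl("access-list 102 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255",
                                    *(f"access-list 102 {a}" for a in WEB_ACES))}

def scenarios():
    to_site, to_web = pkt(CLIENT, "10.10.5.5", 445), pkt(CLIENT, INET, 80)
    reply = pkt(WEB, INET, 51000, sport=80, ack=True)      # web server answering an Internet client
    ranged = acl(*(f"access-list 103 deny tcp {w} any eq www"      # one deny per aligned block, then the rest
                   for w in range_to_wildcards("192.168.1.20", "192.168.1.30")),
                 "access-list 103 permit tcp 192.168.1.0 0.0.0.255 any eq www")
    return {
        "original: client -> static route": forward(to_site, ROUTES, ORIGINAL),
        "dialer out: client -> static route": forward(to_site, ROUTES, DIALER_OUT),
        "dialer out: client -> Internet www": forward(to_web, ROUTES, DIALER_OUT),
        "dialer out: proxy -> Internet www": forward(pkt(PROXY, INET, 80), ROUTES, DIALER_OUT),
        "dialer out: web reply, return ACE omitted":
            forward(reply, ROUTES, {("Dialer1", "out"): DIALER_OUT["Dialer1", "out"][:2]}),
        "dialer out: web reply": forward(reply, ROUTES, DIALER_OUT),
        "ethernet in (ext): client -> static route": forward(to_site, ROUTES, ETH_IN),
        "ethernet in (ext): client -> Internet www": forward(to_web, ROUTES, ETH_IN),
        "range deny: 192.168.1.25 -> www": evaluate(ranged, pkt("192.168.1.25", INET, 80)),
    }

if __name__ == "__main__":
    print(*(f"{label:45} {result}" for label, result in scenarios().items()), sep="\n")
```

Two things the model deliberately leaves out matter on a real 837. First, if the router does NAT on the dialer, IOS translates inside-to-outside packets before it checks the outbound ACL, so an outbound ACL on Dialer1 sees the translated source address and `permit tcp host 192.168.1.10 any eq www` never matches; the extended inbound ACL on Ethernet0 (design 3 above) is evaluated before NAT and avoids that. Second, an outbound ACL does not filter traffic the router itself originates. Whichever interface the ACL ends up on, it is applied with `ip access-group <number> in|out` under that interface, and `show access-lists` prints a match counter per entry, which is the quickest way to see which line a flow is actually hitting.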
