Catalyst ACL Question

Discussion in 'Cisco' started by newb, Sep 24, 2004.

  1. newb

    newb Guest

    I am trying to set up a Catalyst 3550 and previously have only limited experience with a PIX. What I have done is set up 2 VLANs, 1 for our internal network stuff and 1 for our internet facing stuff. On the internet facing stuff I want to limit access to our external web server and only allow a select list of ports in, but allow everything outgoing. I thought I could do this using an extended ACL such as this:

    ip access-list extended Webserver
    permit tcp any eq www any
    permit tcp any eq 443 any
    permit tcp any eq ftp-data any
    permit tcp any eq ftp any
    permit tcp any eq 3389 any
    permit tcp any eq domain any
    deny ip any any

    However, when I apply this the computer doesn't seem to be able to see anything on the outside; the inbound filtering does seem to work, though.

    If anyone has any recommendations I would really appreciate it.

    Colin Fischer
    newb, Sep 24, 2004
    #1

  2. Scooby

    Scooby Guest

    "newb" <> wrote in message
    news:Yz_4d.492815$M95.251050@pd7tw1no...
    > I am trying to setup a Catalyst 3550 and previously have only limited
    > experience with a PIX. What I have done is set up 2 VLANs 1 for our internal
    > network stuff and 1 for our internet facing stuff. On the internet facing
    > stuff I want to limit access to our external web server and only allow a
    > select list of ports in but allow everything outgoing. I thought I could do
    > this using an extended ACL such as this
    >
    > ip access-list extended Webserver
    > permit tcp any eq www any
    > permit tcp any eq 443 any
    > permit tcp any eq ftp-data any
    > permit tcp any eq ftp any
    > permit tcp any eq 3389 any
    > permit tcp any eq domain any
    > deny ip any any
    >
    > However when I apply this the computer doesn't seem to be able to see
    > anything on the outside, the inbound filtering does seem to work though.
    >
    > If anyone has any recommendations I would really appreciate it.
    >
    > Colin Fischer

    Colin,

    You are using source ports instead of destination ports. Your acl should be
    like this:

    ip access-list extended Webserver
    permit tcp any any eq www
    permit tcp any any eq 443
    permit tcp any any eq ftp-data
    permit tcp any any eq ftp
    permit tcp any any eq 3389
    permit tcp any any eq domain
    deny ip any any

    Source ports are random.

    Hope that helps,

    Jim
    Scooby, Sep 24, 2004
    #2
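To show the difference Jim describes, here is a small added Python simulator (not part of the thread, and not IOS): it parses both ACLs in the forms posted above, assuming `any` hosts and the IOS port names used here, and evaluates a packet against each list top-down, first match wins, with the implicit deny at the end.

```python
# Constructed simulator (not IOS): the source-port ACL from the question
# beside the destination-port ACL from the reply, evaluated on sample packets.
ORIGINAL_ACL = """permit tcp any eq www any
permit tcp any eq 443 any
permit tcp any eq ftp-data any
permit tcp any eq ftp any
permit tcp any eq 3389 any
permit tcp any eq domain any
deny ip any any"""
CORRECTED_ACL = """permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any any eq 3389
permit tcp any any eq domain
deny ip any any"""
PORT_NAMES = {"www": 80, "ftp-data": 20, "ftp": 21, "domain": 53}  # IOS names

def port_number(token):
    return PORT_NAMES.get(token) or int(token)

def parse_acl(text):
    # Entries of the shape '<permit|deny> <proto> any [eq P] any [eq P]';
    # only 'any' hosts are handled, which is all the thread's ACL uses.
    entries = []
    for line in text.splitlines():
        tok, ports, i = line.split(), [], 2
        for _ in range(2):  # source host, then destination host
            assert tok[i] == "any", line
            i += 1
            if i < len(tok) and tok[i] == "eq":  # 'eq P' right after a host
                ports.append(port_number(tok[i + 1]))
                i += 2
            else:
                ports.append(None)  # no 'eq' means any port
        entries.append((tok[0], tok[1], ports[0], ports[1]))
    return entries

def evaluate(entries, proto, sport, dport):
    # Top-down, first match wins; every IOS ACL ends with an implicit deny.
    for action, p, s, d in entries:
        if p in ("ip", proto) and s in (None, sport) and d in (None, dport):
            return action
    return "deny"

def compare(proto, sport, dport):
    # (verdict under the original ACL, verdict under the corrected ACL)
    return (evaluate(parse_acl(ORIGINAL_ACL), proto, sport, dport),
            evaluate(parse_acl(CORRECTED_ACL), proto, sport, dport))
```

A client SYN to the web server (random source port, destination 80) is denied by the original list and permitted by the corrected one, while a reply from an outside server on port 80 is the other way round. Because the 3550 ACL is stateless, the corrected list matches only connections to the listed server ports; replies to sessions opened from the inside need their own entry (for example `permit tcp any any established`), which the thread does not cover.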
