Assuming that the router is sitting between the host and the service
listening to port 2200, your list should look like so:
example topology:
Host ---(e0) Router (e1)--- service listening on port 2200
example access-list:
Router(config)#access-list 113 deny tcp host 10.42.237.23 any eq 2200
Router(config)#access-list 113 permit ip any any
Router(config)#int e0
Router(config-if)#ip access-group 113 in
This blocks anything from host 10.42.237.23 on port 2200 going into the
router on e0.
You may also want to consider using named access lists, if your IOS version
supports it:
Router(config)#ip access-list extended MyNetworkACL
Router(config-ext-nacl)#deny tcp host 10.42.237.23 any eq 2200
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#int e0
Router(config-if)#ip access-group MyNetworkACL in
Named access lists are a bit easier to manage if you have a lot of
configurations in there.
HTH,
johnny p.
At 03:44 PM 4/19/2001 -0400, Allen May wrote:
>Unless they're going through the router to get to the server an access-list
>won't help you there. That just filters traffic passing through interfaces.
>If it's on the same network you'll have to permit/deny at the server itself.
>It's possible with all operating systems. What kind of server is it?
>
>----- Original Message -----
>From: "Luke"
>To:
>Sent: Thursday, April 19, 2001 2:19 PM
>Subject: Need access list help [7:1274]
>
>
> > Have following internal local networks:
> >
> > Local Networks : 10.42.232.0 through 10.42.239.0
> > Have a host at 10.42.237.23 that I want to permit local networks to
> > access (TCP port 2200)
> > Want to deny access to host 10.42.237.23 for all others
> > Want to permit all other traffic any any
> >
> > In effect I just need to deny access to one host for stated port for
> > everyone not on the local network. What should the access-list look like?
> > I'd hate to club my local network.
> >
> > My current plan was to
> >
> > access-list 113 permit tcp 10.42.232.0 0.0.248.255 host 10.42.237.23
> > access-list 113 deny tcp any host 10.42.237.23
> > access-list 113 permit tcp any any
> > {implicit deny}
> >
> > config-int vlan 237
> > ip access-group 113 in
> >
> > But I have the sinking feeling I am about to club all other
> > protocols. Can someone straighten me out?
> >
> > Thanks in advance.
> >
> > Luke
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1287&t=1274
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
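As an added example that is not part of this thread, here is a small Python evaluator for the numbered IOS access-list syntax discussed above. It applies first-match semantics with the implicit deny at the end, and runs Luke's draft list next to a corrected one (wildcard 0.0.7.255 for 10.42.232.0 through 10.42.239.0, port 2200 named explicitly, a closing permit ip any any) over constructed packets; the packet addresses and the corrected list are assumptions, not from the thread.

```python
# Added example, not code from the thread: first-match evaluator for the
# numbered IOS ACL syntax above, comparing Luke's draft with a corrected list.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst dport")

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _take_addr(tok):
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list.
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} proto src [wc] dst [wc] [eq port]'."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, pkt):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, proto, (sn, sw), (dn, dw), port in map(parse_ace, acl):
        if proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, sn, sw) and wildcard_match(pkt.dst, dn, dw)):
            continue
        if port is not None and pkt.dport != port:
            continue
        return action
    return "deny"

# Luke's draft as posted. Mask 0.0.248.255 only matches third octets whose low
# three bits are clear (232, 240, 248, ...), so 10.42.233.x is NOT covered.
LUKE_ACL = [
    "access-list 113 permit tcp 10.42.232.0 0.0.248.255 host 10.42.237.23",
    "access-list 113 deny tcp any host 10.42.237.23",
    "access-list 113 permit tcp any any",
]
# Corrected (assumed): 0.0.7.255 covers 10.42.232.0-10.42.239.255, the port is
# explicit, and a final 'permit ip any any' keeps non-TCP traffic flowing.
FIXED_ACL = [
    "access-list 113 permit tcp 10.42.232.0 0.0.7.255 host 10.42.237.23 eq 2200",
    "access-list 113 deny tcp any host 10.42.237.23 eq 2200",
    "access-list 113 permit ip any any",
]
```

Feeding a UDP packet from a local host through LUKE_ACL falls through to the implicit deny, which is exactly the "clubbing all other protocols" Luke was worried about.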