Ah yes, the old in-or-out debate...
Brian "Sonic" Whalen
Success = Preparation + Opportunity
On Wed, 29 Aug 2001, John Neiberger wrote:
> The problem is in your second line. You are denying traffic *sourced*
> from port 80 (www), not traffic destined for port 80. Change the line
> to:
>
> access-list 101 deny tcp any any eq www
>
> I would even consider adding "eq www" to the first line since you only
> want to allow web traffic to that host, right?
>
> HTH,
> John
>
> >>> "Wilson, Bradley" 8/29/01 10:03:33 AM >>>
> Okay gang, this one's work-related so don't feel obligated to help. ;-)
> I think it's an interesting thought problem though:
>
> The Problem I'm Trying To Solve: allow access to a particular website
> (2.2.2.2) from users on a particular subnet. Do NOT allow them to
> access any *other* website. Allow them to access other resources within your
> internal network (172.0.0.0).
>
> Here's the ACL I came up with:
>
> access-list 101 permit ip any host 167.216.138.4
> access-list 101 deny tcp any eq www any
> access-list 101 permit ip any 172.0.0.0 0.255.255.255
> access-list 101 permit ip any any
>
> This list was created on an MSFC card running in a 6509 chassis, and
> has been applied to interface Vlan1 inbound (I tried outbound as well just
> for kicks). The (unintended) result is that users can access both the
> target website, as well as other websites on the Internet. Any ideas?
>
> Bradley J. Wilson
> CCNP CCDP MCSE NNCSS CNX MCT CTT
> EDS/Boston Scientific Account
> (508) 650-8739
> [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17754&t=17695
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
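To make the source-port versus destination-port mistake in the thread concrete, here is an added example (not from any of the posters, and not IOS code) that models how an extended ACL is evaluated: entries are checked top to bottom, the first match decides, and an implicit deny sits at the end. It parses the posted ACL and John's corrected version, then runs a few constructed packets through both. The host 167.216.138.4 comes from the posted ACL (the problem statement says 2.2.2.2); the client address 10.1.1.5, the outside site 203.0.113.10, the internal host 172.16.5.5 and the ephemeral source port 40000 are made up for the test.

```python
"""Simplified model of Cisco extended ACL matching, written for this thread.
Not IOS code: it only understands the syntax used in the posted lines."""
import ipaddress

# Port keywords used in the thread; IOS knows many more.
PORT_NAMES = {"www": 80}


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tokens[i].
    Returns ((network_int, match_mask_int), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1                       # every bit is "don't care"
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF                  # wildcard 1-bits are ignored
    return (addr & mask, mask), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' operator. Returns (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name) or int(name), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> <ip|tcp> <src> [eq p] <dst> [eq p]'.
    Note the position of 'eq': right after the source it tests the SOURCE port,
    right after the destination it tests the DESTINATION port."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _addr_match(spec, addr):
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == net


def evaluate(acl_lines, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet: first matching entry wins."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"                                  # implicit deny at the end of every ACL


# The ACL exactly as posted: line 2 tests the source port.
ORIGINAL_ACL = [
    "access-list 101 permit ip any host 167.216.138.4",
    "access-list 101 deny tcp any eq www any",
    "access-list 101 permit ip any 172.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
]

# John's correction: 'eq www' on the destination side, and also on line 1.
CORRECTED_ACL = [
    "access-list 101 permit tcp any host 167.216.138.4 eq www",
    "access-list 101 deny tcp any any eq www",
    "access-list 101 permit ip any 172.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
]

# Constructed traffic: a client on the user subnet (10.1.1.5, made up) using an
# ephemeral source port, as seen entering Vlan1 inbound.
CLIENT = "10.1.1.5"


def outcomes(acl):
    """Evaluate the same four constructed flows against one ACL."""
    return {
        "allowed_site_www": evaluate(acl, "tcp", CLIENT, 40000, "167.216.138.4", 80),
        "other_site_www":   evaluate(acl, "tcp", CLIENT, 40000, "203.0.113.10", 80),
        "internal_smb":     evaluate(acl, "tcp", CLIENT, 40000, "172.16.5.5", 445),
        "internal_www":     evaluate(acl, "tcp", CLIENT, 40000, "172.16.5.5", 80),
    }


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, outcomes(acl))
```

With the posted ACL, a browser request to 203.0.113.10:80 carries source port 40000, so `deny tcp any eq www any` never matches and the packet falls through to `permit ip any any`; that is the symptom Bradley saw. With `eq www` on the destination, the same packet is denied. The `internal_www` row shows a side effect of the corrected ordering worth checking against the requirement: the deny line sits above the 172.0.0.0/8 permit, so web traffic to internal servers is denied too; if that is not wanted, the internal permit has to move above the deny.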