Is 167.216.138.4 a proxy server? Is there another proxy
server in the midst, perhaps using another TCP port number?
Proxy servers usually use 8080, but I've seen some (Squid, a
Unix proxy server, for example) at other port IDs. Keep in mind
that there are anonymous proxy services out there that aren't
using standard port numbers, and your users can still use those.

But let's take proxies out of the equation for a moment.
As soon as you use a deny rule you prohibit any further processing for
the predicates the deny rule uses. So put your permits first in
the "greedy-eye" format, that is, place your unrestricted
largest permitted access first.

    permit ip any 172.0.0.0 0.255.255.255
    permit tcp any host 2.2.2.2 eq www
    deny tcp any any eq www

Wayne
-----Original Message-----
From: Wilson, Bradley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 1:04 AM
To: [EMAIL PROTECTED]
Subject: Work-related ACL problem [7:17695]
Okay gang, this one's work-related so don't feel obligated to help. ;-) I
think it's an interesting thought problem though:

The Problem I'm Trying To Solve: allow access to a particular website
(2.2.2.2) from users on a particular subnet. Do NOT allow them to access
any *other* website. Allow them to access other resources within your
internal network (172.0.0.0).

Here's the ACL I came up with:

    access-list 101 permit ip any host 167.216.138.4
    access-list 101 deny tcp any eq www any
    access-list 101 permit ip any 172.0.0.0 0.255.255.255
    access-list 101 permit ip any any

This list was created on an MSFC card running in a 6509 chassis, and has
been applied to interface Vlan1 inbound (I tried outbound as well just for
kicks). The (unintended) result is that users can access both the target
website, as well as other websites on the Internet. Any ideas?
Bradley J. Wilson
CCNP CCDP MCSE NNCSS CNX MCT CTT
EDS/Boston Scientific Account
(508) 650-8739
[EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17810&t=17695
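
Added example (not from either poster, and not Cisco code): a small Python model of top-down, first-match evaluation for the extended ACL entries quoted in this thread, run against a constructed web request from an assumed client 172.16.1.10 to an assumed outside server 198.51.100.7. In IOS extended ACL syntax a port qualifier written after the source address matches the source port, so the posted "deny tcp any eq www any" does not match a request going to destination port 80; the helper names (parse, evaluate) are hypothetical.

```python
from ipaddress import IPv4Address as IP

PORTS = {"www": 80}  # IOS keyword for TCP port 80

def _addr(tok):
    # Consume 'any', 'host A' or 'A WILDCARD'; return (base, care-bits mask).
    first = tok.pop(0)
    if first == "any":
        return 0, 0
    if first == "host":
        return int(IP(tok.pop(0))), 0xFFFFFFFF
    return int(IP(first)), 0xFFFFFFFF ^ int(IP(tok.pop(0)))

def _port(tok):
    # Consume an optional 'eq PORT'; None means the entry ignores the port.
    if tok[:1] != ["eq"]:
        return None
    _, name = tok.pop(0), tok.pop(0)
    return PORTS.get(name) or int(name)

def parse(line):
    tok = line.split()
    tok = tok[2:] if tok[0] == "access-list" else tok  # drop 'access-list N'
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _addr(tok), _port(tok)  # a port written here is the SOURCE port
    dst, dport = _addr(tok), _port(tok)  # a port written here is the DESTINATION port
    return action, proto, src, sport, dst, dport

def _hit(ip, spec):
    return (int(IP(ip)) ^ spec[0]) & spec[1] == 0

def evaluate(acl, proto, src, sport, dst, dport):
    # Top-down, first match wins; falling off the end is the implicit deny.
    for line in acl:
        action, p, s, sp, d, dp = parse(line)
        if (p in ("ip", proto) and _hit(src, s) and _hit(dst, d)
                and sp in (None, sport) and dp in (None, dport)):
            return action, line
    return "deny", "(implicit deny)"

POSTED = [  # the ACL from the original message
    "access-list 101 permit ip any host 167.216.138.4",
    "access-list 101 deny tcp any eq www any",
    "access-list 101 permit ip any 172.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any"]
SUGGESTED = ["permit ip any 172.0.0.0 0.255.255.255",  # entries from the reply
             "permit tcp any host 2.2.2.2 eq www", "deny tcp any any eq www"]
WEB = ("tcp", "172.16.1.10", 40000, "198.51.100.7", 80)  # constructed packet
if __name__ == "__main__":
    print(evaluate(POSTED, *WEB), evaluate(SUGGESTED, *WEB))
```

The suggested entries have no trailing permit, so in this model any packet they do not match falls through to the implicit deny.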