Thanks everyone, of course this is what I wanted. Like I said, a stupid ACL question...I'm blaming heavy medication, sorry for the noise!
> On Thu, 21 Apr 2011, [email protected] wrote:
>> permit tcp any eq 443 any
>> permit tcp any eq 80 any
>> deny ip any host 2.2.3.4
>> permit ip any any
>>
>> This is applied to an inbound interface(s). We want anybody outside to be
>> able to reach ports 80 and 443 of any host on our network, no matter what,
>> then block ALL other access to select hosts, such as 2.2.3.4, even ICMP.
>> However, as soon as I apply this rule to the interface, ports 80 and 443
>> of that host become unreachable. A telnet to 2.2.3.4 443 gets "Connection
>> refused" until I tear out the deny ACL above. I even tried adding udp for
>> both ports, to no avail.
>
> Your ACL applies 80 & 443 as source ports, not destination ports.
>
> You probably want:
> permit tcp any any eq 443
> permit tcp any any eq 80
> deny ip any host 2.2.3.4
> permit ip any any
>
> ________________________________________________________________________
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: [email protected], phone: 319-335-5555, fax: 319-335-2951
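The source-port versus destination-port mix-up in the thread is easy to reproduce with a small first-match evaluator. This is an added example, not code from the list or from Cisco; it assumes only the address forms (`any`, `host A.B.C.D`) and port operator (`eq`) that appear in the quoted ACLs, and applies the implicit `deny ip any any` at the end.

```python
import ipaddress

# Constructed from the thread: the original ACL (ports land in the SOURCE
# position) and the corrected one (ports land in the DESTINATION position).
ORIGINAL_ACL = ["permit tcp any eq 443 any", "permit tcp any eq 80 any",
                "deny ip any host 2.2.3.4", "permit ip any any"]
CORRECTED_ACL = ["permit tcp any any eq 443", "permit tcp any any eq 80",
                 "deny ip any host 2.2.3.4", "permit ip any any"]

def _take_addr(toks):
    """Consume 'any' or 'host A.B.C.D'; None means wildcard."""
    if toks[0] == "any":
        return None, toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_address(toks[1]), toks[2:]
    raise ValueError("unsupported address form: %r" % toks[0])

def _take_port(toks):
    """Consume an optional 'eq N' that follows an address; None means any port."""
    if toks and toks[0] == "eq":
        return int(toks[1]), toks[2:]
    return None, toks

def parse_ace(line):
    """Parse 'action proto src [eq P] dst [eq P]' in Cisco extended-ACL order."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)   # an 'eq' right after src is a SOURCE port
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)   # an 'eq' right after dst is a DESTINATION port
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def ace_matches(ace, proto, src, sport, dst, dport):
    """'ip' matches every protocol; a None field in the ACE is a wildcard."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    for want, have in ((ace["src"], src), (ace["dst"], dst)):
        if want is not None and want != ipaddress.ip_address(have):
            return False
    for want, have in ((ace["sport"], sport), (ace["dport"], dport)):
        if want is not None and want != have:
            return False
    return True

def evaluate(acl_lines, proto, src, sport, dst, dport):
    """First matching ACE wins; unmatched traffic hits the implicit deny."""
    for line in acl_lines:
        if ace_matches(parse_ace(line), proto, src, sport, dst, dport):
            return parse_ace(line)["action"], line
    return "deny", "implicit deny ip any any"
```

A client connecting from an ephemeral port to 2.2.3.4:443 falls through the first two ACEs of the original ACL (its source port is not 443 or 80) and is caught by the deny, which is exactly the "Connection refused" symptom reported; the corrected ACL permits it while still dropping ICMP and other ports to that host.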

