On 5/19/12 2:01 AM, Sam wrote:
> Guys
>
> Tried this and I can't get it to work the way it should
>
> What I need to do is block access to a server for all ports bar the IPs on
> our network
>
> Server = 101.31.7.11
>
> Our IPs = 101.97.214/23, 101.45.120/24 and external ip of say 210.11.23.12
>
> Driving me insane!!!
If the server is the only host on the interface, it's relatively easy.

  access-list 10 permit 101.97.214.0 0.0.1.255
  access-list 10 permit 101.45.120.0 0.0.0.255
  access-list 10 permit host 210.11.23.12
  interface [server-out]
   ip access-group 10 out

If there are other hosts on the subnet in addition to the server that are to receive all traffic, it gets a bit trickier. Here we specifically allow the traffic to the server from the desired networks, then deny all other traffic to the server, then allow all other traffic to the rest of the subnet. Don't forget that there is an implicit (not shown or configured) deny all rule at the end of the access list. The access-list rules are processed in order.

The access-group on an interface is applied in or out as seen by the interface. You could apply the lists "in" on all of the interfaces other than the one facing the server or "out" on the one facing the server.

  access-list 101 permit ip 101.97.214.0 0.0.1.255 any
  access-list 101 permit ip 101.45.120.0 0.0.0.255 any
  access-list 101 permit ip host 210.11.23.12 any
  access-list 101 deny ip any host 101.31.7.11
  access-list 101 permit ip any any
  interface [server-out]
   ip access-group 101 out

> Can you apply more than 1 access-list to an interface
>
> Access-list 101 in
> Access-list 102 in

Not in the same direction. You can have one list controlling traffic going into an interface and another one controlling traffic leaving the interface.

> So I can share acl 102 on multiple interfaces

You can, if you want the identical policy to apply to multiple interfaces.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
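To check how IOS would walk the two lists in the reply (first match wins, wildcard masks are inverted netmasks, and anything that falls off the end hits the implicit deny), here is a small ACL evaluator added as an illustration. It is not from the thread or from Cisco; it transcribes ACL 10 and ACL 101 from the reply as constructed input, and the sample source addresses are made up.

```python
import ipaddress
# ACL 10 and ACL 101 from the reply above, transcribed as constructed input.
ACL_10 = """
access-list 10 permit 101.97.214.0 0.0.1.255
access-list 10 permit 101.45.120.0 0.0.0.255
access-list 10 permit host 210.11.23.12
"""
ACL_101 = """
access-list 101 permit ip 101.97.214.0 0.0.1.255 any
access-list 101 permit ip 101.45.120.0 0.0.0.255 any
access-list 101 permit ip host 210.11.23.12 any
access-list 101 deny ip any host 101.31.7.11
access-list 101 permit ip any any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard is an inverted netmask: 0 = must match, 1 = don't care.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False), tokens[2:]

def parse_acl(text):
    """Return [(action, src_net, dst_net)] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()          # access-list <num> <action> [ip] <src> [<dst>]
        action, rest = t[2], t[3:]
        if rest[0] == "ip":       # extended ACL: protocol, source, destination
            src, rest = parse_addr(rest[1:])
            dst, rest = parse_addr(rest)
        else:                     # standard ACL: source only
            src, rest = parse_addr(rest)
            dst = ANY
        entries.append((action, src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"
```

Swapping the `deny ip any host 101.31.7.11` line with the `permit ip any any` line after it makes the deny unreachable, which is the ordering point the reply makes.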