 Extended ACL
How do I create an ACL for: Allow inbound HTTP requests to the www.yzcorp server.

Add info: The www.yzcorp.com website at 10.0.1.2 is registered with the public DNS system at IP address 209.165.200.246

      permit tcp any 209.165.200.246 eq www is not working.



Software/Hardware used:
Packet Tracer
ASKED: September 18, 2010  1:21 PM
UPDATED: December 16, 2010  4:13 AM

Answer Wiki:
Correction: permit tcp any host 209.165.200.246 eq www is not working. Where did you apply your access-group and in what direction? That could make the difference.
Last Wiki Answer Submitted:  September 20, 2010  3:51 pm  by  IFOY   50 pts.
All Answer Wiki Contributors:  IFOY   50 pts.


Discuss This Question:


 

I applied the access-group on the router (between the router and ISP), in this case, S0/1/0. Router statement: ip access-group FIREWALL (ACL name) in

Thanks for replying.

 50 pts.

 

Do you have NAT on the router as well?

 3,610 pts.

 

Perhaps post the relevant parts of the config, obviously removing the sensitive stuff ;)

 3,610 pts.

 

interface FastEthernet0/0
ip address 10.0.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto

interface Serial0/1/0
ip address 209.165.201.1 255.255.255.252
encapsulation ppp
ppp authentication chap
ip access-group FIREWALL in
ip nat outside

ip nat pool XYZCORP 209.165.200.241 209.165.200.245 netmask 255.255.255.248
ip nat inside source list NAT_LIST pool XYZCORP
ip nat inside source static 10.0.1.2 209.165.200.246
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 10.4.5.0 255.255.255.0 Serial0/0/1

ip access-list standard NAT_LIST
permit 10.0.0.0 0.255.255.255

ip access-list extended FIREWALL
permit tcp any host 209.165.200.246 eq www
permit tcp any any established
permit icmp any any echo-reply
deny ip any any

Fa0/0 is towards http://www.xyzcorp.com server. S0/1/0 is towards the ISP. I attempted to copy/paste a simulated network diagram, but was unsuccessful.

 50 pts.
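
To check which FIREWALL entry a given inbound packet hits, here is an added example (not part of the thread or of anyone's post) that models first-match evaluation of the ACL posted above. It parses only the entry forms that appear in that ACL and does not model NAT; the sample packets are constructed, and the web request is tested with both the public address 209.165.200.246 and the inside address 10.0.1.2 as destination because S0/1/0 carries both ip access-group FIREWALL in and ip nat outside.

```python
import ipaddress

# FIREWALL entries exactly as posted in the thread.
FIREWALL = """\
permit tcp any host 209.165.200.246 eq www
permit tcp any any established
permit icmp any any echo-reply
deny ip any any
"""
PORTS = {"www": 80}  # IOS port keyword -> port number

def parse(line):
    """Parse one entry; handles only the forms used in FIREWALL, not full IOS syntax."""
    tok = line.split()
    if tok[2] != "any":
        raise ValueError("only 'any' sources are modelled")
    ace = {"text": line, "action": tok[0], "proto": tok[1], "dst": None,
           "dport": None, "established": False, "icmp": None}
    if tok[3] == "host":
        ace["dst"], rest = ipaddress.ip_address(tok[4]), tok[5:]
    else:  # destination 'any'
        rest = tok[4:]
    if rest[:1] == ["eq"]:
        ace["dport"] = PORTS.get(rest[1]) or int(rest[1])
    elif rest == ["established"]:
        ace["established"] = True  # matches TCP segments with ACK or RST set
    elif rest:
        ace["icmp"] = rest[0]
    return ace

def matches(ace, pkt):
    flags = pkt.get("flags", set())
    return (ace["proto"] in ("ip", pkt["proto"])
            and ace["dst"] in (None, ipaddress.ip_address(pkt["dst"]))
            and ace["dport"] in (None, pkt.get("dport"))
            and (not ace["established"] or bool(flags & {"ACK", "RST"}))
            and ace["icmp"] in (None, pkt.get("icmp")))

def first_match(acl, pkt):
    """Return (action, entry text) of the first matching entry, else the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "(implicit deny)"

ACL = [parse(l) for l in FIREWALL.splitlines()]
SAMPLES = {  # constructed packets arriving on S0/1/0 from an outside host
    "http_public": {"proto": "tcp", "dst": "209.165.200.246", "dport": 80, "flags": {"SYN"}},
    "http_inside": {"proto": "tcp", "dst": "10.0.1.2", "dport": 80, "flags": {"SYN"}},
    "tcp_reply": {"proto": "tcp", "dst": "209.165.200.241", "dport": 49152, "flags": {"ACK"}},
    "echo_request": {"proto": "icmp", "dst": "209.165.200.246", "icmp": "echo"},
}
if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", *first_match(ACL, pkt))
```

With the posted entries, the web request is permitted only when its destination is 209.165.200.246, and an ICMP echo request from the outside falls through to deny ip any any.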

 

Any help would be appreciated.

 50 pts.

 

I’m running into the exact same issue and have created the exact same ACL. I’ve scored 470 of a possible 471 points on this assignment and this last point is going to drive me bonkers if I can’t find it! The webserver, located on the inside at 10.0.1.2, is not accessible from the outside. If the FIREWALL ACL has not been created, the public-to-private mapping “ip nat inside source static 10.0.1.2 209.165.200.246” works fine. The moment the ACL is created, you get “Request Timeout” from the PC located on the outside. The Packet Tracer program’s scoring table is indicating an error with the FIREWALL ACL, but of course doesn’t specify where in the ACL the error is occurring. I don’t have a solution, just wanted to toss my hat in there as someone who is having the same problem :)

 20 pts.

 

Hi Normc62,

If you open a new thread for your question, it might get more attention and possibly an answer this time! Best of luck.

Melanie

 6,315 pts.

 

Hi Melanie,

Actually, it’s the exact same problem that IFOY is having. In fact, I created my ACL in the exact same manner before coming here to see if someone had a solution ["great minds think alike"?]. I have to submit my assignment in the next day or two, so I figure I’m going to end up with a 470/471 and I’ll simply poke at it later and see if I can figure out where I/we went wrong.

 20 pts.