How to understand access-lists cisco?
I'm trying to figure out access lists; here is the network diagram:
For example, I want only the web server (port 80) to be reachable from the 192.168.2.0 network and nothing else, not even ping, while host 192.168.2.100 has access to all ports.
I put together the following access-list:
Extended IP access list TO-WEB-SERVER
10 permit ip host 192.168.2.100 host 12.12.2.2 // Allow everything from host 192.168.2.100
20 permit tcp 192.168.2.0 0.0.0.255 host 12.12.2.2 eq www // For the rest of the 192.168.2.0 network, allow only port 80
30 deny ip 192.168.2.0 0.0.0.255 host 12.12.2.2 // Deny the remaining ports from the 192.168.2.0 network to host 12.12.2.2
40 permit ip any any (16 match(es)) // Allow everything else
interface GigabitEthernet0/1
 ip address 12.12.1.1 255.255.255.252
 ip access-group TO-WEB-SERVER out
 ip nat outside
 duplex auto
 speed auto
If 192.168.2.0/24 is NATed to 12.12.1.1, then this list must be applied to the interface facing the switch (inbound, not outbound).
PS Try doing it the way I wrote. If everything works and you don't understand why, write back and I'll explain.
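To make the placement point concrete, here is an added example (not part of the original answer and not Cisco code) that models the asker's TO-WEB-SERVER list as first-match-wins entries and evaluates the same packets at the two candidate positions: inbound on the LAN-facing interface (before NAT, original source addresses) and outbound on GigabitEthernet0/1 (after NAT, source already rewritten to 12.12.1.1). The NAT rule (192.168.2.0/24 translated to 12.12.1.1) is taken from the answer above; the packet addresses and the hypothetical LAN-side interface are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every IP protocol, including icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # "eq <port>", tcp/udp only

def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Cisco 'addr wildcard' -> network; 'host x' is wildcard 0.0.0.0."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)

ANY = net("0.0.0.0", "255.255.255.255")

# The list exactly as posted in the question (www = tcp/80).
TO_WEB_SERVER = [
    Entry(10, "permit", "ip",  net("192.168.2.100"),             net("12.12.2.2")),
    Entry(20, "permit", "tcp", net("192.168.2.0", "0.0.0.255"),  net("12.12.2.2"), 80),
    Entry(30, "deny",   "ip",  net("192.168.2.0", "0.0.0.255"),  net("12.12.2.2")),
    Entry(40, "permit", "ip",  ANY,                              ANY),
]

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.IPv4Address(p.src) not in e.src:
        return False
    if ipaddress.IPv4Address(p.dst) not in e.dst:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    return True

def evaluate(acl, p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action, e.seq
    return "deny", None

INSIDE_LAN = net("192.168.2.0", "0.0.0.255")
NAT_OUTSIDE_ADDR = "12.12.1.1"   # from the answer: the /24 is NATed to this address

def nat_inside_source(p: Packet) -> Packet:
    """Source translation applied before an 'out' ACL on the nat outside interface."""
    if ipaddress.IPv4Address(p.src) in INSIDE_LAN:
        return replace(p, src=NAT_OUTSIDE_ADDR)
    return p

def evaluate_out_on_outside(p: Packet):
    """ACL applied 'out' on Gi0/1 (ip nat outside): it sees the translated packet."""
    return evaluate(TO_WEB_SERVER, nat_inside_source(p))

def evaluate_in_on_inside(p: Packet):
    """ACL applied 'in' on the hypothetical LAN-facing interface: original addresses."""
    return evaluate(TO_WEB_SERVER, p)

if __name__ == "__main__":
    # Constructed sample traffic from the LAN towards the web server.
    samples = [
        Packet("tcp",  "192.168.2.50",  "12.12.2.2", 80),   # web, should be permitted
        Packet("tcp",  "192.168.2.50",  "12.12.2.2", 22),   # ssh, should be denied
        Packet("icmp", "192.168.2.50",  "12.12.2.2"),       # ping, should be denied
        Packet("tcp",  "192.168.2.100", "12.12.2.2", 22),   # privileged host, permitted
    ]
    for p in samples:
        print(p, "out/Gi0-1:", evaluate_out_on_outside(p),
              "in/LAN:", evaluate_in_on_inside(p))
```

Run it and every LAN packet placed on the outside interface lands on entry 40: after NAT the source is 12.12.1.1, which entries 10 to 30 never match, so the list filters nothing. Evaluated inbound on the LAN side, the same packets hit entries 10, 20 and 30 as intended, and the ICMP echo is caught by entry 30 because `ip` in an extended ACL covers every IP protocol.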
Ping is the ICMP protocol and must be denied separately.
Switch(config-ext-nacl)#10 deny ?
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol