Cisco Port ACL Rule blocking port 80 appears to block all traffic

acl, cisco

I have an ACL configured on an EHWIC card in a 2911 ISR, IOS 15.4, as below.

If I have the rules for blocking port 80 in there, ALL traffic to that port appears to be blocked (SSH, telnet, RDP, etc.).

If I remove rules 300 and 400, it seems to work as expected, preventing telnet access, but allowing me to do everything else.

The main thing I need the ACL for, though, is to block access to web pages across the network that I can't disable!

ip access-list extended PORT-ACL

100 deny tcp any any eq 23
200 deny tcp any eq 23 any
300 deny tcp any any eq 80
400 deny tcp any eq 80 any
500 deny icmp any any timestamp-reply
600 deny tcp any any eq 8080
700 deny tcp any eq 8080 any
1000 permit ip any any

interface GigabitEthernet1/0/1
description SERVER-DEVICE
ip access-group PORT-ACL in

Best Answer

Your access list should look like this:

ip access-list extended PORT-ACL

100 deny tcp any any eq 23
300 deny tcp any any eq 80
500 deny icmp any any timestamp-reply
1000 permit ip any any

interface GigabitEthernet1/0/1
description SERVER-DEVICE
ip access-group PORT-ACL OUT  <-- note change

The direction of the access list is in reference to the router, so OUT means from the router to the server. In that case, you will block traffic from other devices to the server when the TCP destination port is 23 or 80.
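As an added illustration (not part of the original answer), a small Python model of first-match ACL evaluation run over the corrected PORT-ACL: the client-to-server sample packets and their ephemeral port numbers are constructed, and the parser only understands the `any [eq <port>]` address forms this particular ACL uses.

```python
# Added example, not from the thread: a first-match model of how IOS evaluates
# the PORT-ACL from the answer above, run against constructed sample packets.
from dataclasses import dataclass
from typing import Optional

# The corrected ACL from the accepted answer, copied verbatim.
ANSWER_ACL = """
ip access-list extended PORT-ACL
100 deny tcp any any eq 23
300 deny tcp any any eq 80
500 deny icmp any any timestamp-reply
1000 permit ip any any
"""

@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "icmp" here
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None   # e.g. "timestamp-reply"

def parse_acl(text):
    """Return sorted (seq, action, proto, src_port, dst_port, icmp_type) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue                  # skip the 'ip access-list ...' header line
        seq, action, proto, rest = int(t[0]), t[1], t[2], t[3:]
        ports, i = [None, None], 0    # [src_port, dst_port]
        for slot in range(2):         # source address, then destination address
            i += 1                    # step over 'any'; this ACL uses no other addresses
            if i < len(rest) and rest[i] == "eq":
                ports[slot] = int(rest[i + 1]); i += 2
        itype = rest[i] if proto == "icmp" and i < len(rest) else None
        rules.append((seq, action, proto, ports[0], ports[1], itype))
    return sorted(rules)

def evaluate(rules, pkt):
    """First matching line wins; unmatched traffic hits the implicit deny at the end."""
    for seq, action, proto, sport, dport, itype in rules:
        if (proto in ("ip", pkt.proto) and sport in (None, pkt.src_port)
                and dport in (None, pkt.dst_port) and itype in (None, pkt.icmp_type)):
            return action, seq
    return "deny", None

if __name__ == "__main__":            # client -> server packets, as the 'out' ACL sees them
    acl = parse_acl(ANSWER_ACL)
    for name, pkt in [("http", Packet("tcp", 51000, 80)), ("ssh", Packet("tcp", 51001, 22)),
                      ("rdp", Packet("tcp", 51002, 3389)), ("telnet", Packet("tcp", 51003, 23))]:
        print(name, evaluate(acl, pkt))
```

Running it shows HTTP and telnet toward the server stopped by lines 300 and 100, while SSH and RDP fall through to line 1000.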