
Access List Question


  • Access List Question

    If you would like to be able to permit some computers to access only one website, could you do it through an access list?

    The thinking was as follows:

    access-list 100 permit (internal static address) (external address)
    access-list 100 deny (internal static address) any
    - - additional internal addresses for access list 100
    access-list 100 permit any any

    Then apply this to the ethernet interface.

    Will this work? Is there a better way to accomplish this?

    Many thanks in advance for any assistance.

  • #2
    Re: Access List Question

    Using a router as a firewall is a bad idea from my point of view.
    Also, a router can't give you full control over ACLs, so I wouldn't use it and would move
    to a real firewall like the Netscreen 5GT.

    Example: Suppose that the target web site's IP changes - what will you do?
    Or suppose that the target IP uses host headers to host multiple web sites
    (allowing access to the IP will allow access to the other web sites also)?


    access-list 100 permit (internal static address) (external address)
    should be ok

    access-list 100 deny (internal static address) any - there is no need for this rule.

    access-list 100 permit any any should be ok

    * Back up the router beforehand if you decide to use ACLs.


    Last edited by yuval14; 13th July 2006, 05:09.
    Best Regards,

    Yuval Sinay



    • #3
      Re: Access List Question

      Hi windows_help,

      Thanks for posting your question here! Let me see if I can help.

      yuval is right when he said that a router doesn't make a good firewall. However, IOS routers can offer stateful packet inspection (called CBAC) with a firewall feature set.

      About your ACL, there is nothing wrong with permitting access to a certain website using an ACL (and blocking all others). The only gotcha, as yuval said, is that the IP address for the site could change and then the site is suddenly denied.

      The syntax is:
      access-list 100 permit tcp host <INTERNAL STATIC> host <IP address of website you want to permit> eq www
      ! this is permitting the internal host to the IP of the website on port 80 (the "host" keyword stands in for a 0.0.0.0 wildcard). Unless you have other ACLs, the return traffic will be allowed back in
      access-list 100 deny ip any any

      I wouldn't end your ACL with a permit any any, in general.

      In general, I would specifically permit the things I want permitted and deny everything else. Denying everything else is actually done by default with the implicit deny at the end of the ACL.

      Also, where are you going to apply this ACL? (what interface and direction) Is the router running NAT? These are all things to consider.

      As always, please post your Cisco router questions here!

      David Davis
      David Davis - Petri Forums Moderator & Video Training Author
      Train Signal - The Global Leader in IT Video Training - Free IT Training Products
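The two ACL designs discussed in this thread, modelled as an added example (not code from the thread or from Cisco IOS): a small first-match evaluator that applies the implicit deny at the end, using constructed sample addresses (192.0.2.10 as the internal static host, 203.0.113.50 as the permitted website). It shows why the original ordering with a trailing "permit any any" lets every unlisted internal host through, while the moderator's version permits only tcp/80 to the site.

```python
"""First-match ACL evaluation in the style of a Cisco numbered extended ACL.
Added example, not from the thread: rules are checked top to bottom, the first
match wins, and an unmatched packet hits the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network   # /32 for a single host, 0.0.0.0/0 for "any"
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port; None = any (ignored for "ip")


def rule(action: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule matching the packet, or "deny"
    (the implicit deny that ends every IOS ACL) when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.proto != "ip" and r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Constructed sample addresses: internal static host and the permitted website.
# Original poster's ordering: per-host permit, per-host deny, then permit any any.
ACL_OP = [
    rule("permit", "ip", "192.0.2.10/32", "203.0.113.50/32"),
    rule("deny", "ip", "192.0.2.10/32", "0.0.0.0/0"),
    rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
# Moderator's version: permit only tcp/80 to the site, then deny everything.
ACL_MOD = [
    rule("permit", "tcp", "192.0.2.10/32", "203.0.113.50/32", 80),
    rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
```

The evaluator only covers source/destination address and destination port; it does not model return traffic or the interface direction the moderator asks about, which decide whether the ACL sees replies at all.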