Cisco extended ACL question. How do I limit access to only one host?

  • I have a class C. Let's call it 192.168.1.0/24. It's a live range; the non-routable range is just for example purposes. The range is broken down into 4 subnets: 192.168.1.1/26, 192.168.1.65/26, 192.168.1.129/26, & 192.168.1.193/26. The FastEthernet port is 192.168.1.254. I have a route allowing anything going from 192.168.1.0/24 through the firewall behind the router at 192.168.1.253. I need to limit the access of one single host that is on the DMZ. It is 192.168.1.252. I tried making an extended ACL, but it interferes with the traffic for the rest of the LAN. What am I doing wrong?

        access-list 110 permit tcp any host 192.168.1.252 eq 80
        access-list 110 permit tcp any host 192.168.1.252 eq 443
        access-list 110 permit tcp any host 192.168.1.252 eq 3389
        access-list 110 permit tcp any host 192.168.1.252 eq 3306
        access-list 110 permit ip any 192.168.1.0 0.0.0.255
        access-list 110 deny ip any host 192.168.1.252

        access-list 120 permit tcp host 192.168.1.252 any eq 25
        access-list 120 permit tcp host 192.168.1.252 any eq ftp
        access-list 120 permit tcp host 192.168.1.252 any eq 69
        access-list 120 permit tcp host 192.168.1.252 any eq 3306
        access-list 120 permit ip any 192.168.1.0 0.0.0.255
        access-list 120 deny ip host 192.168.1.252 any

  • Answer:

    Your deny statement is behind your "permit ip any 192.168.1.0 0.0.0.255" statement. Trace the traffic: If I wanted to telnet to 192.168.1.252 (port 23), the first 4 lines don't match, so they're useless, then I hit the 5th line, which says to permit all IP traffic, regardless of port, to any host on the 192.168.1.0/24 net. My telnet traffic matches, so it's allowed. The final "deny" statement is never evaluated. Just flip-flop your last two statements and you should be good.

Unknown_... at Yahoo! Answers
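The first-match trace the answer walks through, as an added example that is not part of the original post or of any Cisco software: a small Python simulator that parses the ACL 110 lines the asker posted (only the subset of IOS syntax used there: `any`, `host`, address/wildcard pairs and `eq <number>`), evaluates them top to bottom, and shows that the host `deny` is unreachable until it is moved above the broad `permit`. The source address 10.0.0.5 is a constructed test value.

```python
import ipaddress

# ACL 110 exactly as posted in the question (the "before" ordering).
ORIGINAL_ACL_110 = """
access-list 110 permit tcp any host 192.168.1.252 eq 80
access-list 110 permit tcp any host 192.168.1.252 eq 443
access-list 110 permit tcp any host 192.168.1.252 eq 3389
access-list 110 permit tcp any host 192.168.1.252 eq 3306
access-list 110 permit ip any 192.168.1.0 0.0.0.255
access-list 110 deny ip any host 192.168.1.252
"""


def _addr_matches(tokens, addr):
    """Consume one address spec (any | host X | X WILDCARD); return (matched, remaining tokens)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return addr == ipaddress.ip_address(tokens[1]), tokens[2:]
    net = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))
    care = 0xFFFFFFFF ^ wild  # Cisco wildcard: 1 bits are "don't care", 0 bits must match
    return (int(addr) & care) == (net & care), tokens[2:]


def evaluate(acl_text, proto, src, dst, dport):
    """Return (action, matching ACE) for the first ACE that matches; implicit deny if none does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.strip().splitlines():
        tok = line.split()                      # access-list <num> <action> <proto> ...
        action, ace_proto, rest = tok[2], tok[3], tok[4:]
        if ace_proto not in ("ip", proto):      # "ip" matches every protocol
            continue
        ok_src, rest = _addr_matches(rest, src)
        ok_dst, rest = _addr_matches(rest, dst)
        port_ok = int(rest[1]) == dport if rest and rest[0] == "eq" else True
        if ok_src and ok_dst and port_ok:
            return action, line                 # first match wins; nothing below is evaluated
    return "deny", "implicit deny at end of ACL"


def swap_last_two(acl_text):
    """The answer's fix: move the host deny above 'permit ip any 192.168.1.0 0.0.0.255'."""
    lines = acl_text.strip().splitlines()
    lines[-1], lines[-2] = lines[-2], lines[-1]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL_110), ("fixed", swap_last_two(ORIGINAL_ACL_110))):
        for port in (80, 23):   # 80 is explicitly permitted; 23 (telnet) is the answer's test case
            action, ace = evaluate(acl, "tcp", "10.0.0.5", "192.168.1.252", port)
            print(f"{name:8} tcp/{port} -> 192.168.1.252: {action:6} via '{ace}'")
```

In the original order telnet to 192.168.1.252 is permitted by the fifth line, while in the swapped order it hits the deny; traffic to any other host in 192.168.1.0/24 is permitted in both orders, which is the asker's requirement.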
