
Setting up basic ACLs on Cisco 2600

OK, I have a small project I'm working on. To start with, here's the basic network map:

I'm looking to set up some very basic access control lists for using the router as a firewall. (This is a requirement for the class I'm doing this for, so don't ask me why I'm not using a regular firewall.) Since we're only dealing with these three servers (web, email and FTP), we're only concerned with ports 80, 25, 20/21 and 110. However, Windows ephemeral ports 49151-65535 have to be considered as well. Here's what I have so far:
Code:

!Access List #1
!Applied to e0/0
!
Router(config)# access-list 1 permit tcp any eq 80
Router(config)# access-list 1 permit tcp any eq 25
Router(config)# access-list 1 permit tcp any eq 110
Router(config)# access-list 1 permit tcp any eq 20
Router(config)# access-list 1 permit tcp any eq 21
Router(config)# access-list 1 permit tcp any range 49151-65535
Router(config)# access-list 1 deny ip any any
!
!
!end

!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 permit tcp any eq 80
Router(config)# access-list 2 permit tcp any eq 25
Router(config)# access-list 2 deny tcp any eq 110
Router(config)# access-list 2 permit tcp any eq 20
Router(config)# access-list 2 permit tcp any eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end

Am I on the right track here? I don't want to be missing something huge.


__________________ i7 3930K ~ Asus P9X79 Pro DD D5 with EK X-top Rev. 2, Heatkiller CU 3.0 Nickel, BIX Quad Radiator Triple 7970's with EK FC-7970 CSQ nickel/acetal blocks & FC-link ~ 4 x 8GB Corsair Dominator GT DDR3-1866 Dual Corsair Force 120GB in Raid 0 ~ Lite-On BluRay Reader ~ Corsair AX1200 Power Supply ~ Silverstone TJ07

#2 05-08-2008, 08:17 AM

Fint [H]ard|Gawd, 9.2 Years

Your syntax is wrong for an ACL.

RTI-VB(config)#access-list 2 permit tcp any eq 80
Translating "tcp"
                                    ^
% Invalid input detected at '^' marker.

RTI-VB(config)#access-list 2 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

There is usually no point in blocking at both interfaces.


#3 05-08-2008, 01:02 PM

blk95civicex Limp Gawd, 10.6 Years

I could be wrong, but I think you might want to specify internal hosts and their ports. It looks to me like all of those ports are open to any of the servers. Something like below maybe??

**********
!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 deny tcp any any eq 110
Router(config)# access-list 2 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 2 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end
**********

Also, deny entries go before permits. I am definitely not an ACL expert however. Hope I have helped, but no guarantees.

#4 05-08-2008, 01:43 PM

Impulse25 n00bie, 7.6 Years

If you want to block explicit ports you have to use an extended access list, which are numbered 100-199, i.e.:

access-list 100 permit tcp any any eq 80

permits all http traffic from any host to any host. Access lists 1-99 are standard access lists and allow/deny traffic based on a source host or network only, i.e.:

access-list 1 permit 1.1.1.1 0.0.0.0

permits all traffic from the host 1.1.1.1.

#5 05-08-2008, 01:59 PM

blk95civicex Limp Gawd, 10.6 Years

Ah yes, I forgot to change the access-list name in my example.

#6 05-08-2008, 02:05 PM

t_ski [H]ardness Supreme, 7.2 Years

Quote:

Originally Posted by Fint
There is usually no point in blocking at both interfaces.

I forgot to mention that these were being applied to the "in" side of each of the ports. Port e0/0 was traffic from the internet through the router to the DMZ/LAN. Port e0/1 was traffic from the DMZ/LAN through the router to the internet. I think I need a statement to apply the access-group as well. Something like:
Code:

(Config)# int e0/0
Router(config-if)# ip access-group 100 in
(Config)# int e0/1
Router(config-if)# ip access-group 101 in

Quote:

Originally Posted by blk95civicex
I could be wrong, but I think you might want to specify internal hosts and their ports. It looks to me like all of those ports are open to any of the servers. Something like below maybe??

**********
!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 deny tcp any any eq 110
Router(config)# access-list 2 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 2 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end
**********

Also, deny entries go before permits. I am definitely not an ACL expert however. Hope I have helped, but no guarantees.

Yes, that makes sense. That just gets applied to the e0/1 interface, or on both sides?

Quote:

Originally Posted by Impulse25
If you want to block explicit ports you have to use an extended access list, which are numbered 100-199, i.e.:

access-list 100 permit tcp any any eq 80

permits all http traffic from any host to any host. Access lists 1-99 are standard access lists and allow/deny traffic based on a source host or network only, i.e.:

access-list 1 permit 1.1.1.1 0.0.0.0

permits all traffic from the host 1.1.1.1.

OK, that clears up the info I was reading. I didn't understand the difference between standard and extended access lists. So how about this for the new text:
Code:

!Access List #100
!Applied to e0/0 coming in from the internet
!
Router(config)# access-list 100 permit tcp any eq 80
Router(config)# access-list 100 permit tcp any eq 25
Router(config)# access-list 100 permit tcp any eq 110
Router(config)# access-list 100 permit tcp any eq 20
Router(config)# access-list 100 permit tcp any eq 21
Router(config)# access-list 100 permit tcp any range 49151-65535
Router(config)# access-list 100 deny ip any any
!
!
!end

!Access List #101
!Applied to e0/1 going out of the DMZ
!
Router(config)# access-list 101 deny tcp any eq 110
Router(config)# access-list 101 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 101 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 101 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 101 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 101 permit tcp any range 49151-65535
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 deny ip any any
!
!
!end

I know I'm supposed to deny a local ip address from accessing the network from the internet. Should I add the following to ACL #100:
Code:

Router(config)# access-list 100 deny host 10.20.0.0 255.255.255.0 any


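Added example, not from the thread or any poster: a small Python model of how IOS walks a numbered ACL (first matching entry wins, implicit deny at the end), run against the extended list 101 discussed above and against a standard list to show why the latter cannot express a port. The server addresses follow blk95civicex's example (10.20.1.1 web, .2 mail, .3 FTP); the source addresses and flows are constructed, and the hypothetical `Entry` fields are this model's own, not IOS syntax.

```python
# First-match model of Cisco numbered ACL evaluation (added example, not IOS itself).
# Server addresses follow the thread's example; source addresses below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, List

@dataclass(frozen=True)
class Entry:
    action: str                               # "permit" or "deny"
    proto: str                                # "ip" matches any protocol
    src: str                                  # "any", "host A.B.C.D" or CIDR
    dst: str = "any"                          # standard lists never set this
    dport: Optional[Tuple[int, int]] = None   # inclusive range; None = any port

def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(ip) == ip_address(spec.split()[1])
    return ip_address(ip) in ip_network(spec, strict=False)

def _entry_match(e: Entry, proto: str, src: str, dst: str, dport: int) -> bool:
    if e.proto != "ip" and e.proto != proto:
        return False
    if not (_addr_match(e.src, src) and _addr_match(e.dst, dst)):
        return False
    return e.dport is None or e.dport[0] <= dport <= e.dport[1]

def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching entry; IOS appends an implicit 'deny ip any any'."""
    for e in acl:
        if _entry_match(e, proto, src, dst, dport):
            return e.action
    return "deny"

# Extended list 101 from the thread, written with the full extended form
# (protocol, source, destination, port) that Impulse25's example uses.
ACL_101 = [
    Entry("deny",   "tcp",  "any", "any", (110, 110)),       # explicit deny placed first
    Entry("permit", "tcp",  "any", "host 10.20.1.1", (80, 80)),
    Entry("permit", "tcp",  "any", "host 10.20.1.2", (25, 25)),
    Entry("permit", "tcp",  "any", "host 10.20.1.3", (20, 21)),
    Entry("permit", "tcp",  "any", "any", (49151, 65535)),
    Entry("permit", "icmp", "any", "any"),
]

# Standard list: source address only, so every port to every destination is permitted
# for a matching source and nothing can be said about ports at all.
ACL_1 = [Entry("permit", "ip", "198.51.100.0/24")]
```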
