kracksmith
join:2004-07-14 Fullerton, CA
access list permit question
Hey guys, I've done this before and I should know this, but I just can't remember.
I'm creating an inbound access list to deny a bunch of things.
I do want to allow certain ports to any host in the LAN.
I type this command: access-list 101 permit tcp any host eq 21 !ftp
and on 12.4 it's saying it can't recognize "eq". Doesn't 12.4 know what "equal" means, or is there another word for this?
This is what I'm denying:
access-list 101 deny 53 any any log-input
access-list 101 deny 55 any any log-input
access-list 101 deny 77 any any log-input
access-list 101 deny pim any any log-input
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 101 deny ip host 255.255.255.255 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
This is what I want to allow.
access-list 101 permit tcp any host eq 21 !ftp
access-list 101 permit tcp any host eq 20 !ftp-data
access-list 101 permit ip any any
ip access-group 101 in (I'll apply this in the interface)
What is the correct command to allow certain ports to a certain host?
elnino
join:2006-08-27 Akron, OH
said by kracksmith:
access-list 101 permit tcp any host eq 21 !ftp
access-list 101 permit tcp any host eq 20 !ftp-data
access-list 101 permit ip any any
You'll probably kick yourself, it's so easy.....
access-list 101 permit tcp any host DESTINATION_IP_NEEDED_HERE eq 21 !ftp
access-list 101 permit tcp any host DESTINATION_IP_NEEDED_HERE eq 20 !ftp-data
You specified the source address (any) but no destination IP address.
Edit: Forgot to mention, if your ASA has a dynamic IP, you'll want to change "host" to "any".
kracksmith
join:2004-07-14 Fullerton, CA
Geez, it's really been a long time. I'm just trying to bring it up from memory. Are the equal signs below correct?
ip access-group 101 in = outbound policy
ip access-group 101 out = inbound policy
rolande
join:2002-05-24 Powell, OH
It depends on the interface you configure that on. If you configure those rules on the "inside" interface then yes. If you configure them on what would be considered the "outside" interface then no.
 kracksmith
join:2004-07-14 Fullerton, CA
This is getting confusing now. I wonder why it matters which interface it is that changes the rules. I'm planning to use this on the inside interface though, so my statement above is true.
If it's the outside interface, what makes it change the rules? I always thought a rule is a rule and we have to stand by one set of rules.
So if I have a router routing 4 different LAN private subnets, how can I tell which one is the inside interface and which one is the outside interface?
Also, how do you define an outside interface? An interface facing the ISP running a public IP?
rolande
join:2002-05-24 Powell, OH
You have 2 different ACLs with 2 different policies for inbound or outbound traffic. The direction that the ACL is applied to an interface makes all the difference in the world. If you apply what you would consider to be the outbound policy "in" on the outside interface it wouldn't do you any good. In fact, it would kill your connection.
 kracksmith
join:2004-07-14 Fullerton, CA
You know what, that is exactly what happened today. I had to reboot the router to get back into my config.
I still don't understand how you define the outside and inside interface.
I have a router behind a firewall going into 4 subnets. How can I tell which is the outside interface or inside interface?
Or is an outside interface defined as the interface facing the ISP with a public IP?
rolande
join:2002-05-24 Powell, OH
It is what you "want" it to be. Pick. Generally speaking, a logically minded person would choose the outside interface to be the one that is connected towards the Internet Service Provider side and vice-versa. So your inbound ACL policy would be applied "in" on the outside interface.
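Putting elnino's destination-host fix and rolande's direction answer together, here is an added example configuration (not posted by anyone in the thread). The LAN FTP server 192.0.2.10, the outside address 203.0.113.2 and the interface names are assumed placeholders; the bogon denies are the thread's own.

```cisco
! Assumed: 192.0.2.10 = LAN FTP server, FastEthernet0/0 = ISP-facing ("outside")
! interface, FastEthernet0/1 = LAN-facing ("inside") interface.
!
! An extended ACL entry is: protocol, source, [src port], destination, [dst port].
! "eq" was rejected because "host" was followed by "eq" instead of an address.
access-list 101 remark --- spoofed / reserved source filtering (from the thread) ---
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 remark --- FTP to one LAN host only ---
access-list 101 permit tcp any host 192.0.2.10 eq 21
access-list 101 permit tcp any host 192.0.2.10 eq 20
access-list 101 remark NOTE: a trailing "permit ip any any" would make the two
access-list 101 remark permits above pointless; close with an explicit logged deny
access-list 101 deny ip any any log-input
!
! Direction is relative to the router: "in" filters packets ARRIVING on that
! interface. Internet-to-LAN packets arrive on the outside interface, so the
! inbound policy is applied "in" there. The same ACL applied "in" on the inside
! interface would filter the LAN's outgoing packets instead (the lockout above).
interface FastEthernet0/0
 description Outside (ISP)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
!
interface FastEthernet0/1
 description Inside (LAN)
 ip address 192.0.2.1 255.255.255.0
!
! Verify: "show ip access-lists 101" shows per-entry hit counts (the log-input
! lines also report the ingress interface and source MAC in syslog), and
! "show ip interface FastEthernet0/0" shows which ACL is applied in which direction.
```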
jester121
join:2003-08-09 Lake Zurich, IL
Absolutely one of the most confusing things in the Cisco world, other than jumping from IOS to PIX and having to re-tilt my brain.
Cisco's docs (and tests too, I'd imagine) usually don't use nice RFC1918 addresses and break things down nice and easy like "LAN" and "internet". They're always off with weird IP address schemes that don't look like anything most people have ever seen. Of course the concepts are the same, but it doesn't help when you're trying to quickly skim an example to see what it does.