tomkb
Premium
join:2000-11-15
Tampa, FL
kudos:5
Reviews:
·Verizon FiOS
reply to tomkb

Re: Router ACL question

router2#sh run
Building configuration...

Current configuration : 3104 bytes
!
! Last configuration change at 14:20:38 est Tue Jan 26 2010 by cisco
! NVRAM config last updated at 14:20:39 est Tue Jan 26 2010 by cisco
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname router2
!
boot-start-marker
boot-end-marker
!
logging buffered 15000 debugging
enable secret 5
!
no aaa new-model
clock timezone est -5
clock summer-time edt recurring
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool pool1
network 192.168.1.0 255.255.255.0
domain-name avulant.com
dns-server 65.24.0.168 65.24.0.169
default-router 192.168.1.1
option 66 ascii "27.166.204.3"
lease 3
!
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
no ip bootp server
no ip domain lookup
ip domain name avulant.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco password 7
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voice-policy
match ip dscp ef
match ip precedence 5
match ip rtp 10000 10000
match access-group 105
!
!
policy-map voice-policy
class voice-policy
priority percent 33
class class-default
fair-queue
!
!
!
!
!
!
interface FastEthernet0/0
description outside interface
ip address 74.21.119.211 255.255.255.240
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description inside interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
service-policy output voice-policy
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 74.21.119.209
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 74.21.119.222 9991
!
no ip http server
no ip http secure-server
ip nat pool pool1 74.21.119.213 74.21.119.213 netmask 255.255.255.240
ip nat inside source list 1 pool pool1 overload
ip nat inside source static 192.168.1.45 74.21.119.220 extendable
ip nat inside source static 192.168.1.50 74.21.119.222 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit tcp any host 74.21.119.222 eq smtp
access-list 101 permit udp any host 74.21.119.220 eq 3389
access-list 101 permit ip any any
access-list 105 permit udp any any eq 4569
access-list 105 permit udp any any eq 5060
access-list 105 permit tcp any any eq 5060
access-list 105 permit ip any any tos min-delay
snmp-server community public RO
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
password 7
login
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179939
ntp master
ntp server 64.73.32.134
end

router2#



Angralitux

join:2004-05-20
DO

Like someone else said, if you're going to use an ACL on the outside interface, you have to enable the CBAC FW. Usually on this ACL you just put the services you want enabled; every other kind of traffic that didn't originate inside will be blocked.
--
All Is possible...



Angralitux

join:2004-05-20
DO

2 edits
reply to tomkb

if you add the following lines to your config:

ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
.
.
interface FastEthernet0/0
ip inspect myfw out
 

you may remove the
access-list 101 permit ip any any
 
**Edited to improve formatting**


carp
Rejected

join:2002-10-30

said by Angralitux:

if you add the following lines to your config:

ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
.
.
interface FastEthernet0/0
ip inspect myfw out
you may remove the
access-list 101 permit ip any any
Won't that kill all internet access?


Angralitux

join:2004-05-20
DO

1 edit

why would I want to do that?

Also, note these lines:

access-list 101 permit tcp any host 74.21.119.222 eq smtp
access-list 101 permit udp any host 74.21.119.220 eq 3389
 

OP, if you want to allow these services to a particular ip, you'll have to modify them. What I mean is:

1. To allow IPs 74.21.119.222 & 74.21.119.220 to access smtp & RDP respectively, you would do:
access-list 101 permit tcp host 74.21.119.222 any eq smtp
access-list 101 permit udp host 74.21.119.220 any eq 3389
 

2. To allow smtp & RDP to be accessed from outside you would do:
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq 3389
 
or you can replace the last any with the ip of the server you want to get to.


tomkb
Premium
join:2000-11-15
Tampa, FL
kudos:5
Reviews:
·Verizon FiOS

said by Angralitux:

why would I want to do that?

Also, note these lines:

access-list 101 permit tcp any host 74.21.119.222 eq smtp
access-list 101 permit udp any host 74.21.119.220 eq 3389
 

OP, if you want to allow these services to a particular ip, you'll have to modify them. What I mean is:

1. To allow IPs 74.21.119.222 & 74.21.119.220 to access smtp & RDP respectively, you would do:
access-list 101 permit tcp host 74.21.119.222 any eq smtp
access-list 101 permit udp host 74.21.119.220 any eq 3389
 

2. To allow smtp & RDP to be accessed from outside you would do:
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq 3389
 
or you can replace the last any with the ip of the server you want to get to.
Angralitux, I simply want to allow internet traffic inbound to those 2 servers only. Wouldn't they be ok as written?
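To settle the direction question and carp's "kill all internet access" worry, here is an added example (not from the thread or from Cisco) that evaluates access-list 101 the way IOS does: top-down, first match wins, implicit deny at the end, checked against the public addresses because an inbound ACL on the outside interface is applied before NAT. It assumes the ACL text exactly as posted above, constructed sample packets with TEST-NET source addresses, and a plain set standing in for the dynamic entries that CBAC (`ip inspect myfw out`) would create for sessions it saw leaving.

```python
import ipaddress

# access-list 101 as posted in the thread, copied verbatim.
ACL_101 = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit tcp any host 74.21.119.222 eq smtp
access-list 101 permit udp any host 74.21.119.220 eq 3389
access-list 101 permit ip any any"""
NAMED_PORTS = {"smtp": 25, "www": 80, "domain": 53}  # IOS port keywords used here

def _addr(tok):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.ip_address(tok.pop(0))), 0
    return int(ipaddress.ip_address(t)), int(ipaddress.ip_address(tok.pop(0)))

def parse_acl(text):
    """-> list of (action, proto, (net, wildcard), (net, wildcard), dport or None)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]                  # drop 'access-list 101'
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)       # source first, then destination
        # 'eq' after the destination is a destination-port match
        port = (NAMED_PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(ip, spec):
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    net, wild = spec
    return (int(ipaddress.ip_address(ip)) | wild) == (net | wild)

def evaluate(rules, proto, src, dst, sport, dport):
    """Return (index of the matching line, action); (None, 'deny') is the implicit deny."""
    for i, (action, p, s, d, port) in enumerate(rules):
        if p in ("ip", proto) and _match(src, s) and _match(dst, d) \
                and (port is None or port == dport):
            return i, action
    return None, "deny"

def outside_in(rules, pkt, inspected=frozenset()):
    """Inbound decision on Fa0/0. `inspected` is a stand-in for CBAC state: each
    (proto, local_public_ip, remote_ip, remote_port) seen leaving gets a dynamic
    entry, so its replies are allowed even without the trailing 'permit ip any any'."""
    proto, src, dst, sport, dport = pkt
    if (proto, dst, src, sport) in inspected:   # reply to an inspected outbound session
        return True
    return evaluate(rules, *pkt)[1] == "permit"
```

Inbound SMTP to 74.21.119.222 matches the fourth line as written (source any, destination the server), so the OP's lines are in the right direction; the 3389 line is UDP, however, so a TCP RDP connection only gets in through the final `permit ip any any`, and once that line is dropped in favour of CBAC it would need a `permit tcp` entry of its own.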