ACL Help!

Unanswered Question
Feb 23rd, 2007

Dear All!

I have Cisco 2821 installed in my company. In this box

interface Serial0

ip address xxx.xxx.125.142 255.255.255.252

and the ISP has allotted us an 8-IP pool for our server usage, that is xxx.xxx.125.144 255.255.255.248.

I want to implement an ACL on Serial 0 with

ip access-group 115 in, and I want only the required IP pool's traffic to go out from the serial interface, and in the last line I don't want to write the line ip permit any any. I want to implicitly deny all other traffic with this line: access-list 115 deny ip any any.

I hope you understand what I actually want to implement in this ACL.

Waiting for your favourable reply.


I don't understand your question ...

You want an outbound ACL for xxx.xxx.125.144 255.255.255.248 ?

So:

- What are the IPs that are allowed to talk to the inside?

- What are the IPs that are allowed to talk to the outside?

The ACL needs to be implemented on S0

The ACL name has to be 115

#########################################

#If you find this post useful

#please don't forget to rate this

#########################################

#Iwan Hoogendoorn

#CCIE#13084

#########################################

royalblues Fri, 02/23/2007 - 00:53

Friend,

You can use the following access-list

access-list 115 permit ip x.x.125.144 0.0.0.7 any

interface serial 0

ip access-group 115 out

This will allow traffic only from the subnet mentioned out of the interface. All other traffic will be implicitly denied.

HTH, rate if it does

Narayan

Anonymous (not verified) Fri, 02/23/2007 - 01:44

Dear Iwan!

As I said, we have a public IP pool:

You want an outbound ACL for xxx.xxx.125.144 255.255.255.248

I want these servers, which use the above IP pool, to go out from Serial 0 and be able to get any service, e.g. use the internet and make a VPN to the head office, with an ACL line like this, which will make it all clear:

access-list 115 permit ip xxx.xxx.125.144 0.0.0.7 any

This host will be able to ping any outside machine.

access-list 115 permit icmp host xxx.xxx.125.148 any echo

access-list 115 permit icmp host xxx.xxx.125.148 any echo-reply

Only one machine/host in the branch office can ping my Serial 0 IP address:

access-list 115 permit icmp host xxx.xxx.12.80 host xxx.xxx.125.142 echo

access-list 115 permit icmp host xxx.xxx.12.80 host xxx.xxx.125.142 echo-reply

access-list 115 deny ip 127.0.0.0 0.255.255.255 any

access-list 115 deny tcp any any eq 135

access-list 115 deny udp any any eq 135

access-list 115 deny tcp any any eq 137

access-list 115 deny tcp any any eq 138

access-list 115 deny tcp any any eq 139

access-list 115 deny tcp any any eq 445

access-list 115 deny tcp any any eq 593

access-list 115 deny udp any any eq 1434

access-list 115 deny tcp any any eq 4444

access-list 115 deny udp any any eq netbios-ns

access-list 115 deny udp any any eq netbios-dgm

access-list 115 deny udp any any eq netbios-ss

access-list 115 deny tcp any any eq telnet

access-list 115 deny udp any any eq tftp

access-list 115 deny icmp any any

access-list 115 deny ip any any

interface Serial0

ip access-group 115 in

If you want any additional information, you can ask.
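As an added example, not code from this thread: a small Python first-match evaluator for extended access-list lines of the kind shown in the two posts above (the one-line list from royalblues and the longer list in the reply). It shows how wildcard masks, `host`/`any`, `eq PORT` and ICMP type keywords are matched line by line, and that a packet matching no line falls into the implicit deny. The addresses are constructed RFC 5737 stand-ins for the masked xxx.xxx values, the list is cut down to a few representative lines, and the function names (`parse_rule`, `evaluate`, `pkt`) are this example's own.

```python
# Added example: first-match evaluator for IOS extended ACL lines; addresses are constructed RFC 5737 stand-ins.
PORT_NAMES = {"telnet": 23, "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

def ip2int(dotted):
    return int.from_bytes(bytes(int(x) for x in dotted.split(".")), "big")

def parse_addr(tok, i):
    """One address spec: 'any' | 'host A' | 'A WILDCARD'. Returns ((addr, wild), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip2int(tok[i + 1]), 0), i + 2
    return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2

def parse_rule(line):
    """'access-list N permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' -> rule dict."""
    tok = line.split()
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    rest = tok[i:]
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    itype = rest[0] if rest and tok[3] == "icmp" else None
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "port": port, "icmp_type": itype}

def addr_matches(spec, addr):
    net, wild = spec
    return (ip2int(addr) ^ net) & ~wild == 0  # a set wildcard bit means "don't care"

def rule_matches(r, p):
    return (r["proto"] in ("ip", p["proto"])
            and addr_matches(r["src"], p["src"]) and addr_matches(r["dst"], p["dst"])
            and r["port"] in (None, p["dport"]) and r["icmp_type"] in (None, p["icmp_type"]))

def evaluate(rules, p):
    for idx, r in enumerate(rules):  # first matching line decides
        if rule_matches(r, p):
            return r["action"], idx
    return "deny", None  # no line matched: the implicit deny at the end of every ACL

ACL_115 = [parse_rule(l) for l in """
access-list 115 permit ip 198.51.100.144 0.0.0.7 any
access-list 115 permit icmp host 203.0.113.80 host 198.51.100.142 echo
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny icmp any any
access-list 115 deny ip any any
""".split("\n") if l.strip()]

def pkt(proto, src, dst, dport=None, icmp_type=None):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "icmp_type": icmp_type}
```

Evaluating `ACL_115[:-1]` (the list without the explicit final deny) against an unmatched packet returns `("deny", None)`, which is the implicit deny royalblues refers to; the explicit `deny ip any any` only makes that line visible in the hit counters.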
