04-04-2008 12:51 PM - edited 03-11-2019 05:27 AM
I want to apply an access list on a port to allow a single IP to access internal computers on specific ports.
Internal Host IP: 192.168.1.52
External Host attached to specific Router port: 173.0.0.1
Permitted Ports: 10111
Let me know how to achieve this.
04-04-2008 01:00 PM
access-list inbound extended permit tcp host 173.0.0.1 host 192.168.1.52 eq 10111
access-list inbound extended permit udp host 173.0.0.1 host 192.168.1.52 eq 10111
This is to apply the access control on the specific interface:
access-group inbound in interface outside
"Inbound" is the ACL you're working on for inbound traffic. Interface "outside" is the actual interface name assigned for the outside.
04-05-2008 03:19 PM
Thanks Chickman
But what if I want to allow a list of ports? Do I have to make separate access lists, and what is the command to allow that access list on port 37?
04-05-2008 05:04 PM
Very easy solution: create an "object-group service". It will look something like this (Sample is whatever you want to name it, really):
object-group service Sample tcp-udp
 description Whatever you want
 port-object eq 37
 port-object eq 10111
 port-object eq <whatever other port you want>
The access list will look something like this:
access-list inbound remark Whatever this is for
access-list inbound extended permit tcp host 173.0.0.1 host 192.168.1.52 object-group Sample
access-list inbound extended permit udp host 173.0.0.1 host 192.168.1.52 object-group Sample
Also, I would suggest adding a remark statement. This would allow you to add a description to the ACL as well. You can place the remarks pretty much anywhere in your access-list.
I hope this is more along the lines of what you were looking for.
04-06-2008 04:24 AM
OK, thanks. So the config will be like this:
object-group service XYZ tcp-udp
 description XYZ Ports
 port-object eq 10111
 port-object eq 10112
 port-object eq 10113
 port-object eq 10311
 port-object eq 10313
access-list inbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 object-group XYZ
access-list inbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.14 object-group XYZ
access-list outbound extended deny tcp any any object-group XYZ
access-list outbound extended permit ip any any
object-group service WEB tcp-udp
 description WEB
 port-object eq 443
access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.21 object-group WEB
access-list outbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.21 object-group WEB
access-list outbound extended deny tcp any any object-group WEB
access-list outbound extended permit ip any any
object-group service Test tcp-udp
 description TEST Server Ports
 port-object eq 12700
access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.22 object-group Test
access-list outbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.22 object-group Test
access-list outbound extended deny tcp any any object-group Test
access-list outbound extended permit ip any any
Now let me know two things: are these configs going to work on a Cisco 3550, and how can I apply all of these on a single physical port?
Thanks for your help
04-06-2008 08:09 PM
OK, I would suggest object-group nesting for something like this, if you essentially need to separate these ports, that is. It should look something like this:
object-group service OUTSIDENAME tcp-udp
 description OUTSIDE_ACCESS_IN
 group-object XYZ
 group-object WEB
 group-object Test
This way you'll only require 4 lines in your ACL as opposed to 12.
access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.22 object-group OUTSIDENAME
access-list outbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.22 object-group OUTSIDENAME
access-list outbound extended deny tcp any any object-group OUTSIDENAME
access-list outbound extended permit ip any any
The documentation for this can be found here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
I've not configured a 3550 for this myself, but I know it does do layer 3 routing. As such, it is capable of doing ACLs and other features. It will be pretty limited, though.
You'll first need to create your ACL in the same fashion you would on a firewall.
Example:
Switch(config)# ip access-list extended outbound
Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet
Switch(config-ext-nacl)# deny tcp any any
Switch(config-ext-nacl)# permit icmp any any
Switch(config-ext-nacl)# deny udp any 171.69.0.0 0.0.255.255 lt 1024
Switch(config-ext-nacl)# deny ip any any log
(Logging this is totally up to you.)
Switch(config-ext-nacl)# exit
Now you'll need to apply it to the interface you are wanting to restrict access from. Remember, this interface will require an IP address.
Sample:
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# ip access-group outbound in
You can find more on this at the following: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swacl.html#
I hope this helped a little.
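Added worked example for the two replies above (the object-group/nesting answer and the 3550 ACL answer); it is not code from the thread or from Cisco. It turns the port lists posted in this thread into the ASA object-group and ACE syntax (port-object members, tcp-udp groups so one group serves both the tcp and the udp ACE, group-object nesting, and object-group NAME with no "service" keyword inside the ACE) and into the expanded per-port ACL a Catalyst 3550 needs, since IOS 12.1 has no object-groups. Group names XYZ, WEB, Test and OUTSIDENAME, the client 173.0.0.1 and the port numbers come from the posts; the ACL name outside_in, the interface FastEthernet0/37 and the use of 192.168.1.52 in place of the redacted xxx.xxx.xxx.14 are assumptions.

```python
"""Emit the thread's port lists as ASA object-groups/ACEs and as a 3550 ACL.

Added example for this thread; not code from the posters or from Cisco.
Assumptions: ACL name outside_in, interface FastEthernet0/37, and
192.168.1.52 standing in for the redacted xxx.xxx.xxx.14.
"""
from typing import Iterable, List, Tuple


def collapse_ports(ports: Iterable[int]) -> List[Tuple[int, int]]:
    """Sort, dedupe and merge consecutive ports into (low, high) runs:
    [10113, 10111, 10112, 10311] -> [(10111, 10113), (10311, 10311)]."""
    runs: List[Tuple[int, int]] = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def asa_service_group(name: str, ports: Iterable[int], description: str) -> List[str]:
    """ASA 7.x/8.0 service group. 'tcp-udp' lets one group serve both the tcp
    and the udp ACE; the member keyword is port-object, not object-port."""
    lines = [f"object-group service {name} tcp-udp", f" description {description}"]
    for lo, hi in collapse_ports(ports):
        lines.append(f" port-object eq {lo}" if lo == hi
                     else f" port-object range {lo} {hi}")
    return lines


def asa_nested_group(name: str, members: Iterable[str], description: str) -> List[str]:
    """Nest existing groups with group-object (members must be tcp-udp too)."""
    lines = [f"object-group service {name} tcp-udp", f" description {description}"]
    lines.extend(f" group-object {m}" for m in members)
    return lines


def asa_aces(acl: str, src: str, dst: str, group: str, remark: str) -> List[str]:
    """A remark plus one tcp and one udp ACE. Inside an ACE the group is
    referenced as 'object-group NAME' (no 'service' keyword)."""
    return [
        f"access-list {acl} remark {remark}",
        f"access-list {acl} extended permit tcp host {src} host {dst} object-group {group}",
        f"access-list {acl} extended permit udp host {src} host {dst} object-group {group}",
    ]


def ios_acl(acl: str, src: str, dst: str, ports: Iterable[int], intf: str) -> List[str]:
    """Catalyst 3550 / IOS 12.1 has no object-groups, so every port run becomes
    its own ACE per protocol. No 'deny ip any any' is emitted: IOS ACLs end in
    an implicit deny. The ACL is applied inbound, the only direction a 3550
    port ACL supports."""
    lines = [f"ip access-list extended {acl}"]
    for proto in ("tcp", "udp"):
        for lo, hi in collapse_ports(ports):
            match = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f" permit {proto} host {src} host {dst} {match}")
    lines += [f"interface {intf}", f" ip access-group {acl} in"]
    return lines


GROUPS = {  # port lists as posted in the thread
    "XYZ": [10111, 10112, 10113, 10311, 10313],
    "WEB": [443],
    "Test": [12700],
}

if __name__ == "__main__":
    out: List[str] = []
    for name, ports in GROUPS.items():
        out += asa_service_group(name, ports, f"{name} ports")
    out += asa_nested_group("OUTSIDENAME", GROUPS, "OUTSIDE_ACCESS_IN")
    out += asa_aces("outside_in", "173.0.0.1", "192.168.1.52", "OUTSIDENAME", "client to server")
    out.append("access-group outside_in in interface outside")
    out.append("! --- Catalyst 3550 equivalent ---")
    all_ports = [p for ps in GROUPS.values() for p in ps]
    out += ios_acl("outside_in", "173.0.0.1", "192.168.1.52", all_ports, "FastEthernet0/37")
    print("\n".join(out))
```

Running it prints the ASA block followed by the 3550 block; the consecutive ports 10111-10113 collapse into a single `range` entry in both dialects, which is also what the numbered ACL later in the thread does by hand.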
04-06-2008 08:26 PM
Just a quick question: is this traffic inbound or outbound to the outside interface?
The reason I ask is because I'm reviewing your comments and I see you've put "outbound" on the ACLs. Just make sure you remember what interface and what direction you're placing the ACL on, for effectiveness.
04-07-2008 10:26 AM
Let me know about the following configs (173.0.0.1 is the client IP):
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 range 10111 10113
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 10311
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 10313
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 443
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 12700
access-list 100 deny ip any any
interface FastEthernet0/37
 ip access-group 100 in
04-07-2008 11:58 AM
The config for the switch looks good. I would drop off the "deny ip any any" as I believe it's implicit.
All in all it looks good!
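Added example, not code from the thread or from Cisco: a first-match evaluator for the numbered ACL 100 posted above (with the range typo corrected to 10111-10113 and 192.168.1.52 standing in for the redacted xxx.xxx.xxx.14), run against constructed sample packets. It checks the accepted answer's point that the trailing "deny ip any any" changes nothing, because an IOS ACL already ends in an implicit deny, and it surfaces one thing worth noticing in the posted ACL: it has tcp entries only, so the UDP 10111 traffic the first post asked for is dropped. Only the subset of IOS ACL syntax that ACL uses (host/any, eq/range, ip/tcp/udp) is parsed.

```python
"""First-match evaluation of the Catalyst 3550 numbered ACL from the thread.

Added example, not from the posters or from Cisco. ACL_100 is the poster's
ACL with the range typo fixed; 192.168.1.52 is assumed in place of the
redacted xxx.xxx.xxx.14. The sample packets below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_100 = """
access-list 100 permit tcp host 173.0.0.1 host 192.168.1.52 range 10111 10113
access-list 100 permit tcp host 173.0.0.1 host 192.168.1.52 eq 10311
access-list 100 permit tcp host 173.0.0.1 host 192.168.1.52 eq 10313
access-list 100 permit tcp host 173.0.0.1 host 192.168.1.52 eq 443
access-list 100 permit tcp host 173.0.0.1 host 192.168.1.52 eq 12700
"""
# Same ACL with the explicit catch-all the accepted answer says is redundant.
ACL_100_EXPLICIT = ACL_100 + "access-list 100 deny ip any any\n"

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permit|deny) (?P<proto>ip|tcp|udp) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)"
    r"(?: (?P<match>eq \d+|range \d+ \d+))?$"
)


@dataclass
class Ace:
    action: str
    proto: str                         # ip, tcp or udp
    src: Optional[str]                 # None means any
    dst: Optional[str]                 # None means any
    ports: Optional[Tuple[int, int]]   # destination port range; None = any port


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered extended ACEs in the order written (order matters)."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        ports = None
        if m["match"]:
            nums = [int(x) for x in m["match"].split()[1:]]
            ports = (nums[0], nums[-1])
        aces.append(Ace(m["action"], m["proto"],
                        None if m["src"] == "any" else m["src"].split()[1],
                        None if m["dst"] == "any" else m["dst"].split()[1],
                        ports))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, int]:
    """IOS first-match semantics: return (action, index of the matching ACE).
    A packet that matches nothing hits the implicit deny, reported as index -1."""
    for i, a in enumerate(aces):
        if a.proto != "ip" and a.proto != proto:
            continue
        if a.src is not None and a.src != src:
            continue
        if a.dst is not None and a.dst != dst:
            continue
        if a.ports is not None and not (a.ports[0] <= dport <= a.ports[1]):
            continue
        return a.action, i
    return "deny", -1


if __name__ == "__main__":
    packets = [  # constructed samples: (proto, src, dst, dport)
        ("tcp", "173.0.0.1", "192.168.1.52", 10112),    # inside the range
        ("udp", "173.0.0.1", "192.168.1.52", 10111),    # no udp ACE at all
        ("tcp", "198.51.100.7", "192.168.1.52", 443),   # wrong client
        ("tcp", "173.0.0.1", "192.168.1.52", 10312),    # gap between 10311/10313
    ]
    for name, text in (("implicit deny", ACL_100), ("explicit deny", ACL_100_EXPLICIT)):
        aces = parse_acl(text)
        for pkt in packets:
            print(name, pkt, "->", evaluate(aces, *pkt))
```

Every packet gets the same verdict with or without the explicit last line; the only difference is which ACE is credited with the deny. The practical reason to keep the explicit `deny ip any any` anyway is that the `log` keyword and the per-ACE hit counters in `show access-lists` attach to a real ACE, not to the implicit one.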