04-06-2008 04:42 AM
I want to apply the following configuration on a Cisco 3550 Fast Ethernet 0/35 interface to allow particular ports to my client connected through the interface.
Client IP: 173.0.0.1
My servers' IPs: xxx.xxx.xxx.14, .21 and .22
object-group service XYZ tcp-udp
description XYZ Ports
port-object eq 10111
port-object eq 10112
port-object eq 10113
port-object eq 10311
port-object eq 10313
access-list inbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 object-group XYZ
access-list inbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.14 object-group XYZ
access-list outbound extended deny any any object-group XYZ
access-list outbound extended permit any any
object-group service WEB tcp-udp
description WEB
port-object eq 443
access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.21 object-group WEB
access-list outbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.21 object-group WEB
access-list outbound extended deny any any object-group WEB
access-list outbound extended permit any any
object-group service TEST tcp-udp
description TEST Server Ports
port-object eq 12700
access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.22 object-group TEST
access-list outbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.22 object-group TEST
access-list outbound extended deny any any object-group TEST
access-list outbound extended permit any any
Now let me know two things: are these configs going to work on a Cisco 3550, and how can I apply all of these on a single physical interface, or is there a better way to perform the specified task?
Thanks for your help.
04-06-2008 06:30 AM
Hi
First I should say that this kind of access-list is for ASA or PIX; I mean you can't use "object group" and "object port" in your 3550 switch.
So you need to change it to a form which your switch takes and runs.
Here is a way to apply it:
First enable ip routing:
switch# configure terminal
switch(config)# ip routing
Now change your access list to this; I'll write one for you as an example:
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 range 10111 10113
ok.
Then we need to apply the access list to an interface or VLAN; here is your second answer:
If you want to apply it to one interface, you should change the layer 2 behavior to layer 3; I mean you should do this:
Example :
interface fa0/10
no switchport
And then assign an IP address:
ip address x.x.x.x x.x.x.x
Here is the direction of your access list:
ip access-group 100 in (or out)
By this way you can only assign your access list to one port. Another way is to assign an IP address and access list to an SVI (a layer 3 VLAN) which contains one, two or more ports; I think the second way is better.
It's very easy, just do this:
interface vlan x
ip address x.x.x.x x.x.x.x
ip access-group 100 in (or out)
Good Luck and have a Good Configuration.
Please rate helpful messages
Regards, B.mozaffari
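As an added illustration of the conversion the reply above describes (not code from either poster), the script below takes the ASA/PIX-style service groups from the first post and emits the equivalent IOS numbered extended ACL lines that a 3550 accepts, collapsing consecutive ports into a single `range` and rejecting out-of-range port typos. The 192.0.2.x server addresses are constructed placeholders for the thread's xxx.xxx.xxx.14 / .21 / .22.

```python
from typing import Dict, List, Tuple

CLIENT = "173.0.0.1"                      # client IP from the first post
# Service groups as in the first post: group name -> member ports
SERVICE_GROUPS: Dict[str, List[int]] = {
    "XYZ": [10111, 10112, 10113, 10311, 10313],
    "WEB": [443],
    "TEST": [12700],
}
# (protocol, server, service group); 192.0.2.x are constructed placeholders
# standing in for the thread's xxx.xxx.xxx.14 / .21 / .22
RULES: List[Tuple[str, str, str]] = [
    ("tcp", "192.0.2.14", "XYZ"), ("udp", "192.0.2.14", "XYZ"),
    ("tcp", "192.0.2.21", "WEB"), ("udp", "192.0.2.21", "WEB"),
    ("tcp", "192.0.2.22", "TEST"), ("udp", "192.0.2.22", "TEST"),
]

def coalesce_ports(ports: List[int]) -> List[Tuple[int, int]]:
    """Collapse ports into (low, high) runs, so 10111-10113 becomes one 'range'."""
    runs: List[Tuple[int, int]] = []
    for p in sorted(set(ports)):
        if not 1 <= p <= 65535:
            raise ValueError(f"invalid TCP/UDP port {p}")  # e.g. a 101113 typo
        if runs and runs[-1][1] == p - 1:
            runs[-1] = (runs[-1][0], p)   # extend the current run
        else:
            runs.append((p, p))           # start a new run
    return runs

def port_clause(low: int, high: int) -> str:
    return f"eq {low}" if low == high else f"range {low} {high}"

def ios_acl(number: int, client: str, rules, groups) -> List[str]:
    """Emit numbered extended ACL lines; the final deny mirrors IOS's implicit deny."""
    lines: List[str] = []
    for proto, server, group in rules:
        for low, high in coalesce_ports(groups[group]):
            lines.append(f"access-list {number} permit {proto} host {client} "
                         f"host {server} {port_clause(low, high)}")
    lines.append(f"access-list {number} deny ip any any")
    return lines

if __name__ == "__main__":
    print("\n".join(ios_acl(100, CLIENT, RULES, SERVICE_GROUPS)))
```

The emitted lines are then applied with `ip access-group 100 in` on the routed port or SVI exactly as the reply shows.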
04-07-2008 10:25 AM
Do the following configs look fine?
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 range 10111 10113   (173.0.0.1 is the client IP)
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 10311
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 10313
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 443
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 12700
access-list 100 deny ip any any
interface fa0/37
ip access-group 100 in