Complicated Access List

imranraheel
Level 1

I want to apply the following configurations on a Cisco 3550 Fast Ethernet 0/35 interface to allow particular ports to my client connected through the interface.

Client IP: 173.0.0.1

My servers' IPs: xxx.xxx.xxx.14, xxx.xxx.xxx.21 and xxx.xxx.xxx.22

object-group service XYZ tcp-udp
 description XYZ Ports
 port-object eq 10111
 port-object eq 10112
 port-object eq 10113
 port-object eq 10311
 port-object eq 10313

access-list inbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 object-group XYZ
access-list inbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.14 object-group XYZ
access-list outbound extended deny tcp any any object-group XYZ
access-list outbound extended deny udp any any object-group XYZ
access-list outbound extended permit ip any any

object-group service WEB tcp-udp
 description WEB
 port-object eq 443

access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.21 object-group WEB
access-list outbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.21 object-group WEB
access-list outbound extended deny tcp any any object-group WEB
access-list outbound extended deny udp any any object-group WEB
access-list outbound extended permit ip any any

object-group service TEST tcp-udp
 description TEST Server Ports
 port-object eq 12700

access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.22 object-group TEST
access-list outbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.22 object-group TEST
access-list outbound extended deny tcp any any object-group TEST
access-list outbound extended deny udp any any object-group TEST
access-list outbound extended permit ip any any

Now let me know two things: are these configs going to work on a Cisco 3550, and how can I apply all of these on a single physical interface? Or is there a better way to perform the specified task?

Thanks for your help.

2 Replies

mrmozaffari
Level 1

Hi,

First I should say that this kind of access-list is for ASA or PIX; I mean you can't use "object group" and "object port" in your 3550 switch.

So you need to change it to a form that your switch accepts and runs.

Here is a way to apply it:

First enable IP routing:

switch# configure terminal
switch(config)# ip routing

Now change your access list to this; I issue one for you as an example:

access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 range 10111 10113

OK.

Then we need to apply the access list to an interface or VLAN; here is your second answer:

If you want to apply it to one interface, you should change the layer 2 behavior to layer 3; I mean you should do this:

Example:

interface fa0/10
 no switchport

and then assign an IP address:

 ip address x.x.x.x x.x.x.x

Here is the direction of your access list:

 ip access-group 100 {in | out}

This way you can only assign your access list to one port. Another way is to assign an IP address and access list to an SVI or a layer 3 VLAN which contains one, two or more ports; I think the second way is better.

It's very easy, just do this:

interface vlan x
 ip address x.x.x.x x.x.x.x
 ip access-group 100 {in | out}

Good luck and have a good configuration.

Please rate helpful messages.

Regards, B. Mozaffari

Do the following configs look fine?

! 173.0.0.1 is the client IP
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 range 10111 10113
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 10311
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 10313
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 443
access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 12700
access-list 100 deny ip any any

interface F0/37
 ip access-group 100 in
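An added example (my own Python, not code from either poster): it turns the per-server port lists from the thread into IOS numbered extended ACL lines, collapsing consecutive ports into a `range` as the reply suggests, and then evaluates sample flows against the result with the switch's first-match semantics. The server addresses are the thread's own placeholders.

```python
from collections import namedtuple
Ace = namedtuple("Ace", "action proto src dst lo hi")  # src/dst None means "any"

CLIENT = "173.0.0.1"
GROUPS = {  # (server, ports) per group as posted; servers keep the thread's placeholders
    "XYZ":  ("xxx.xxx.xxx.14", [10111, 10112, 10113, 10311, 10313]),
    "WEB":  ("xxx.xxx.xxx.21", [443]),
    "TEST": ("xxx.xxx.xxx.22", [12700]),
}

def port_ranges(ports):
    """Collapse ports into (lo, hi) runs so 10111,10112,10113 becomes one 'range'."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs

def build_aces(client, groups, protocols=("tcp", "udp")):
    """Permit client -> server on each group's ports, then an explicit deny ip any any."""
    aces = []
    for server, ports in groups.values():
        for proto in protocols:
            for lo, hi in port_ranges(ports):
                aces.append(Ace("permit", proto, client, server, lo, hi))
    aces.append(Ace("deny", "ip", None, None, 0, 65535))
    return aces

def render(number, aces):
    """Render entries as IOS numbered extended ACL lines (no object-groups on a 3550)."""
    lines = []
    for a in aces:
        src = f"host {a.src}" if a.src else "any"
        dst = f"host {a.dst}" if a.dst else "any"
        if a.proto == "ip":
            lines.append(f"access-list {number} {a.action} ip {src} {dst}")
        else:
            port = f"eq {a.lo}" if a.lo == a.hi else f"range {a.lo} {a.hi}"
            lines.append(f"access-list {number} {a.action} {a.proto} {src} {dst} {port}")
    return lines

def evaluate(aces, proto, src, dst, dport):
    """First matching entry wins, as on the switch; no match falls to the implicit deny."""
    for a in aces:
        if a.proto not in ("ip", proto): continue
        if a.src not in (None, src) or a.dst not in (None, dst): continue
        if a.lo <= dport <= a.hi:
            return a.action
    return "deny"
```

Run `render(100, build_aces(CLIENT, GROUPS))` to get the lines to paste under `configure terminal`, and `evaluate(...)` to check a flow before applying the ACL to the interface.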