Help with access list (pasted below)

Apr 8th, 2008

Hi,

Can someone explain part of this access list? I'm not sure if I need it. The access list is called "inbound_acl".

And I need to know what the below achieves:

permit tcp 80.71.156.64 0.0.0.31 any eq telnet
permit tcp 80.71.156.64 0.0.0.31 any eq 22
permit tcp 80.71.156.64 0.0.0.31 any eq ftp-data
permit tcp 80.71.156.64 0.0.0.31 any eq ftp
permit tcp 80.71.156.64 0.0.0.31 any eq www
permit tcp 80.71.156.64 0.0.0.31 any eq 443

80.71.156.64 and upwards is our external IP range (firewall etc.).

Access List:

ip access-list extended inbound_acl
 permit udp any any eq isakmp
 permit esp any any
 deny icmp any any timestamp-request
 deny icmp any any timestamp-reply
 permit icmp any any
 permit udp any any eq ntp
 permit tcp 80.71.156.64 0.0.0.31 any eq telnet
 permit tcp 80.71.156.64 0.0.0.31 any eq 22
 permit tcp 80.71.156.64 0.0.0.31 any eq ftp-data
 permit tcp 80.71.156.64 0.0.0.31 any eq ftp
 permit tcp 80.71.156.64 0.0.0.31 any eq www
 permit tcp 80.71.156.64 0.0.0.31 any eq 443
 permit ip 192.168.20.0 0.0.0.255 172.19.8.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 172.19.8.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 172.19.8.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.19.8.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 172.19.8.0 0.0.0.255
 permit ip 192.168.60.0 0.0.0.255 172.19.8.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 172.19.8.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 172.19.8.0 0.0.0.255
 permit ip 192.168.90.0 0.0.0.255 172.19.8.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 172.19.8.0 0.0.0.255
! IOS evaluates entries top to bottom and applies an implicit "deny ip any any" after the last one
!
interface Dialer1
 ip address negotiated
 ip access-group inbound_acl in
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ****
 ppp chap password 0 ****
 ppp pap sent-username **** password 0 ****
 crypto map CSO_Crypto_Map

Richard Burts Tue, 04/08/2008 - 04:01

Andy

The part of your question about what that section of access list does is fairly simple to answer but the part about whether you need it requires understanding of your environment that you have not provided. What the access list does is to provide a specific subnet (which you identify as your external IP range) with access to any destination address for Telnet, SSH, FTP, and web (both HTTP and HTTPS).

You show the access list being assigned inbound on the dialer interface. But we do not know what device this is on and we do not know whether your external IP range is really outside on your dialer interface. So we do not know whether you need this part of the access list on this interface. I also find it a bit odd that this access list permits 4 specific TCP protocols but no other IP access (no DNS, no ICMP or UDP) so the access list provides only very limited functionality for your external IP range. Perhaps that is what was intended - or perhaps not - we just do not know.

HTH

Rick
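Rick's two points (the entries grant a single subnet only those TCP services, and anything else from that subnet falls through to the implicit deny at the end of an IOS ACL) can be checked mechanically. What follows is an added example, not code from the original thread or from Cisco: a first-match evaluator for the subset of IOS extended-ACL syntax the posted list uses, run over constructed packets. The 80.71.156.64 0.0.0.31 and 192.168.20.0 / 172.19.8.0 entries are copied from the posted ACL; the endpoints 10.0.0.5 and 203.0.113.9 and the packet mix are made up for illustration. It also shows that the wildcard 0.0.0.31 covers exactly 80.71.156.64 through 80.71.156.95 (a /27), not an open-ended range.

```python
"""Added example, not from the original thread or from Cisco: a first-match
evaluator for the subset of IOS extended-ACL syntax used in the posted
inbound_acl, run over constructed packets to show what the list admits and
what falls through to the implicit 'deny ip any any' that ends every IOS ACL.
"""
import ipaddress

# Port keywords used in the post, resolved to the numbers IOS uses for them.
PORT_NAMES = {"telnet": 23, "ftp-data": 20, "ftp": 21, "www": 80,
              "isakmp": 500, "ntp": 123}
# ICMP message-type keywords used in the post.
ICMP_TYPES = {"timestamp-request": 13, "timestamp-reply": 14}

# Entries copied from the posted ACL (one LAN-to-LAN line kept as representative).
ACL_TEXT = """
permit udp any any eq isakmp
permit esp any any
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
permit icmp any any
permit udp any any eq ntp
permit tcp 80.71.156.64 0.0.0.31 any eq telnet
permit tcp 80.71.156.64 0.0.0.31 any eq 22
permit tcp 80.71.156.64 0.0.0.31 any eq ftp-data
permit tcp 80.71.156.64 0.0.0.31 any eq ftp
permit tcp 80.71.156.64 0.0.0.31 any eq www
permit tcp 80.71.156.64 0.0.0.31 any eq 443
permit ip 192.168.20.0 0.0.0.255 172.19.8.0 0.0.0.255
"""


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of
    tokens; return (address, wildcard) as ints. Wildcard bit 1 = don't care."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    return int(ipaddress.ip_address(tok)), int(ipaddress.ip_address(tokens.pop(0)))


def addr_matches(addr, entry):
    """IOS wildcard test: every bit that is 0 in the wildcard must match."""
    net, wildcard = entry
    care = ~wildcard & 0xFFFFFFFF
    return ((int(ipaddress.ip_address(addr)) ^ net) & care) == 0


def wildcard_range(network, wildcard):
    """First and last address an 'A.B.C.D WILDCARD' pair covers (contiguous mask)."""
    net = int(ipaddress.ip_address(network))
    wc = int(ipaddress.ip_address(wildcard))
    return str(ipaddress.ip_address(net & ~wc)), str(ipaddress.ip_address(net | wc))


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        rule = {"text": line, "action": tokens.pop(0), "proto": tokens.pop(0),
                "dport": None, "icmp_type": None}
        rule["src"] = parse_addr(tokens)
        rule["dst"] = parse_addr(tokens)
        if tokens and tokens[0] == "eq":          # port qualifier after the destination
            rule["dport"] = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        elif tokens and rule["proto"] == "icmp":  # ICMP message-type keyword
            rule["icmp_type"] = ICMP_TYPES[tokens[0]]
        rules.append(rule)
    return rules


def evaluate(rules, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (addr_matches(pkt["src"], r["src"]) and addr_matches(pkt["dst"], r["dst"])):
            continue
        if r["dport"] is not None and pkt.get("dport") != r["dport"]:
            continue
        if r["icmp_type"] is not None and pkt.get("icmp_type") != r["icmp_type"]:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny ip any any"


def check_samples():
    """Constructed packets (203.0.113.9 and 10.0.0.5 are made-up endpoints)."""
    rules = parse_acl(ACL_TEXT)
    samples = {
        "ssh from inside the /27": dict(proto="tcp", src="80.71.156.70", dst="10.0.0.5", dport=22),
        "ssh from just past the /27": dict(proto="tcp", src="80.71.156.96", dst="10.0.0.5", dport=22),
        "dns from inside the /27": dict(proto="udp", src="80.71.156.70", dst="10.0.0.5", dport=53),
        "icmp timestamp request": dict(proto="icmp", src="203.0.113.9", dst="10.0.0.5", icmp_type=13),
        "icmp echo": dict(proto="icmp", src="203.0.113.9", dst="10.0.0.5", icmp_type=8),
        "isakmp from anywhere": dict(proto="udp", src="203.0.113.9", dst="10.0.0.5", dport=500),
        "lan-to-lan over the tunnel": dict(proto="tcp", src="192.168.20.9", dst="172.19.8.3", dport=445),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    print("80.71.156.64 0.0.0.31 covers", wildcard_range("80.71.156.64", "0.0.0.31"))
    for name, verdict in check_samples().items():
        print(f"{verdict:6} {name}")
```

The evaluator only understands the keywords that appear in the post (a destination-side "eq", ICMP type keywords, "any"/"host"/address-wildcard pairs), so feed it a fuller ACL and you will need to extend parse_acl. The DNS case is the one worth noticing: a UDP/53 packet from inside the /27 matches none of the six TCP entries and none of the "any any" entries, so it is dropped by the implicit deny, which is exactly the narrowness Rick is pointing at.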
