Need advice on extended ACL

Unanswered Question
Jun 16th, 2008

I have placed a 2801 router at a competitor/customer site that is involved in a joint project. We have set up a server for them to use as a share drive. I am trying to place a very tight ACL to only give them access to the IP 10.20.200.11. I know it's easier to build in the SDM, but I want to learn how to effectively do it manually. This is an example of what I came up with. Please don't laugh, it's my first ACL.


access-list 101 permit ip any host 10.20.200.11
access-list 101 permit icmp any host 10.20.200.11
access-list 101 permit tcp any host 10.20.200.11
access-list 101 permit udp any host 10.20.200.11

Jon Marshall Mon, 06/16/2008 - 09:08

Donnie


The first line

access-list 101 permit ip any host 10.20.200.11

is the only one you need because the "permit ip" covers icmp/tcp & udp.


But even the first line is somewhat open. Do you know the customer subnet range, and do you know what they want to access on your server?


So for example, if their local network was 192.168.5.0/24 and they wanted to use http & telnet:


access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 23
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 80


There is nothing wrong with using the "permit ip", you just need to be aware of what it is allowing.


Jon
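The two points in Jon's reply, that a single "permit ip" entry already covers tcp, udp and icmp, and that narrowing the source subnet and destination port leaves everything else to the implicit deny at the end of every IOS ACL, can be checked with a small model of how the router evaluates an extended ACL. The following is an added example, not code from the thread or from Cisco: it parses only the subset of access-list syntax used above (any / host / address-plus-wildcard, optional "eq port"), applies first-match semantics with an implicit deny, and runs both ACLs from the thread over constructed sample packets. The 192.168.5.0/24 partner subnet is Jon's hypothetical; 192.168.6.0/24 and the sample ports are invented for the test.

```python
# Added example (not from the thread): a small model of Cisco IOS extended
# ACL evaluation. It covers only the syntax used in the thread:
#   access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W".
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination port; 0 for icmp


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, wildcard mask) as integers
    dst: Tuple[int, int]
    dport: Optional[int]        # value after "eq", or None


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1          # all-ones wildcard: match all
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_ace(line: str) -> Ace:
    """Turn one access-list line into an Ace."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    # In a wildcard mask a 1 bit means "don't care", so compare only 0 bits.
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry decides; no match falls to the implicit deny."""
    for line in acl:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line).action
    return "deny"


def same_decisions(acl_a: List[str], acl_b: List[str], packets: List[Packet]) -> bool:
    """True if both ACLs give the same verdict for every sample packet."""
    return all(evaluate(acl_a, p) == evaluate(acl_b, p) for p in packets)


# The poster's four entries and Jon's tightened version, as written above.
ORIGINAL_ACL = [
    "access-list 101 permit ip any host 10.20.200.11",
    "access-list 101 permit icmp any host 10.20.200.11",
    "access-list 101 permit tcp any host 10.20.200.11",
    "access-list 101 permit udp any host 10.20.200.11",
]
TIGHT_ACL = [
    "access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 23",
    "access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 80",
]

# Constructed sample traffic: 192.168.5.0/24 is the hypothetical partner
# subnet from the reply, 192.168.6.0/24 stands in for "anyone else".
SAMPLES = [
    Packet("tcp", "192.168.5.7", "10.20.200.11", 80),
    Packet("tcp", "192.168.5.7", "10.20.200.11", 23),
    Packet("tcp", "192.168.5.7", "10.20.200.11", 22),
    Packet("udp", "192.168.5.7", "10.20.200.11", 53),
    Packet("icmp", "192.168.5.7", "10.20.200.11"),
    Packet("tcp", "192.168.6.7", "10.20.200.11", 80),
    Packet("tcp", "192.168.5.7", "10.20.200.12", 80),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "original:", evaluate(ORIGINAL_ACL, p), "tight:", evaluate(TIGHT_ACL, p))
```

Running it shows that the first line of the original ACL alone makes exactly the same decisions as all four lines over every sample, that any source on the internet can reach 10.20.200.11 under the original ACL, and that under the tightened ACL only tcp/23 and tcp/80 from 192.168.5.0/24 get through while other ports, other protocols, other sources and other destination hosts all fall to the implicit deny.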

HoustonG33K Mon, 06/16/2008 - 10:41

Jon, they are only accessing a drive on the server. I want to lock it down so that they don't see anything else on the network except for the drive on 10.20.200.11. I was going to apply it in on the serial/T1 out.


Thank you very much for the help.
