Need advice on extended ACL

Jun 16th, 2008

I have placed a 2801 router at a competitor/customer site that is involved in a joint project. We have set up a server for them to use as a share drive. I am trying to place a very tight ACL to only give them access to the IP. I know it's easier to build in the SDM, but I want to learn how to do it manually and effectively. This is an example of what I came up with. Please don't laugh, it's my first ACL.

access-list 101 permit ip any host

access-list 101 permit icmp any host

access-list 101 permit tcp any host

access-list 101 permit udp any host

Jon Marshall Mon, 06/16/2008 - 09:08

The first line

access-list 101 permit ip any host

is the only one you need because the "permit ip" covers icmp/tcp & udp.

But even the first line is somewhat open. Do you know the customer subnet range, and do you know what they want to access on your server?

So, for example, if their local network was and they wanted to use http & telnet:

access-list 101 permit tcp host eq 23

access-list 101 permit tcp host eq 80

There is nothing wrong with using the "permit ip", you just need to be aware of what it is allowing.
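
To make the points in Jon's reply concrete (a bare "permit ip" entry covering every protocol, tighter per-protocol entries, and the implicit deny at the end of every list), here is an added example that is not part of the original thread: a small Python evaluator for the extended-ACL syntax used above. The server and partner addresses, the /24 wildcard mask and the file-share ports (TCP 445 and 139, assuming a Windows-style SMB share) are assumptions chosen for the demo, not details from the thread.

```python
"""Tiny evaluator for Cisco IOS-style numbered extended ACLs.

Constructed example, not code from the thread.  It parses lines like the ones
above (permit/deny; ip/tcp/udp/icmp; "any", "host X" or "network wildcard" for
source and destination; an optional "eq <port>" on the destination) and applies
them the way IOS does: first match wins, implicit "deny ip any any" at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical addresses (RFC 5737 documentation ranges) assumed for the demo.
SERVER = "192.0.2.10"            # the share-drive server
PARTNER_NET = "198.51.100.0"     # the partner's LAN ...
PARTNER_WILDCARD = "0.0.0.255"   # ... written as an IOS wildcard mask (/24)
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53}   # a few IOS port keywords

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # "eq <port>" after the destination (tcp/udp)

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "<network> <wildcard>": an IOS wildcard mask is the bitwise inverse of a
    # subnet mask (0.0.0.255 -> 255.255.255.0).  Non-contiguous wildcards are
    # legal in IOS but rejected by ipaddress; that is fine for this demo.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((t, netmask), strict=False), i + 2

def parse_rule(line: str) -> Rule:
    """Parse one 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL line: {line!r}")
    src, i = _addr(tokens, 4)
    dst, i = _addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Rule(tokens[2], tokens[3], src, dst, dport)

def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in acl:
        proto_ok = r.proto == "ip" or r.proto == pkt.proto   # "ip" covers them all
        port_ok = r.dport is None or r.dport == pkt.dport
        if proto_ok and port_ok and s in r.src and d in r.dst:
            return r.action
    return "deny"

# The OP's list collapses to the one line Jon says it needs ...
OPEN_ACL = [parse_rule(f"access-list 101 permit ip any host {SERVER}")]
# ... versus one that admits only the partner LAN, only to the share itself
# (assumes a Windows-style SMB share: TCP 445, plus NetBIOS session on 139).
TIGHT_ACL = [parse_rule(l) for l in (
    f"access-list 102 permit tcp {PARTNER_NET} {PARTNER_WILDCARD} host {SERVER} eq 445",
    f"access-list 102 permit tcp {PARTNER_NET} {PARTNER_WILDCARD} host {SERVER} eq 139",
)]

def compare() -> dict:
    """Return {name: (open-ACL verdict, tight-ACL verdict)} for constructed packets."""
    samples = {
        "smb_from_partner":    Packet("tcp", "198.51.100.25", SERVER, 445),
        "telnet_from_partner": Packet("tcp", "198.51.100.25", SERVER, 23),
        "ping_from_partner":   Packet("icmp", "198.51.100.25", SERVER),
        "smb_to_other_host":   Packet("tcp", "198.51.100.25", "192.0.2.20", 445),
        "smb_from_outsider":   Packet("tcp", "203.0.113.7", SERVER, 445),
    }
    return {n: (evaluate(OPEN_ACL, p), evaluate(TIGHT_ACL, p)) for n, p in samples.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22s} open={verdicts[0]:7s} tight={verdicts[1]}")
```

Running it shows the difference Jon is pointing at: the single "permit ip" line lets the partner (and anyone else whose traffic arrives on that interface) reach telnet, ping and every other service on the server, while the tighter list admits only SMB from the partner LAN and drops everything else, including the partner's pings to the server, which is worth remembering when they report "the server is down". Whichever list you end up with does nothing until it is bound to the interface, e.g. `ip access-group 102 in` under the serial interface facing the partner.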


HoustonG33K Mon, 06/16/2008 - 10:41

Jon, they are only accessing a drive on the server. I want to lock it down so that they don't see anything else on the network except for the drive on . I was going to apply it in on the serial/T1 out.

Thank you very much for the help.

