ACL

Answered Question
Oct 6th, 2009

Our goal is to restrict RDP and all types of remote connections from the internet to our mail server and allow only the required ports.


access-list 114 permit tcp any host 83.xxx.xx.xx eq domain
access-list 114 permit tcp any host 83.xxx.xx.xx eq smtp
access-list 114 permit tcp any host 83.xxx.xx.xx eq pop3
access-list 114 permit tcp any host 83.xxx.xx.xx eq 995
access-list 114 deny ip any any


interface fastethernet 0/1
ip address 192.168.1.1 255.255.255.0

interface serial0/0/0
ip address 193.55.xx.xxx 255.255.255.252

ip access-group 114 in/out ????????????


On which interface should we apply this ACL, and should it be applied in or out?


any help will be most appreciated


thank you



paolo bevilacqua Tue, 10/06/2009 - 04:46

Are you the end user?


This kind of configuration, and more security advice would be better done by a reputable consultant or certified partner.

Giuseppe Larosa Tue, 10/06/2009 - 04:49

Hello Ala,

I hope you are fine.


If host 83.xx.xx.xx is outside your network, on the internet, you can apply this ACL:

either inbound on the internal interface

int fas0/1
ip access-group 114 in

OR

outbound on the external interface

int se0/0/0
ip access-group 114 out


Notice that if the ACL was written differently it couldn't be applied anywhere.


Edit:

I had missed the first line of your post

>> our goal is to restrict RDP and all type of remote connection from internet to our mail server and allow only required ports


If so, 83.xx.xx.xx is your server and the ACL can only be applied inbound on the serial interface:

int ser0/0/0
ip access-group 114 in




Hope to help

Giuseppe


alaeldien Tue, 10/06/2009 - 20:35

Hello Giuseppe,

Thank you for always being on the spot.


I also missed a very important part of my configs:

int fastethernet0/1 (configured as DMZ with public IP addresses)
ip address 83.xxx.xxx.xx 255.255.255.28


So do you think I need to apply the ACL on the serial inbound or on the FastEthernet outbound?


>> notice that if the ACL was written differently it couldn't be applied anywhere. < Do you mean if it's extended? Can you clarify your point; it seems to be a very important notice.


thank you

Alaa



Correct Answer
Giuseppe Larosa Wed, 10/07/2009 - 10:16

Hello Alaa,


I think you should apply this inbound on your serial interface, but I agree it could be applied outbound on the DMZ interface as well.



>> notice that if the ACL was written differently it couldn't be applied anywhere. <


Ignore this; sometimes I make useless comments.


Hope to help

Giuseppe


YANGCCIE4 Tue, 10/06/2009 - 06:05


Hi, if this is your network topology,

rt e0 ------ f0/2 SW f0/1 ---- exchange_serv

you can apply the access-list on f0/2.

This is part of my configuration.

!
hostname rt
!
interface Ethernet0/0
ip address 1.1.123.1 255.255.255.0
half-duplex
!
hostname sw
!
interface FastEthernet0/1
switchport mode access
!
interface FastEthernet0/2
switchport mode access
ip access-group 114 in
!
access-list 114 permit tcp any host 1.1.123.5 eq domain
access-list 114 permit tcp any host 1.1.123.5 eq 993
access-list 114 permit tcp any host 1.1.123.5 eq smtp
access-list 114 permit tcp any host 1.1.123.5 eq pop3
access-list 114 deny ip any host 1.1.123.5


YANGCCIE4 Tue, 10/06/2009 - 06:48

As p.bevilacqua and giuslar said, if the network topology is different the configuration will be different; you can also apply the ACL on the PIX or ASA.

Hope this help.


Yang

