ACL

Answered Question
Oct 6th, 2009

Our goal is to restrict RDP and all types of remote connection from the internet to our mail server and allow only the required ports.

access-list 114 permit tcp any host 83.xxx.xx.xx eq domain
access-list 114 permit tcp any host 83.xxx.xx.xx eq smtp
access-list 114 permit tcp any host 83.xxx.xx.xx eq pop3
access-list 114 permit tcp any host 83.xxx.xx.xx eq 995
access-list 114 deny ip any any

interface fastethernet 0/1
ip address 192.168.1.1 255.255.255.0

interface serial0/0/0
ip address 193.55.xx.xxx 255.255.255.252
ip access-group 114 in/out ????????????

On which interface should we apply this ACL, and how should it be implemented, in or out?

Any help will be most appreciated.

Thank you

Paolo Bevilacqua Tue, 10/06/2009 - 04:46

Are you the end user?

This kind of configuration, and more security advice would be better done by a reputable consultant or certified partner.

Giuseppe Larosa Tue, 10/06/2009 - 04:49

Hello Alaa,

I hope you are fine.

If host 83.xx.xx.xx is outside your network on the internet you can apply this ACL:

either inbound on the internal interface

int fas0/1
ip access-group 114 in

OR

outbound on the external interface

int se0/0/0
ip access-group 114 out

Notice that if the ACL was written differently it couldn't be applied anywhere.

Edit:

I had missed the first line of your post:

>> Our goal is to restrict RDP and all types of remote connection from the internet to our mail server and allow only the required ports.

If so, 83.xx.xx.xx is your server and the ACL can only be applied inbound on the serial interface:

int ser0/0/0
ip access-group 114 in

Hope to help

Giuseppe

alaeldien Tue, 10/06/2009 - 20:35

Hello Giuseppe,

Thank you for always being on the spot.

I also missed a very important part of my configs:

int fastethernet0/1 (configured as DMZ with public IP addresses)
ip address 83.xxx.xxx.xx 255.255.255.28

So do you think I need to apply the ACL on serial inbound or fast ethernet outbound?

>> notice that if the ACL was written differently it couldn't be applied anywhere. <

Do you mean if it's extended? Can you clarify your point; it seems to be a very important notice.

Thank you

Alaa

Correct Answer
Giuseppe Larosa Wed, 10/07/2009 - 10:16

Hello Alaa,

I think you should apply this inbound on your serial interface but I agree it could be applied outbound DMZ interface as well.

>> notice that if the ACL was written differently it couldn't be applied anywhere. <

Ignore this, sometimes I make useless comments.

Hope to help

Giuseppe
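To make the placement trade-off in this answer concrete, here is an added Python example that is not from the thread: it evaluates the poster's ACL 114 against a few constructed flows and shows that, applied inbound on serial0/0/0, the final deny also catches traffic not addressed to the mail server (for instance replies to NATed LAN users, assuming PAT on the serial address), whereas applied outbound on the DMZ interface only DMZ-bound packets are checked at all. The addresses are placeholders for the masked values in the posts.

```python
# Added example, not from the thread: run the poster's ACL 114 against
# constructed flows to see what each placement exposes to the final deny.
MAIL_SERVER = "83.0.0.10"   # placeholder for 83.xxx.xx.xx (DMZ mail server)
ROUTER_WAN = "193.55.0.2"   # placeholder for 193.55.xx.xxx on serial0/0/0
PORT_NAMES = {"domain": 53, "smtp": 25, "pop3": 110}
ACL_114 = [
    "permit tcp any host 83.0.0.10 eq domain",
    "permit tcp any host 83.0.0.10 eq smtp",
    "permit tcp any host 83.0.0.10 eq pop3",
    "permit tcp any host 83.0.0.10 eq 995",
    "deny ip any any",
]

def parse_ace(line):
    """Parse the subset of IOS extended-ACL syntax the thread uses."""
    tok = line.split()
    action, proto, src, i = tok[0], tok[1], tok[2], 3   # src is 'any' here
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:
        dst, i = tok[i], i + 1
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, src, dst, port

def evaluate(acl, proto, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, p, _src, d, port = parse_ace(line)
        if (p == "ip" or p == proto) and d in ("any", dst) \
                and (port is None or port == dport):
            return action
    return "deny"

def fate_by_placement(placement, flows):
    """serial-in: every packet arriving from the internet is checked.
    dmz-out: only packets forwarded toward FastEthernet0/1 (the DMZ) are
    checked, so traffic bound elsewhere never meets this ACL's final deny."""
    if placement == "dmz-out":
        flows = [f for f in flows if f[1] == MAIL_SERVER]
    return {f: evaluate(ACL_114, *f) for f in flows}

# Constructed flows as (protocol, destination, destination port)
FLOWS = [
    ("tcp", MAIL_SERVER, 25),    # SMTP to the mail server: wanted
    ("tcp", MAIL_SERVER, 3389),  # RDP to the mail server: what the poster wants blocked
    ("tcp", ROUTER_WAN, 40000),  # reply to a NATed LAN user (assumes PAT on the serial IP)
]
```

If the ACL stays inbound on the serial interface, the LAN's return traffic needs its own permit entries ahead of the final deny; whichever placement is chosen, `deny ip any any log` as the last line records what was dropped.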

YANGCCIE4 Tue, 10/06/2009 - 06:05

Hi, if this is your network topology,

rt e0 ------ f0/2 SW f0/1 ---- exchange_serv

you can apply the access-list on f0/2.

This is the relevant part of my configuration:

!
hostname rt
!
interface Ethernet0/0
ip address 1.1.123.1 255.255.255.0
half-duplex
!

hostname sw
!
interface FastEthernet0/1
switchport mode access
!
interface FastEthernet0/2
switchport mode access
ip access-group 114 in
!
access-list 114 permit tcp any host 1.1.123.5 eq domain
access-list 114 permit tcp any host 1.1.123.5 eq 993
access-list 114 permit tcp any host 1.1.123.5 eq smtp
access-list 114 permit tcp any host 1.1.123.5 eq pop3
access-list 114 deny ip any host 1.1.123.5

YANGCCIE4 Tue, 10/06/2009 - 06:48

As p.bevilacqua and giuslar said, if the network topology is different the configuration will be different. You can also apply the ACL on the PIX or ASA.

Hope this helps.

Yang
