Access-List Help

Answered Question
Mar 9th, 2010

I have not done a whole lot of access-lists before.


I have a Cisco 3560 switch and I need to add an access-list.  Basically I have six servers that are logged into remotely:

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6

Users are able to SSH to the servers from the Corporate LAN.  However, when people get to the servers I need to make sure they get locked down.  Once logged in, I don't want them to be able to SSH, Telnet, or FTP from those boxes to another part of the network. I don't care if they monkey around on the actual subnet, but I just don't want them to be able to source SSH/FTP/Telnet from those boxes to another part of the network.

Understanding that SSH is used to reach the servers, how can I (or can I) lock this down with an access-list?


Thanks in advance for any help you can provide.


James

Jon Marshall Tue, 03/09/2010 - 10:28

James

access-list 101 deny tcp host 10.0.0.1 any eq 21
access-list 101 deny tcp host 10.0.0.1 any eq 22
access-list 101 deny tcp host 10.0.0.1 any eq 23

etc.. for each 10.0.0.x host

access-list 101 permit ip any any

then on the vlan interface for 10.0.0.x network -

ip access-group 101 in

Note that the permit ip any any at the end allows all other traffic from the 10.0.0.x network including traffic from the servers 10.0.0.1 -> 6 that isn't ftp/ssh or telnet out to the rest of the network.

Jon
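The following is an added example, not code from the thread or from Cisco: it generates the ACL Jon describes for the six servers and then simulates how an inbound router ACL on the 10.0.0.x SVI treats a few constructed flows. It assumes the server VLAN is 10.0.0.0/24 and that the SVI ACL is the only filtering point; a router ACL applied to an SVI only sees routed traffic, so same-subnet traffic is bridged at layer 2 and never reaches it, which is why 10.0.0.1 can still SSH to 10.0.0.2. It also shows that the deny lines match the destination port, so a server's replies to an inbound SSH session (destined for the client's ephemeral port) are not caught.

```python
# Added example (not from the original thread): build the ACL from the answer
# above and model an inbound router ACL on the 10.0.0.x SVI.
# Assumptions: the server VLAN is 10.0.0.0/24 (mask not stated in the thread)
# and no VLAN map is applied, so bridged intra-VLAN traffic bypasses the ACL.
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVERS = [f"10.0.0.{i}" for i in range(1, 7)]
BLOCKED_PORTS = {21: "ftp", 22: "ssh", 23: "telnet"}
SERVER_SUBNET = ipaddress.ip_network("10.0.0.0/24")  # assumed /24


def build_acl(servers, ports, number=101):
    """Return the IOS lines for the extended ACL from the thread."""
    lines = []
    for host in servers:
        for port in sorted(ports):
            lines.append(f"access-list {number} deny tcp host {host} any eq {port}")
    lines.append(f"access-list {number} permit ip any any")
    return lines


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp" or "ip"
    src: str                 # source host address or "any"
    dst_port: Optional[int]  # destination port from "eq", None if unspecified


def parse_acl(lines):
    """Parse 'access-list N action proto (host A|any) (host B|any) [eq P]'."""
    rules = []
    for line in lines:
        tok = line.split()

        def take_addr(i):
            if tok[i] == "host":
                return tok[i + 1], i + 2
            return "any", i + 1

        action, proto = tok[2], tok[3]
        src, i = take_addr(4)
        _, i = take_addr(i)  # destination is always "any" in this ACL
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(action, proto, src, port))
    return rules


def acl_decision(rules, src, proto, dst_port):
    """First-match evaluation with the implicit deny at the end."""
    for r in rules:
        if r.src not in ("any", src):
            continue
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return "deny"


def svi_inbound(rules, src, dst, proto, dst_port):
    """Model 'ip access-group 101 in' on the server VLAN's SVI.
    Traffic whose destination is inside the VLAN is switched at layer 2
    and is not evaluated by the router ACL."""
    if ipaddress.ip_address(dst) in SERVER_SUBNET:
        return "bridged"
    return acl_decision(rules, src, proto, dst_port)


# Constructed flows: (src, dst, proto, dst_port). 10.1.0.5 stands in for a
# host on another corporate subnet; 10.0.0.50 for a non-server host on the VLAN.
FLOWS = {
    "server1 -> other subnet ssh": ("10.0.0.1", "10.1.0.5", "tcp", 22),
    "server1 -> other subnet https": ("10.0.0.1", "10.1.0.5", "tcp", 443),
    "server1 -> server2 ssh": ("10.0.0.1", "10.0.0.2", "tcp", 22),
    "server1 reply to corporate ssh client": ("10.0.0.1", "10.1.0.5", "tcp", 51515),
    "non-server host -> other subnet ssh": ("10.0.0.50", "10.1.0.5", "tcp", 22),
}


def evaluate_flows():
    rules = parse_acl(build_acl(SERVERS, BLOCKED_PORTS))
    return {name: svi_inbound(rules, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for line in build_acl(SERVERS, BLOCKED_PORTS):
        print(line)
    for name, verdict in evaluate_flows().items():
        print(f"{verdict:8} {name}")
```

Only the router ACL on the SVI is modelled here; a 3560 VLAN map (VACL) would also see bridged intra-VLAN traffic, and is out of scope for what the thread asks.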

jfraasch Tue, 03/09/2010 - 10:31

Thanks for the quick reply.


Would this however block the ability of 10.0.0.1 to SSH/Telnet to 10.0.0.2?

James

Correct Answer
Jon Marshall Tue, 03/09/2010 - 10:35

James

No it wouldn't, which I think is what you want. It will only affect traffic leaving the 10.0.0.x subnet for other subnets.

Jon

jfraasch Tue, 03/09/2010 - 10:37

Duh, that's what the "in" means. Like I said, access-list impaired over here!

Perfect.  Again thanks for the help.


James
