03-09-2010 09:51 AM - edited 03-06-2019 10:04 AM
I have not done a whole lot of access-lists before.
I have a Cisco 3560 switch and I need to add an access-list. Basically I have six servers that are logged into remotely:
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6
Users are able to SSH to the servers from the Corporate LAN. However, when people get to the servers I need to make sure they get locked down. Once logged in, I don't want them to be able to SSH, Telnet, or FTP from those boxes to another part of the network. I don't care if they monkey around on the actual subnet, but I just don't want them to be able to source SSH/FTP/Telnet from those boxes to another part of the network.
Understanding that SSH is used to reach the servers, how can I (or can I) lock this down with an access-list?
Thanks in advance for any help you can provide.
James
03-09-2010 10:28 AM
James
access-list 101 deny tcp host 10.0.0.1 any eq 21
access-list 101 deny tcp host 10.0.0.1 any eq 22
access-list 101 deny tcp host 10.0.0.1 any eq 23
etc.. for each 10.0.0.x host
access-list 101 permit ip any any
then on the vlan interface for 10.0.0.x network -
ip access-group 101 in
Note that the permit ip any any at the end allows all other traffic from the 10.0.0.x network, including traffic from the servers 10.0.0.1 -> 6 that isn't FTP/SSH or Telnet, out to the rest of the network.
Jon
03-09-2010 10:31 AM
Thanks for the quick reply.
Would this however block the ability of 10.0.0.1 to SSH/Telnet to 10.0.0.2?
James
03-09-2010 10:35 AM
James
No it wouldn't, which I think is what you want. It will only affect traffic leaving the 10.0.0.x subnet for other subnets.
Jon
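The following is an added model of how ACL 101 from Jon's answer behaves, written for this page and not taken from the thread or from Cisco. It writes out the "etc.." for all six hosts, parses the entries the way IOS reads an extended ACL (first match wins, "host"/"any"/wildcard-mask addresses, "eq" on the destination port, and the implicit deny at the end), and encodes the point behind James's follow-up question: packets between two hosts in the same VLAN are bridged at layer 2 and never reach the SVI, so a router ACL on "interface vlan" is never consulted for them. It assumes a /24 mask for the 10.0.0.x network (the thread never states one), and the other addresses in the sample flows (10.1.1.50, 10.20.0.5) are constructed stand-ins for "another part of the network" and a corporate-LAN client. The sample flows also show two caveats a practitioner should keep in mind: the match is on the destination port only, so an SSH daemon listening on a non-standard port is not covered, and the reply half of an inbound SSH session (source port 22, high destination port) is correctly left alone.

```python
"""Model of how ACL 101 from the thread is evaluated on a 3560 SVI.

Added illustration, not the switch's own code. Reproduces IOS extended-ACL
semantics (first match wins, implicit deny at the end, "host"/"any"/wildcard
masks, "eq <port>" on the destination) plus the fact that traffic between two
hosts in the same VLAN is bridged at layer 2 and never reaches the SVI.
"""
import ipaddress

# Assumed: the server VLAN is 10.0.0.0/24 (the thread only says "10.0.0.x").
SERVER_SUBNET = ipaddress.ip_network("10.0.0.0/24")
SERVERS = [f"10.0.0.{i}" for i in range(1, 7)]
PORTS = (21, 22, 23)  # ftp control, ssh, telnet

# The full ACL from the thread with the "etc.." written out for all six hosts.
ACL_TEXT = "\n".join(
    f"access-list 101 deny tcp host {host} any eq {port}"
    for host in SERVERS for port in PORTS
) + "\naccess-list 101 permit ip any any"


def _parse_addr(tok, i):
    """Parse one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "<address> <wildcard>": ipaddress accepts a host mask in place of a prefix
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Turn 'access-list 101 deny tcp host 10.0.0.1 any eq 22' into a dict."""
    tok = line.split()
    if tok[:2] != ["access-list", "101"]:
        raise ValueError(f"not an ACL 101 entry: {line}")
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = int(tok[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


ACL = [parse_ace(line) for line in ACL_TEXT.splitlines()]


def evaluate(acl, src, dst, proto, dport):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def outcome(src, dst, dport, proto="tcp", acl=ACL):
    """Fate of a packet from src to dst:dport sent by a host in the server VLAN.

    Returns "bridged" when both ends are in the server VLAN: the packet is
    switched at layer 2 and the ACL on "interface vlan" is never consulted.
    Otherwise returns the ACL decision for the inbound direction on the SVI.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in SERVER_SUBNET and d in SERVER_SUBNET:
        return "bridged"
    return evaluate(acl, s, d, proto, dport)


if __name__ == "__main__":
    # Constructed flows: 10.1.1.50 stands in for "another part of the network",
    # 10.20.0.5 for a corporate-LAN client that opened an SSH session inbound.
    for src, dst, dport, why in [
        ("10.0.0.1", "10.1.1.50", 22, "server -> other subnet, ssh"),
        ("10.0.0.1", "10.1.1.50", 443, "server -> other subnet, https"),
        ("10.0.0.1", "10.0.0.2", 22, "server -> server, same VLAN"),
        ("10.0.0.1", "10.1.1.50", 2222, "ssh daemon on a non-standard port"),
        ("10.0.0.7", "10.1.1.50", 22, "host not listed in the ACL"),
        ("10.0.0.1", "10.20.0.5", 54321, "reply half of an inbound ssh session"),
    ]:
        print(f"{why:40s} {outcome(src, dst, dport)}")
```

Run it as a script to see each flow's fate. The "bridged" result is the reason 10.0.0.1 can still SSH to 10.0.0.2: a router ACL on the SVI only sees routed traffic. If intra-VLAN filtering were ever wanted on a 3560, that would need a VLAN access map (VACL), not an `ip access-group` on the SVI. The non-standard-port and unlisted-host flows show the limits of a destination-port, per-host deny list; adding hosts or ports means adding entries, and the permit ip any any at the end otherwise lets the traffic through.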
03-09-2010 10:37 AM
Duh, that's what the "in" means. Like I said, access-list impaired over here!
Perfect. Again thanks for the help.
James