Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
4
Replies

Access-List Help

Go to solution
jfraasch
Level 3
Level 3

‎03-09-2010 09:51 AM - edited ‎03-06-2019 10:04 AM

I have not done a whole lot of access-lists before.


I have Cisco 3560 switch and I need to add an access-list.  Basically I have six servers that are logged into remotely:

10.0.0.1

10.0.0.2

10.0.0.3

10.0.0.4

10.0.0.5

10.0.0.6

Users are able to SSH to the servers from the Corporate LAN.  However, when people get to the servers I need to make sure they get locked down.  Once logged in, I don't want them to be able to SSH, Telnet, or FTP from those boxes to another part of the network. I don't care if they monkey around on the actual subnet, but I just don't want them to be able to source SSH/FTP/Telnet from those boxes to another part of the network.

Understanding that SSH is used to reach the servers, how can I (or can I) lock this down with an access-list.


Thanks in advance for any help you can provide.


James

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jfraasch

‎03-09-2010 10:35 AM

James

No it wouldn't which i think is what you want. It will only affect traffic leaving the 10.0.0.x subnet for other subnets.

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-09-2010 10:28 AM


James

access-list 101 deny tcp host 10.0.0.1 any eq 21

access-list 101 deny tcp host 10.0.0.1 any eq 22

access-list 101 deny tcp host 10.0.0.1 any eq 23

etc.. for each 10.0.0.x host

access-list 101 permit ip any any

then on the vlan interface for 10.0.0.x network -

access-group 101 in

Note that the permit ip any any at the end allows all other traffic from the 10.0.0.x network including traffic from the servers 10.0.0.1 -> 6 that isn't ftp/ssh or telnet out to the rest of the network.

Jon

0 Helpful

Go to solution
jfraasch
Level 3
Level 3
In response to Jon Marshall

‎03-09-2010 10:31 AM

Thanks for the quick reply.


Would this however block the ability of 10.0.0.1 to SSH/Telnet to 10.0.0.2?

James

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to jfraasch

‎03-09-2010 10:35 AM

James

No it wouldn't which i think is what you want. It will only affect traffic leaving the 10.0.0.x subnet for other subnets.

Jon

0 Helpful

Go to solution
jfraasch
Level 3
Level 3
In response to Jon Marshall

‎03-09-2010 10:37 AM

Duh, that's what the "in" means. Like I said, access-list impaired over here!

Perfect.  Again thanks for the help.


James

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card