Access-List Confusion

OK, I probably have lost my mind, but I cannot get this to work!


SERIAL 0/0 A.A.A.A 255.255.255.252

FastEthernet 0/0 Legitimate Class C B.B.B.0 255.255.255.0

FastEthernet 0/1 Class 10.1.1.0 255.255.255.0

Serial 0/2 10.101.101.105


Serial 0/0 is NAT overloaded for 10.1.1.0

B.B.B.0 remains clear IP addresses


I have an extended access list number 103 which denies the usual hacks

such as 16669 and SQL Server scans 1433, etc. I have applied this to

SER 0/0 (A.A.A.A) as

ip access-group 103 in

this seems to work!


However, I would like to achieve the following which has not been working.

Behind SER 0/2 is 10.2.2.0 255.255.255.0. I would like complete access from

my B.B.B.0 network as well as the 10.1.1.0 network to 10.2.2.0. On the other hand, the 10.2.2.0 network should only be provided access to www on 1 machine on the B.B.B.0 network. I have used the following


ip access-list 102 permit tcp 10.1.1.0 0.0.0.255 host B.B.B.1_MACHINE eq www

ip access-list 102 deny ip 10.1.1.0 0.0.0.255 any


Here's the fun: I have tried the following statements

ip access-group 102 in to SER 0/2

ip access-group 102 out to SER 0/2

ip access-group 102 in to FASTETH 0/0

ip access-group 102 out to FASTETH 0/0


I get a host of bad behaviors but nothing that works as expected.

The weirdest of these is when I try to telnet from a machine on

B.B.B.any to the router at 10.2.2.100 and it fails. Yet if I telnet to the

router on B.B.B.100 and telnet to 10.2.2.100 from inside there, it works!


Any thoughts?

Erick Bergquist Sun, 02/02/2003 - 22:07

Your 102 access-list is only permitting tcp port 80 traffic from 10.1.1.0/24 to the B host. That's it - everything else gets dropped.


I think you're looking for something along these lines applied inbound on s0/2.


access-list 102 permit tcp 10.2.2.0 0.0.0.255 host b.b.b.b eq 80

access-list 102 deny tcp 10.2.2.0 0.0.0.255 b.b.b.0 0.0.0.255 eq 80

access-list 102 permit ip any any

Erick Bergquist Mon, 02/03/2003 - 18:59

You aren't denying telnet traffic. In your explanation above it says you only want www access to 1 machine on the B.B.B.B machine. You didn't mention other traffic being blocked.


access-list 102 permit tcp 10.2.2.0 0.0.0.255 host b.b.b.b eq 80

access-list 102 deny ip 10.2.2.0 0.0.0.255 b.b.b.0 0.0.0.255

access-list 102 permit ip any any


That will only let tcp port 80 traffic through to the one host on the B network and no other traffic period.

See above:

However, I would like to achieve the following which has not been working.

Behind SER 0/2 is 10.2.2.0 255.255.255.0. I would like complete access from

my B.B.B.0 network as well as the 10.1.1.0 network to 10.2.2.0. On the other hand, the 10.2.2.0 network should only be provided access to www on 1 machine on the B.B.B.0 network


The 10.2.2.0 network coming in on SER 0/2 should only have WWW access to one host on B.B.B.b

10.2.2.0 should not get to SER 0/0 to the outside and should not have any accesses at all to B.B.B.0 nor 10.1.1.0 BUT

B.B.B.0 and 10.1.1.0 should have all accesses to 10.2.2.0


so my

access-list 102 permit tcp 10.2.2.0 0.0.0.255 host b.b.b.b eq 80

access-list 102 deny ip 10.2.2.0 0.0.0.255 b.b.b.0 0.0.0.255

access-list 102 permit ip any any


with

SER 0/2 ---- ip access-group 102 in


should work, but why can I telnet from 10.2.2.1 to B.B.B.101?
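As an added example (not part of the thread or of Cisco's software), the Python below evaluates the three versions of access-list 102 posted above against sample flows the way the router would with the list applied inbound on s0/2: first match wins, and anything unmatched hits the implicit deny. It assumes 192.0.2.0/24 as a stand-in for the anonymised B.B.B.0 network, 192.0.2.1 for the www host and 192.0.2.101 for the host that could still be telnetted to, and also checks a flow from 10.2.2.0/24 to 10.1.1.0/24, which the second list as posted still permits.

```python
# Added example, not from the thread: a minimal evaluator for Cisco extended
# ACL entries (first match wins, implicit deny at the end). 192.0.2.0/24
# (RFC 5737 documentation space) stands in for the anonymised B.B.B.0 network.
import ipaddress

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("net", tokens[0], tokens[1]), tokens[2:]

def _addr_matches(spec, addr):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return a == int(ipaddress.IPv4Address(spec[1]))
    net, wc = (int(ipaddress.IPv4Address(x)) for x in spec[1:])
    return (a & ~wc) == (net & ~wc)

def parse_ace(line):
    """Parse 'access-list N <permit|deny> <proto> <src> <dst> [eq PORT]'."""
    _, _, action, proto, *rest = line.split()  # skip "access-list 102"
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one flow, as the router would."""
    for action, ace_proto, ace_src, ace_dst, ace_port in map(parse_ace, acl_lines):
        if (ace_proto in ("ip", proto) and _addr_matches(ace_src, src)
                and _addr_matches(ace_dst, dst) and ace_port in (None, dport)):
            return action
    return "deny"  # the implicit deny every IOS ACL ends with

# The list as posted filters 10.1.1.0/24, so nothing from 10.2.2.0/24 matches it.
AS_POSTED = ["access-list 102 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.1 eq 80",
             "access-list 102 deny ip 10.1.1.0 0.0.0.255 any"]
# First reply: only port 80 to the rest of the B network is denied.
FIRST_REPLY = ["access-list 102 permit tcp 10.2.2.0 0.0.0.255 host 192.0.2.1 eq 80",
               "access-list 102 deny tcp 10.2.2.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 80",
               "access-list 102 permit ip any any"]
# Second reply: all IP from 10.2.2.0/24 to the B network is denied.
SECOND_REPLY = ["access-list 102 permit tcp 10.2.2.0 0.0.0.255 host 192.0.2.1 eq 80",
                "access-list 102 deny ip 10.2.2.0 0.0.0.255 192.0.2.0 0.0.0.255",
                "access-list 102 permit ip any any"]
```

Running the telnet flow 10.2.2.1 to 192.0.2.101 port 23 through FIRST_REPLY returns permit (the "deny tcp ... eq 80" line only matches port 80, so "permit ip any any" catches it) and through SECOND_REPLY returns deny, while 10.2.2.1 to 10.1.1.5 is still permitted by SECOND_REPLY.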