Access-List Confusion

jkortis
Level 1

OK, I probably have lost my mind, but I cannot get this to work!

SERIAL 0/0 A.A.A.A 255.255.255.252

FastEthernet 0/0 Legitimate Class C B.B.B.0 255.255.255.0

FastEthernet 0/1 Class 10.1.1.0 255.255.255.0

Serial 0/2 10.101.101.105

Serial 0/0 is NAT overloaded for 10.1.1.0

B.B.B.0 remains clear IP addresses

I have an extended access list number 103 which denies the usual hacks

such as 16669 and SQL Server scans 1433, etc. I have applied this to

SER 0/0 (A.A.A.A) as

ip access-group 103 in

this seems to work!

However, I would like to achieve the following which has not been working.

Behind SER 0/2 is 10.2.2.0 255.255.255.0. I would like complete access from

my B.B.B.0 network as well as the 10.1.1.0 network to 10.2.2.0. On the other hand, the 10.2.2.0 network should only be provided access to www on 1 machine on the B.B.B.0 network. I have used the following

ip access-list 102 permit tcp 10.1.1.0 0.0.0.255 host B.B.B.1_MACHINE eq www

ip access-list 102 deny ip 10.1.1.0 0.0.0.255 any

Here's the fun, I have tried the following statements

ip access-group 102 in to SER 0/2

ip access-group 102 out to SER 0/2

ip access-group 102 in to FASTETH 0/0

ip access-group 102 out to FASTETH 0/0

I get a host of bad behaviors but nothing that works as expected.

The most weird of which is when I try to telnet from a machine on

B.B.B.any to the router at 10.2.2.100 and it fails. Yet if I telnet to the

router on B.B.B.100 and telnet to 10.2.2.100 from inside there, it works!

Any thoughts?

4 Replies

Erick Bergquist
Level 6

Your 102 access-list is only permitting tcp port 80 traffic from 10.1.1.0/24 to the B host. That's it - everything else gets dropped.

I think you're looking for something along these lines applied inbound on s0/2.

access-list 102 permit tcp 10.2.2.0 0.0.0.255 host b.b.b.b eq 80

access-list 102 deny tcp 10.2.2.0 0.0.0.255 b.b.b.0 0.0.0.255 eq 80

access-list 102 permit ip any any

I did have that last entry in one of my versions and could still

telnet from 10.2.2.100 to any machine on b.b.b.0

You aren't denying telnet traffic. In your explanation above it says you only want www access to 1 machine on the B.B.B.B machine. You didn't mention other traffic being blocked.

access-list 102 permit tcp 10.2.2.0 0.0.0.255 host b.b.b.b eq 80

access-list 102 deny ip 10.2.2.0 0.0.0.255 b.b.b.0 0.0.0.255

access-list 102 permit ip any any

That will only let tcp port 80 traffic through to the one host on the B network and no other traffic period.

See above:

However, I would like to achieve the following which has not been working.

Behind SER 0/2 is 10.2.2.0 255.255.255.0. I would like complete access from

my B.B.B.0 network as well as the 10.1.1.0 network to 10.2.2.0. On the other hand, the 10.2.2.0 network should only be provided access to www on 1 machine on the B.B.B.0 network

The 10.2.2.0 network coming in on SER 0/2 should only have WWW access to one host on B.B.B.b

10.2.2.0 should not get to SER 0/0 to the outside and should not have any accesses at all to B.B.B.0 nor 10.1.1.0 BUT

B.B.B.0 and 10.1.1.0 should have all accesses to 10.2.2.0

so my

access-list 102 permit tcp 10.2.2.0 0.0.0.255 host b.b.b.b eq 80

access-list 102 deny ip 10.2.2.0 0.0.0.255 b.b.b.0 0.0.0.255

access-list 102 permit ip any any

with

SER 0/2 ---- ip access-group 102 in

should work, but why can I telnet from 10.2.2.1 to B.B.B.101?
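As an added example, not part of the thread, the following evaluator applies IOS access-list semantics (top-down, first match wins, implicit deny at the end, wildcard masks) to the two versions of list 102 discussed above. It assumes 203.0.113.0/24 as a placeholder for the B.B.B.0 network and 203.0.113.1 for the B.B.B.1 web host, since the thread never gives the real prefix.

```python
# Added example (not from the thread): a minimal first-match Cisco-style ACL
# evaluator with implicit deny. 203.0.113.0/24 stands in for B.B.B.0 (placeholder).
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    # 'access-list N permit|deny PROTO SRC DST [eq PORT]' -> dict
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "dport": None}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif tok[i] == "host":
            ace[side], i = (tok[i + 1], "0.0.0.0"), i + 2
        else:
            ace[side], i = (tok[i], tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "eq":  # named or numeric destination port
        ace["dport"] = {"www": 80, "telnet": 23}.get(tok[i + 1]) or int(tok[i + 1])
    return ace

def evaluate(acl_lines, pkt):
    # Return 'permit' or 'deny' for pkt = {src, dst, proto, dport}; first match wins.
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *ace["src"])
                and wildcard_match(pkt["dst"], *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL

def tcp(src, dst, dport):
    return {"src": src, "dst": dst, "proto": "tcp", "dport": dport}

# List 102 as posted in the question (B.B.B.1_MACHINE written as 203.0.113.1).
ORIGINAL_102 = [
    "access-list 102 permit tcp 10.1.1.0 0.0.0.255 host 203.0.113.1 eq www",
    "access-list 102 deny ip 10.1.1.0 0.0.0.255 any",
]
# The reply's second version, meant for 'ip access-group 102 in' on Serial 0/2.
INBOUND_S02 = [
    "access-list 102 permit tcp 10.2.2.0 0.0.0.255 host 203.0.113.1 eq 80",
    "access-list 102 deny ip 10.2.2.0 0.0.0.255 203.0.113.0 0.0.0.255",
    "access-list 102 permit ip any any",
]
```

Under the original list a telnet from a B.B.B.0 host never matches either entry and falls to the implicit deny, which is the behaviour a list written only for 10.1.1.0/24 sources produces wherever it sits in that traffic's path. Under the inbound list, the final `permit ip any any` still lets 10.2.2.0/24 reach 10.1.1.0/24, which the later post says it should not.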
