Cisco Support Community
New Member

Access-List Help

I have not done a whole lot of access-lists before.


I have a Cisco 3560 switch and I need to add an access-list.  Basically I have six servers that are logged into remotely:

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6

Users are able to SSH to the servers from the Corporate LAN.  However, when people get to the servers I need to make sure they get locked down.  Once logged in, I don't want them to be able to SSH, Telnet, or FTP from those boxes to another part of the network. I don't care if they monkey around on the actual subnet, but I just don't want them to be able to source SSH/FTP/Telnet from those boxes to another part of the network.

Understanding that SSH is used to reach the servers, how can I (or can I) lock this down with an access-list?


Thanks in advance for any help you can provide.


James

4 REPLIES
Hall of Fame Super Blue

Re: Access-List Help


James

access-list 101 deny tcp host 10.0.0.1 any eq 21
access-list 101 deny tcp host 10.0.0.1 any eq 22
access-list 101 deny tcp host 10.0.0.1 any eq 23

etc. for each 10.0.0.x host

access-list 101 permit ip any any

then on the VLAN interface for the 10.0.0.x network -

ip access-group 101 in

Note that the permit ip any any at the end allows all other traffic from the 10.0.0.x network including traffic from the servers 10.0.0.1 -> 6 that isn't ftp/ssh or telnet out to the rest of the network.

Jon

New Member

Re: Access-List Help

Thanks for the quick reply.


Would this, however, block the ability of 10.0.0.1 to SSH/Telnet to 10.0.0.2?

James

Hall of Fame Super Blue

Re: Access-List Help (Accepted Solution)

James

No, it wouldn't, which I think is what you want. It will only affect traffic leaving the 10.0.0.x subnet for other subnets.

Jon
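The following is an added walkthrough, not code from the thread or from Cisco: a small Python model of ACL 101 applied inbound on the 10.0.0.x SVI, used to check the two points made above (the servers can still be reached over SSH from the Corporate LAN because the reply packets go to an ephemeral port, and server-to-server traffic inside the VLAN never touches the SVI ACL) plus two caveats a practitioner would want to test: a deny keyed on port 22 does nothing for an sshd listening on another port, and a seventh server not listed in the ACL is not restricted (the block also shows the same policy written with one wildcard entry per port). The /24 mask on the server VLAN, the Corporate LAN host 192.168.1.50 and the remote host 172.16.5.10 are constructed assumptions; only a destination-port `eq` and contiguous wildcard masks are modelled.

```python
"""Model of an IOS extended ACL applied 'in' on a 3560 SVI. Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp"
    dport: int = 0   # destination port, 0 when not applicable


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # only a destination-port "eq" is modelled


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.ip_address(t[i + 1]))   # wildcard: 0 bits must match (assumed contiguous)
    return ipaddress.ip_network(f"{t[i]}/{32 - wild.bit_length()}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one numbered extended ACE, e.g. 'access-list 101 deny tcp host 10.0.0.1 any eq 22'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[2], t[3], src, dst, dport)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


SERVER_VLAN = ipaddress.ip_network("10.0.0.0/24")   # assumed mask for the 10.0.0.x VLAN


def svi_forward(acl_in: List[Ace], pkt: Packet) -> str:
    """Same-VLAN traffic is bridged at layer 2 and never reaches the SVI ('switched').
    Traffic leaving the VLAN is routed through the SVI and hits the 'in' ACL.
    Traffic entering the VLAN would hit an 'out' ACL, and the thread configures none."""
    src_in = ipaddress.ip_address(pkt.src) in SERVER_VLAN
    dst_in = ipaddress.ip_address(pkt.dst) in SERVER_VLAN
    if src_in and dst_in:
        return "switched"
    return evaluate(acl_in, pkt) if src_in else "permit"


def tcp_session_allowed(acl_in: List[Ace], client: str, server: str, port: int,
                        client_port: int = 51234) -> bool:
    """A TCP session needs both the SYN and the server's reply to get through the SVI."""
    syn = Packet(client, server, "tcp", port)
    reply = Packet(server, client, "tcp", client_port)   # reply goes to the client's ephemeral port
    return all(svi_forward(acl_in, p) != "deny" for p in (syn, reply))


SERVERS = [f"10.0.0.{n}" for n in range(1, 7)]
ACL_101 = [parse_ace(f"access-list 101 deny tcp host {h} any eq {p}") for h in SERVERS for p in (21, 22, 23)]
ACL_101.append(parse_ace("access-list 101 permit ip any any"))

# Same policy with one wildcard entry per port: 10.0.0.0 0.0.0.7 covers 10.0.0.0 through 10.0.0.7.
ACL_101_RANGE = [parse_ace(f"access-list 101 deny tcp 10.0.0.0 0.0.0.7 any eq {p}") for p in (21, 22, 23)]
ACL_101_RANGE.append(parse_ace("access-list 101 permit ip any any"))

CORP_HOST = "192.168.1.50"    # constructed: a Corporate LAN workstation
REMOTE_HOST = "172.16.5.10"   # constructed: a host in "another part of the network"


def scenarios() -> dict:
    return {
        "corp_ssh_to_server": tcp_session_allowed(ACL_101, CORP_HOST, "10.0.0.1", 22),       # must keep working
        "server_ssh_out": tcp_session_allowed(ACL_101, "10.0.0.1", REMOTE_HOST, 22),          # what the ACL stops
        "server_ftp_out": tcp_session_allowed(ACL_101, "10.0.0.6", REMOTE_HOST, 21),
        "server_ssh_to_peer": tcp_session_allowed(ACL_101, "10.0.0.1", "10.0.0.2", 22),       # James's follow-up
        "server_https_out": tcp_session_allowed(ACL_101, "10.0.0.1", REMOTE_HOST, 443),       # permit ip any any
        "server_ssh_out_port_2222": tcp_session_allowed(ACL_101, "10.0.0.1", REMOTE_HOST, 2222),  # caveat
        "seventh_server_ssh_out": tcp_session_allowed(ACL_101, "10.0.0.7", REMOTE_HOST, 22),      # caveat
        "seventh_server_ssh_out_range_acl": tcp_session_allowed(ACL_101_RANGE, "10.0.0.7", REMOTE_HOST, 22),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:34} {'allowed' if allowed else 'BLOCKED'}")
```

Running it shows the inbound SSH session from the Corporate LAN allowed, the servers' outbound SSH/FTP to 172.16.5.10 blocked, and server-to-server SSH untouched (reported as switched, never evaluated). The last two entries are the practical caveats: port-keyed denies only catch the standard ports, and an explicit per-host list silently excludes any server added later, which the wildcard form avoids.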

New Member

Re: Access-List Help

Duh, that's what the "in" means. Like I said, access-list impaired over here!

Perfect.  Again thanks for the help.


James
