Re: Access List: Help!!!

londint · ‎01-29-2003

I need help once again.

This is the situation. We have a fixed list of external clients ( a.a.a.a,b.b.b.b,c.c.c.c) and we want them to access fixed servers ( 196.1.1.1 (10),196.2.2.2 (20), 197.1.1.1. (30) ) in the office. All these servers have a real world ip address which has been given to these external clients.

What I want to do is limit these users to these servers.

On the Serial line, i already have

access-list 100 permit tcp any host 196.1.1.1 eq 10

access-list 100 permit tcp any host 196.2.2.2 eq 20

access-list 100 permit tcp any host 197.1.1.1 eq 30

int s0/0

ip access-group 100 in

Now on the Ethernet Interface.

I want to tighten the security further by saying that the clients a.a.a.a, b.b.b.b,c.c.c.c can only get to 196.1.1.1 (10),196.2.2.2 (20), 197.1.1.1. (30).

So do I write it like this a

access-list 108 permit host 196.1.1.1 host a.a.a.a

access-list 108 permit host 196.1.1.1 host b.b.b.b

access-list 108 permit host 196.1.1.1 host c.c.c.c

access-list 108 permit host 196.2.2.2 host a.a.a.a

access-list 108 permit host 196.2.2.2 host b.b.b.b

access-list 108 permit host 196.2.2.2. host c.c.c.c

OR

access-list 108 permit host a.a.a.a host 196.1.1.1

access-list 108 permit host b.b.b.b host 196.1.1.1

access-list 108 permit host c.c.c.c host 196.1.1.1

access-list 108 permit host a.a.a.a host 196.2.2.2

access-list 108 permit host b.b.b.b host 196.2.2.2

access-list 108 permit host c.c.c.c host 196.2.2.2.

And then on the Ethernet Interface put

Int e0/0

ip access-group 108 in

Please I need your urgent help. the direction thing ....

Thanks

j.stringer · ‎01-29-2003

ACL's are source/destination.

So if you want to limit incomming ip address (a.a.a.a, b.b.b.b,c.c.c.c) to only have access to 196.1.1.1 (or the other servers) then scenerio 2 in your example is what you want.

wolfrikk · ‎01-29-2003

You would want to use

access-list 108 permit host a.a.a.a host 196.1.1.1

access-list 108 permit host b.b.b.b host 196.1.1.1

access-list 108 permit host c.c.c.c host 196.1.1.1

access-list 108 permit host a.a.a.a host 196.2.2.2

access-list 108 permit host b.b.b.b host 196.2.2.2

access-list 108 permit host c.c.c.c host 196.2.2.2.

The only thing to watch is the implicit deny at the end of all access list. This access list will allow those clients to connect to the servers, but all other traffic will be dropped.

paulo.s · ‎01-29-2003

First, if you aply access-list 100 only for external clients(aaa......) just only these clients can access your network, because you are not given permission to other clients, access-list 100 permit ip any any not included in the end of your access-list.

About the other access-list to interface ethernet, you don't need, because you are blocking in the interface serial.

a.manosca · ‎01-29-2003

The ACL for the serial interface looks good,

but as wolfrikk said, do not forget the implicit deny.

Since you want to tighten the security further by

adding another ACL on the Ethernet interface,

(which is not really recommended if you do not

have enough router CPU resources), like what j.stringer

said, scenario 2 is what you want. BUT, you should

apply the ACL "outbound" the Ethernet0/0 since the

destination is "outside" E0/0.

Hope this helps a bit.

londint · ‎01-31-2003

Thanks. So can I configure list 2 and apply it on to the serial interface as

access-list 108 permit tcp host a.a.a.a host 196.1.1.1 eq 10

access-list 108 permit tcp host b.b.b.b host 196.1.1.1 eq 10

access-list 108 permit tcp host c.c.c.c host 196.1.1.1 eq 10

access-list 108 permit tcp host a.a.a.a host 196.2.2.2 eq 20

access-list 108 permit tcp host b.b.b.b host 196.2.2.2 eq 20

access-list 108 permit tcp host c.c.c.c host 196.2.2.2. eq 20

access-list 108 permit tcp host a.a.a.a host 197.1.1. 1 eq 30

access-list 108 permit tcp host b.b.b.b host 197.1.1. 1 eq 30

access-list 108 permit tcp host c.c.c.c host 197.1.1. 1. eq 30

int s0/0

access-group 108 in

so that it will not use up the cpu of the router too much. Then the implicit deny will deny all other users.

The access list 100 i wrote before means that all users will get past the serial interface, go through the router and then get stopped only as they pass through the ethernet interface. Is this correct?

Thank you all so much for your help.