01-29-2003 05:35 AM - edited 03-02-2019 04:38 AM
I need help once again.
This is the situation. We have a fixed list of external clients (a.a.a.a, b.b.b.b, c.c.c.c) and we want them to access fixed servers (196.1.1.1 (10), 196.2.2.2 (20), 197.1.1.1 (30)) in the office. All these servers have a real-world IP address which has been given to these external clients.
What I want to do is limit these users to these servers.
On the Serial line, i already have
access-list 100 permit tcp any host 196.1.1.1 eq 10
access-list 100 permit tcp any host 196.2.2.2 eq 20
access-list 100 permit tcp any host 197.1.1.1 eq 30
int s0/0
ip access-group 100 in
Now on the Ethernet Interface.
I want to tighten the security further by saying that the clients a.a.a.a, b.b.b.b, c.c.c.c can only get to 196.1.1.1 (10), 196.2.2.2 (20), 197.1.1.1 (30).
So do I write it like this:
access-list 108 permit ip host 196.1.1.1 host a.a.a.a
access-list 108 permit ip host 196.1.1.1 host b.b.b.b
access-list 108 permit ip host 196.1.1.1 host c.c.c.c
access-list 108 permit ip host 196.2.2.2 host a.a.a.a
access-list 108 permit ip host 196.2.2.2 host b.b.b.b
access-list 108 permit ip host 196.2.2.2 host c.c.c.c
OR
access-list 108 permit ip host a.a.a.a host 196.1.1.1
access-list 108 permit ip host b.b.b.b host 196.1.1.1
access-list 108 permit ip host c.c.c.c host 196.1.1.1
access-list 108 permit ip host a.a.a.a host 196.2.2.2
access-list 108 permit ip host b.b.b.b host 196.2.2.2
access-list 108 permit ip host c.c.c.c host 196.2.2.2
And then on the Ethernet Interface put
int e0/0
ip access-group 108 in
Please, I need your urgent help with the direction thing ....
Thanks
01-29-2003 05:59 AM
ACLs are source/destination.
So if you want to limit incoming IP addresses (a.a.a.a, b.b.b.b, c.c.c.c) to only have access to 196.1.1.1 (or the other servers), then scenario 2 in your example is what you want.
01-29-2003 06:00 AM
You would want to use
access-list 108 permit ip host a.a.a.a host 196.1.1.1
access-list 108 permit ip host b.b.b.b host 196.1.1.1
access-list 108 permit ip host c.c.c.c host 196.1.1.1
access-list 108 permit ip host a.a.a.a host 196.2.2.2
access-list 108 permit ip host b.b.b.b host 196.2.2.2
access-list 108 permit ip host c.c.c.c host 196.2.2.2
The only thing to watch is the implicit deny at the end of all access lists. This access list will allow those clients to connect to the servers, but all other traffic will be dropped.
01-29-2003 06:17 AM
First, if you apply access-list 100 only for external clients (aaa......), only these clients can access your network, because you have not given permission to other clients; "access-list 100 permit ip any any" is not included at the end of your access-list.
About the other access-list on the Ethernet interface, you don't need it, because you are blocking on the serial interface.
01-29-2003 04:30 PM
The ACL for the serial interface looks good, but as wolfrikk said, do not forget the implicit deny.
Since you want to tighten the security further by adding another ACL on the Ethernet interface (which is not really recommended if you do not have enough router CPU resources), like what j.stringer said, scenario 2 is what you want. BUT, you should apply the ACL "outbound" on Ethernet0/0, since the destination is "outside" E0/0.
Hope this helps a bit.
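To make the direction point above concrete, here is a small Python model of how an extended ACL is evaluated and which packets an ACL applied "in" or "out" on an interface actually sees. It is an added example, not code from any of the posts or from Cisco IOS: the Router class, the Packet model, the ACL-syntax subset it parses and the ACL numbers 107 (scenario 1) and 108 (scenario 2) are assumptions, and a.a.a.a, b.b.b.b, c.c.c.c are the thread's own placeholder addresses used here as plain strings.

```python
"""Toy model of Cisco IOS extended-ACL evaluation and of which packets an ACL
applied 'in' or 'out' on an interface sees. Added example for this thread, not
code from the posts or from IOS: Router, Packet and the ACL-syntax subset are
assumptions (real IOS also has wildcard masks, 'established', ranges, logging).
a.a.a.a, b.b.b.b, c.c.c.c are the thread's placeholders, used as opaque strings."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None      # destination port, if any

@dataclass(frozen=True)
class Ace:                           # one entry of an extended ACL
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # "any" or a host address
    dst: str
    eq: Optional[int]                # destination port from "eq N", if given

def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse 'access-list N permit|deny PROTO (any|host A) (any|host B) [eq P]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] not in ("ip", "tcp", "udp"):
        raise ValueError(f"extended ACL needs a protocol keyword: {line!r}")
    pos = 4

    def address() -> str:            # consumes 'any' or 'host X', returns 'any' or X
        nonlocal pos
        assert tok[pos] in ("any", "host"), line
        pos += 1 if tok[pos] == "any" else 2
        return tok[pos - 1]

    src, dst = address(), address()
    eq = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return int(tok[1]), Ace(tok[2], tok[3], src, dst, eq)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto) and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst) and ace.eq in (None, pkt.dport))

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

class Router:
    def __init__(self) -> None:
        self.acls: Dict[int, List[Ace]] = {}
        self.groups: Dict[Tuple[str, str], int] = {}   # (interface, direction) -> ACL

    def add_acl_lines(self, lines: List[str]) -> None:
        for line in lines:
            number, ace = parse_ace(line)
            self.acls.setdefault(number, []).append(ace)

    def access_group(self, interface: str, number: int, direction: str) -> None:
        """Same as 'ip access-group NUMBER in|out' under 'interface X'."""
        self.groups[(interface, direction)] = number

    def forward(self, pkt: Packet, in_if: str, out_if: str) -> str:
        """An inbound ACL is checked as the packet enters in_if, an outbound one as
        it leaves out_if; an interface with no ACL in that direction passes all."""
        for interface, direction in ((in_if, "in"), (out_if, "out")):
            number = self.groups.get((interface, direction))
            if number is not None and evaluate(self.acls[number], pkt) != "permit":
                return f"dropped at {interface} {direction}"
        return "permitted"

# The thread's serial ACL plus the two candidate Ethernet ACLs, numbered 107
# (scenario 1, server as source) and 108 (scenario 2, client as source) here.
SERVERS, CLIENTS = ("196.1.1.1", "196.2.2.2"), ("a.a.a.a", "b.b.b.b", "c.c.c.c")
SERIAL_ACL = ["access-list 100 permit tcp any host 196.1.1.1 eq 10",
              "access-list 100 permit tcp any host 196.2.2.2 eq 20",
              "access-list 100 permit tcp any host 197.1.1.1 eq 30"]
SCENARIO_1 = [f"access-list 107 permit ip host {s} host {c}" for s in SERVERS for c in CLIENTS]
SCENARIO_2 = [f"access-list 108 permit ip host {c} host {s}" for s in SERVERS for c in CLIENTS]

def build_router(ethernet_acl: List[str], number: int) -> Router:
    r = Router()
    r.add_acl_lines(SERIAL_ACL + ethernet_acl)
    r.access_group("s0/0", 100, "in")        # int s0/0 -> ip access-group 100 in
    r.access_group("e0/0", number, "out")    # int e0/0 -> ip access-group N out
    return r

def client_to_server(r: Router, client: str, server: str, port: int) -> str:
    """Packet from the Internet: enters on s0/0, leaves towards the LAN on e0/0."""
    return r.forward(Packet(client, server, "tcp", port), "s0/0", "e0/0")

def server_reply(r: Router, server: str, client: str) -> str:
    """Return traffic enters on e0/0 and leaves on s0/0, so neither ACL above sees it."""
    return r.forward(Packet(server, client), "e0/0", "s0/0")
```

With `build_router(SCENARIO_2, 108)`, `client_to_server(r, "a.a.a.a", "196.1.1.1", 10)` is permitted; the same packet from an unlisted client `x.x.x.x` passes ACL 100 on s0/0 but is dropped at "e0/0 out", and a request for any port other than 10 never gets past "s0/0 in". With `build_router(SCENARIO_1, 107)` even the legitimate client is dropped at "e0/0 out", because every entry names the server as the source of a packet that is actually travelling client to server. The server's reply enters on e0/0 and leaves on s0/0, a direction in which no ACL is applied, so it is passed. The parser also rejects an entry with no protocol keyword after permit, which is what IOS does for an extended (100-199) list.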
01-31-2003 02:46 AM
Thanks. So can I configure list 2 and apply it onto the serial interface as
access-list 108 permit tcp host a.a.a.a host 196.1.1.1 eq 10
access-list 108 permit tcp host b.b.b.b host 196.1.1.1 eq 10
access-list 108 permit tcp host c.c.c.c host 196.1.1.1 eq 10
access-list 108 permit tcp host a.a.a.a host 196.2.2.2 eq 20
access-list 108 permit tcp host b.b.b.b host 196.2.2.2 eq 20
access-list 108 permit tcp host c.c.c.c host 196.2.2.2 eq 20
access-list 108 permit tcp host a.a.a.a host 197.1.1.1 eq 30
access-list 108 permit tcp host b.b.b.b host 197.1.1.1 eq 30
access-list 108 permit tcp host c.c.c.c host 197.1.1.1 eq 30
int s0/0
ip access-group 108 in
so that it will not use up the CPU of the router too much. Then the implicit deny will deny all other users.
The access list 100 I wrote before means that all users will get past the serial interface, go through the router and then get stopped only as they pass through the Ethernet interface. Is this correct?
Thank you all so much for your help.