
New Member

ACLs on a router

Hi guys,

I need to restrict inbound connections to port 5001 and 5000 which are natted to 3389 on two different internal servers for access by only a handful of IPs. Problem is there is no firewall, just a 1760 router. How should I configure the access list so as to not disturb any of the other routed services? It seems as though access lists on this router are configured for the whole device, not per interface...

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ACLs on a router

Hi Geordie,

It would have been nice if you had provided the router config.

However, here is an outline of what can be done to achieve this.

In global config, create an extended access list (placeholder names in angle brackets stand for your own addresses):

access-list 101 permit tcp host <ValidIpAddress1> host <NatIpServer1> range 5000 5001
access-list 101 permit tcp host <ValidIpAddress1> host <NatIpServer2> range 5000 5001
access-list 101 deny tcp any host <NatIpServer1> range 5000 5001
access-list 101 deny tcp any host <NatIpServer2> range 5000 5001
access-lists 101 permit any any

Under your incoming interface, apply this access list as follows:

ip access-group 101 in

Now, access list 101 will allow access to your NatIpServer1 and NatIpServer2 on ports 5000 and 5001 only from the host that you have mentioned (ValidIpAddress1).

It will deny access to NatIpServer1 and NatIpServer2 on ports 5000 and 5001 from anyone else.

Finally, you have to place the permit any any statement at the end of the access list to allow the other traffic hitting your router via the incoming interface.

Hope this helps..

-VJ

7 REPLIES
Silver

Re: ACLs on a router

No, you have to define the ACL first, by a distinct number or name. Then apply that ACL by number or name to the interface on which you want to enable it.

Check below for the info:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080430e5b.html

Hope this helps.

Re: ACLs on a router

Hi Geordie,

There is a typo in access-list 101. The last line of access-list 101 should be "access-list 101 permit ip any any". Sorry about that.

-VJ

Hall of Fame Super Silver

Re: ACLs on a router

I am not sure why Geordie believes that access lists are configured for the router as a whole and not done per interface. As several responses have pointed out access lists for routers (including the 1700 series) are applied per interface with the access-group command. Perhaps Geordie can clarify what made him think that they did not work per interface on his router.

HTH

Rick

New Member

Re: ACLs on a router

Sorry Rick I was confused. I am still finding my feet on access lists and because the list is created at global config (but applied to the interface using access-group as you state) I got my wires crossed.

New Member

Re: ACLs on a router

Hi VJ,

Thanks so much man, this is exactly what I needed. One last question: NAT maps 5000 and 5001 to 3389 on two different internal servers. Should the syntax reflect the local port numbers of those servers (i.e. 3389) or the NATted ports on the WAN interface (5000 and 5001)?

Re: ACLs on a router

Hi Geordie,

The syntax should reflect the NATted port numbers. Only after the access list is processed will NAT take effect.

You can have a look at this URL, which explains the order of operations when NAT and access lists are applied on an interface.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

-VJ
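To make the behaviour VJ describes concrete, here is an added example (not from this thread or from Cisco IOS itself): a small Python evaluator for the extended numbered ACL shape used in the accepted answer. It applies IOS first-match semantics with the implicit deny, and shows why the entries must name the NATted ports 5000 and 5001 rather than 3389, since the inbound ACL is checked before NAT translates the packet. The IP addresses are constructed placeholders standing in for ValidIpAddress1, NatIpServer1 and NatIpServer2.

```python
# Added example, not from the thread: a first-match evaluator for the extended
# numbered ACL shape in the accepted answer, checked against sample packets.
# Addresses are constructed placeholders for ValidIpAddress1 / NatIpServer1/2.
VALID_IP = "203.0.113.10"
NAT_SERVER1 = "198.51.100.1"
NAT_SERVER2 = "198.51.100.2"

ACL_101 = [
    f"access-list 101 permit tcp host {VALID_IP} host {NAT_SERVER1} range 5000 5001",
    f"access-list 101 permit tcp host {VALID_IP} host {NAT_SERVER2} range 5000 5001",
    f"access-list 101 deny tcp any host {NAT_SERVER1} range 5000 5001",
    f"access-list 101 deny tcp any host {NAT_SERVER2} range 5000 5001",
    "access-list 101 permit ip any any",  # VJ's corrected final line
]

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (remaining tokens, matcher)."""
    if tokens[0] == "any":
        return tokens[1:], lambda ip: True
    if tokens[0] == "host":
        host = tokens[1]
        return tokens[2:], lambda ip: ip == host
    raise ValueError(f"unsupported address form: {tokens[0]}")

def parse_ace(line):
    """Parse one 'access-list N permit|deny proto src dst [range lo hi]' entry."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    rest, src = _addr(t[4:])
    rest, dst = _addr(rest)
    if rest and rest[0] == "range":
        lo, hi = int(rest[1]), int(rest[2])
        dport = lambda p: lo <= p <= hi
    elif rest:
        raise ValueError(f"unsupported port form: {rest[0]}")
    else:
        dport = lambda p: True
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """Entries are tested top to bottom and the first match wins; no match
    falls through to the implicit deny at the end of every IOS ACL."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"](src_ip) and ace["dst"](dst_ip) and ace["dport"](dport):
            return ace["action"]
    return "deny"
```

Feeding the same ACL rewritten for port 3389 shows the point of VJ's last answer: an inbound packet to port 5000 matches none of the 3389 entries and is let through by the final permit ip any any, so the restriction would be ineffective.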
