I need to create an access list to allow incoming traffic to use pop3, www, domain, smtp, telnet, and a few other ports, and also another list to allow access out from the internal network, but not allow anything else.
The list I have is:
access-list 100 permit ip any any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq pop3
access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq www
access-list 101 permit icmp any 10.0.0.1 0.0.0.255
access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq 5631
access-list 101 permit udp any 10.0.0.1 0.0.0.255 eq 5632
access-list 101 permit udp any 10.0.0.1 0.0.0.255 eq domain
access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq smtp
access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq telnet
access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq 5900
The provider is connected to s0.1 point-to-point and the internal network is connected to e0. Should I apply list 100 to e0 and apply list 101 to s0.1?
Without the list I can access my DNS server, but as soon as I apply the list, there is no access to the internet.
I have list 100 applied to e0 and list 101 applied to s0.1 right now. Does anyone know a better way to write this list, and which interface I should apply the list to?
First remove acl 100, it does nothing for you (permit any any is a waste of time). Filter something or remove it.
Apply acl 101 inbound on interface s0.1. Is 10.0.0.1 a fake IP you posted on this list or are you using NAT? Also, the mask is wrong, should be either "host 10.0.0.1" (if using nat) or "10.0.0.0 0.0.0.255".
The address is fake, so I kind of just wrote it. Sorry about the incorrect mask. I didn't write out the config and I'm trying to fix it. But the one line that I am wondering about is the first line: access-list 101 deny ip 10.0.0.0 0.0.0.255 any
Wouldn't that deny anyone from any access, since to me it basically says deny all IP services to all from the address we use?
This acl is applied inbound on the outside interface (i.e. the interface facing your ISP). In the example 10.0.0.0 is your network, so to prevent spoofing (someone using your IP) deny it. Remember the acl is read source then destination, so that line reads "source IP of your network trying to access any network, including yours". Why would any packets with a source IP of your network try and enter your network? It's good practice to deny those sorts of things.
Put a line at the end to help you catch things you may miss - "acl 101 deny ip any any log" and do a show log to see packets that hit that last line.
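The source-then-destination matching and the trailing "deny ip any any log" line described in this answer, as an added example that is not part of the thread: a small Python evaluator for Cisco-style extended ACLs. It parses a corrected copy of the poster's access-list 101 (mask fixed to 10.0.0.0 0.0.0.255 as suggested above, and the logged deny appended), then runs constructed sample packets through it top-down with first-match semantics and an implicit deny at the end. The Packet and Rule helpers, the sample packet names and the addresses (RFC 5737 documentation ranges) are my assumptions, not anything from the original posts.

```python
# Added example, not from the thread: a toy evaluator for Cisco-style
# extended ACLs, used to walk sample packets through a corrected copy of
# the poster's access-list 101 the way IOS does (top-down, first match wins,
# implicit deny at the end).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Named ports as IOS accepts them on an "eq" clause.
PORT_NAMES = {"pop3": 110, "www": 80, "domain": 53, "smtp": 25, "telnet": 23}

# Corrected ACL (mask fixed, logged deny appended); 10.0.0.0/24 stands in
# for the poster's inside network, as in the thread.
ACL_101 = """
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any 10.0.0.0 0.0.0.255 eq pop3
access-list 101 permit tcp any 10.0.0.0 0.0.0.255 eq www
access-list 101 permit icmp any 10.0.0.0 0.0.0.255
access-list 101 permit tcp any 10.0.0.0 0.0.0.255 eq 5631
access-list 101 permit udp any 10.0.0.0 0.0.0.255 eq 5632
access-list 101 permit udp any 10.0.0.0 0.0.0.255 eq domain
access-list 101 permit tcp any 10.0.0.0 0.0.0.255 eq smtp
access-list 101 permit tcp any 10.0.0.0 0.0.0.255 eq telnet
access-list 101 permit tcp any 10.0.0.0 0.0.0.255 eq 5900
access-list 101 deny ip any any log
"""


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP segment with ACK or RST set (not the opening SYN)


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[Tuple[int, int]]   # (address, wildcard) as ints; None means "any"
    dst: Optional[Tuple[int, int]]
    dport: Optional[int]
    established: bool
    log: bool
    text: str


def _addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard')."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq port] [established] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        dport = None
        if "eq" in rest:
            p = rest[rest.index("eq") + 1]
            dport = PORT_NAMES.get(p) or int(p)
        rules.append(Rule(action, proto, src, dst, dport,
                          "established" in rest, "log" in rest, line.strip()))
    return rules


def _match_addr(spec, addr):
    """Wildcard semantics: a 1 bit in the wildcard means that bit is ignored."""
    if spec is None:
        return True
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def evaluate(rules, pkt):
    """Return (action, matching line); the implicit deny applies if nothing matches."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if not (_match_addr(r.src, pkt.src) and _match_addr(r.dst, pkt.dst)):
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        # "established" only ever matches TCP; UDP and ICMP have no equivalent.
        if r.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        return r.action, r.text
    return "deny", "(implicit deny)"


# Constructed sample packets arriving inbound on the ISP-facing interface.
SAMPLES = {
    "spoofed_inside_source": Packet("tcp", "10.0.0.5", "10.0.0.10", 40000, 80),
    "inbound_smtp_syn": Packet("tcp", "198.51.100.7", "10.0.0.10", 40000, 25),
    "web_reply_to_inside": Packet("tcp", "203.0.113.80", "10.0.0.10", 80, 51000, ack_or_rst=True),
    "dns_reply_to_inside": Packet("udp", "203.0.113.53", "10.0.0.10", 53, 51234),
}


def run_samples(acl_text=ACL_101):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, line) in run_samples().items():
        print(f"{name:24s} {action:6s} <- {line}")
```

Running it shows the point of the answer: the anti-spoof line matches on the source address only, so the inbound SMTP SYN and the returning web traffic still reach their permit lines. It also shows what the logged deny at the end is for: "established" matches only TCP segments with ACK or RST set, so a UDP DNS answer coming back to an inside host has nothing equivalent to match and falls through to "deny ip any any log", which is exactly the kind of drop a "show log" after applying the list would surface.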
Yes you are right, that's why you place it at the end of the acl. It is there by default anyway (the implicit deny), the only reason to add it is for the keyword "log" at the end. It will log (syslog and show log) what packets are getting blocked, so you can see what is happening and act accordingly (ie change your acl to allow what is getting blocked as the blocking was a mistake and you want to allow that traffic or keep blocking that traffic as you don't want it allowed in).