Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

access list

I need to create an access list to allow incoming traffic to use pop3, www, domain, smtp, telnet, and a few other ports, and also another list to allow access out from the internal network, but not allow anything else.

the list i have is

access-list 100 permit ip any any

access-list 101 deny ip 10.0.0.0 0.0.0.255 any

access-list 101 permit tcp any any established

access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq pop3

access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq www

access-list 101 permit icmp any 10.0.0.1 0.0.0.255

access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq 5631

access-list 101 permit udp any 10.0.0.1 0.0.0.255 eq 5632

access-list 101 permit udp any 10.0.0.1 0.0.0.255 eq domain

access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq smtp

access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq telnet

access-list 101 permit tcp any 10.0.0.1 0.0.0.255 eq 5900

the provider is connected to s0.1 point to point and the internal network is connected to e0. Should I apply list 100 to e0 and apply list 101 to s0.1???

without the list I can access my dns server but as soon as I apply the list, no access to the internet.

I have list 100 applied to e0 and list 101 applied to s0.1 right now. Anyone now a better way to write this list, and which interface I should apply the list too??

  • Other Security Subjects
6 REPLIES

Re: access list

First remove acl 100, it does nothing for you (permit any any is a waste of time). Filter something or remove it.

Apply acl 101 inbound on interface s0.1. Is 10.0.0.1 a fake IP you posted on this list or are you using NAT? Also, the mask is wrong, should be either "host 10.0.0.1" (if using nat) or "10.0.0.0 0.0.0.255".

Hope it helps.

Steve

New Member

Re: access list

Thanks steve.

The address is fake, so I kinda just wrote it. Sorry about the incorrect mask. I didn't write out the config and Im trying to fix it. But the one line that I am wondering about is the first line access-list 101 deny ip 10.0.0.0 0.0.0.255 any

would't that deny anyone from any access, since to me it basically says deny all Ip services to all from the address we use?

But besides that, does everything look alright?

Re: access list

This acl is applied inbound on the outside interface (ie interface facing your ISP). In the example 10.0.0.0 is your network, so to prevent spoofing (someone using your IP) deny it. Remember the acl is read source then destination, so that line reads "source IP of your network trying to access any network, including yours". Why would any packets with a source IP of your network try and enter your network. It's good practice to deny those sorts of things.

Put a line at the end to help you catch things you may miss - "acl 101 deny ip any any log" and do a show log to see packets that hit that last line.

Steve

New Member

Re: access list

steve sorry to bug you again, but I am trying to figure out how if you have that line acl 101 deny ip any any

wont that deny everyone??? I mean if you say all to source and destination Ip's isnt that basicall saying deny all access???

Re: access list

Yes you are right, that's why you place it at the end of the acl. It is there by default anyway (the implicit deny), the only reason to add it is for the keyword "log" at the end. It will log (syslog and show log) what packets are getting blocked, so you can see what is happening and act accordingly (ie change your acl to allow what is getting blocked as the blocking was a mistake and you want to allow that traffic or keep blocking that traffic as you don't want it allowed in).

Steve

New Member

Re: access list

thanks alot steve!!! :)

You cleared up alot!!!!!!!

157
Views
4
Helpful
6
Replies
This widget could not be displayed.