Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
748
Views
5
Helpful
7
Replies

Extended ACL Issue

Go to solution
jrosetta1
Level 1
Level 1

‎05-05-2009 09:05 PM - edited ‎02-20-2020 09:41 PM

I have a question, I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in the one exercise I am doing.

I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud") PC1 is connected to R1 which is obviously connected to R2.

ip-access-list extended ACL_TCP

deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established

permit tcp any any established

Is there a better way to do this? Does this extended ACL work for my purpose?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to jrosetta1

‎05-06-2009 12:10 PM

Say R2's address is 192.168.1.2, and you want to only allow that address. You would create the acl on R1 and R3, and they would look like:

R1: 192.168.1.1

R3: 192.168.1.3

access-list 23 permit host 192.168.1.2

you can apply this to your line on R1 and R3:

line vty 0 4

access-class 23 in

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to jrosetta1

‎05-06-2009 01:22 PM

If fa0/0 is your internet-facing side, then yes it would. Your fa0/1 would be lan-facing. Wherever you put the public ip address that the provider gives you is where you'd put the acl, and it would go in the inbound direction.

access-class can use either standard or extended acls.

ip access-list ext TELNET

permit ip host 192.168.1.2 any eq 23

line vty 0 4

access-class TELNET in

That should work =)

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful
7 Replies 7

Go to solution
John Blakley
VIP Alumni
VIP Alumni

‎05-06-2009 11:46 AM

What direction did you apply this? I'm assuming in the inbound direction?

Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.

Try the following:

ip access-list ext ACL_TCP

deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http

deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp

deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet

Apply to your loopback:

ip access-group ACL_TCP in

Next question:

Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?

HTH,

John

HTH, John *** Please rate all useful posts ***

Go to solution
jrosetta1
Level 1
Level 1
In response to John Blakley

‎05-06-2009 12:03 PM

Thank you for the help! I figured it would be easier just to do the three statements than what I was trying to do.

Its applied to the inbound interface correct. I figured that was the correct way to stop those three to getting to PC1.

In this excersise, there is an internet cloud not connected to any physical interface but just the loop back. The two physical interfaces are connected to R1 and R3.

Another question I have is still pertaining to ACL's. It says Allow telnet to R1 and R3 from R2 only. I am kinda confused on this one.

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to jrosetta1

‎05-06-2009 12:10 PM

Say R2's address is 192.168.1.2, and you want to only allow that address. You would create the acl on R1 and R3, and they would look like:

R1: 192.168.1.1

R3: 192.168.1.3

access-list 23 permit host 192.168.1.2

you can apply this to your line on R1 and R3:

line vty 0 4

access-class 23 in

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
jrosetta1
Level 1
Level 1
In response to John Blakley

‎05-06-2009 12:53 PM

Ok that makes sense, I was confused because how it was worded. The telnet would be a standard ACL?

The previous question I had about the extended ACL, apparently that loopback will be on a f0/0. So I would apply that extended ACL on that interface on the inbound correct?

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to jrosetta1

‎05-06-2009 01:22 PM

If fa0/0 is your internet-facing side, then yes it would. Your fa0/1 would be lan-facing. Wherever you put the public ip address that the provider gives you is where you'd put the acl, and it would go in the inbound direction.

access-class can use either standard or extended acls.

ip access-list ext TELNET

permit ip host 192.168.1.2 any eq 23

line vty 0 4

access-class TELNET in

That should work =)

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
jrosetta1
Level 1
Level 1
In response to John Blakley

‎05-06-2009 01:36 PM

Thank you very much for your input! If I have any more issues with ACL's I will post more in this thread.

You helped me clear up a-lot of stuff.

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to jrosetta1

‎05-06-2009 01:41 PM

Always glad to hear it helped :)

I realized I made a typo:

I put ip on the acl, but it should be tcp if you're going to use the port on the end of the acl. Otherwise, it would just be:

permit ip host 192.168.1.1 any

:)

Thanks for the ratings!!

John

HTH, John *** Please rate all useful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents