Need advice on extended ACL

HoustonG33K
Level 1

I have placed a 2801 router at a competitor/customer site that is involved in a joint project. We have set up a server for them to use as a share drive. I am trying to place a very tight ACL to only give them access to the IP 10.20.200.11. I know it's easier to build in the SDM, but I want to learn how to effectively do it manually. This is an example of what I came up with. Please don't laugh, it's my first ACL.

access-list 101 permit ip any host 10.20.200.11

access-list 101 permit icmp any host 10.20.200.11

access-list 101 permit tcp any host 10.20.200.11

access-list 101 permit udp any host 10.20.200.11

2 Replies

Jon Marshall
Hall of Fame

Donnie

The first line

access-list 101 permit ip any host 10.20.200.11

is the only one you need because the "permit ip" covers icmp/tcp & udp.

But even the first line is somewhat open. Do you know the customer subnet range, and do you know what they want to access on your server?

So for example, if their local network was 192.168.5.0/24 and they wanted to use http & telnet:

access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 23

access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 80

There is nothing wrong with using the "permit ip", you just need to be aware of what it is allowing.

Jon
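To see why the first line alone covers the other three, and how much tighter Jon's version is, here is a small evaluator for numbered extended ACLs, added as an illustration and not code from the thread or from Cisco. It implements the IOS matching rules (first match wins, wildcard-mask bits set to 1 are "don't care", and an implicit deny follows the last line) and runs both ACLs from the thread against constructed packets. The sample source addresses and destination ports are assumptions.

```python
"""Simulate Cisco IOS numbered extended ACL evaluation: first match wins,
wildcard masks mark "don't care" bits, and an implicit deny follows the last
line. The ACL text below is taken from the thread; the packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol keywords accepted in the ACL text; "ip" matches every IP protocol.
PROTOCOLS = {"ip", "icmp", "tcp", "udp"}
PORT_NAMES = {"telnet": 23, "www": 80, "http": 80}


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "icmp", "tcp" or "udp"
    src: tuple             # (address as int, wildcard as int)
    dst: tuple
    dport: Optional[int]   # from "eq <port>", or None when absent


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            raise ValueError("not an access-list line: " + line)
        action, proto, rest = tok[2], tok[3], tok[4:]
        if proto not in PROTOCOLS:
            raise ValueError("unsupported protocol: " + proto)
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def addr_matches(spec, addr):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'ignore this bit'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def first_match(entries, proto, src, dst, dport=None):
    """Index of the first matching entry, or None (which IOS treats as deny)."""
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not addr_matches(e.src, src) or not addr_matches(e.dst, dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return i
    return None


def decide(entries, proto, src, dst, dport=None):
    """The action IOS would take: the matched line's action, or the implicit deny."""
    i = first_match(entries, proto, src, dst, dport)
    return "deny (implicit)" if i is None else entries[i].action


# The original poster's four lines, as posted in the thread.
ORIGINAL = parse_acl("""
access-list 101 permit ip any host 10.20.200.11
access-list 101 permit icmp any host 10.20.200.11
access-list 101 permit tcp any host 10.20.200.11
access-list 101 permit udp any host 10.20.200.11
""")

# Jon's tightened version for a 192.168.5.0/24 partner network needing telnet and http.
TIGHTENED = parse_acl("""
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 23
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 80
""")

if __name__ == "__main__":
    # Constructed packets; 172.16.0.5 and port 445 are placeholder values.
    print("original, udp/53 to the server:", first_match(ORIGINAL, "udp", "172.16.0.5", "10.20.200.11", 53))
    print("original, tcp/445 to another host:", decide(ORIGINAL, "tcp", "172.16.0.5", "10.20.200.12", 445))
    print("tightened, http from partner LAN:", decide(TIGHTENED, "tcp", "192.168.5.20", "10.20.200.11", 80))
    print("tightened, tcp/445 from partner LAN:", decide(TIGHTENED, "tcp", "192.168.5.20", "10.20.200.11", 445))
```

Every packet to 10.20.200.11 matches the original ACL at index 0, so the icmp, tcp and udp lines are never reached, which is Jon's point about "permit ip" covering them. The tightened list shows the other side of the same rule: anything not explicitly permitted, including ICMP from the partner LAN and any port other than 23 and 80, falls through to the implicit deny at the end.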

Jon, they are only accessing a drive on the server. I want to lock it down so that they don't see anything else on the network except for the drive on 10.20.200.11. I was going to apply it in on the serial/T1 out.

Thank you very much for the help.
