Cisco Support Community
Community Member

Need advice on extended ACL

I have placed a 2801 router at a competitor/customer site that is involved in a joint project. We have set up a server for them to use as a share drive. I am trying to place a very tight ACL to only give them access to the IP 10.20.200.11. I know it's easier to build in the SDM but I want to learn how to effectively do it manually. This is an example of what I came up with. Please don't laugh, it's my first ACL.

access-list 101 permit ip any host 10.20.200.11
access-list 101 permit icmp any host 10.20.200.11
access-list 101 permit tcp any host 10.20.200.11
access-list 101 permit udp any host 10.20.200.11

2 REPLIES
Hall of Fame Super Blue

Re: Need advice on extended ACL

Donnie

The first line

access-list 101 permit ip any host 10.20.200.11

is the only one you need because the "permit ip" covers icmp/tcp & udp.

But even the first line is somewhat open. Do you know the customer subnet range, and do you know what they want to access on your server?

So for example, if their local network was 192.168.5.0/24 and they wanted to use http & telnet:

access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 23
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 80

There is nothing wrong with using the "permit ip", you just need to be aware of what it is allowing.

Jon
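To make Jon's two points concrete (the first "permit ip" line already covers icmp/tcp/udp, so the other three lines never match; and narrowing source subnet and port changes what gets through), here is a small ACL evaluator added for this thread. It is not Cisco code and not part of either post: it parses the numbered extended ACL syntax used above, applies IOS's first-match rule plus the implicit deny at the end, and runs a handful of constructed sample packets through both Donnie's original ACL and Jon's tightened one. The sample addresses (192.168.5.7, 172.16.9.9, 10.20.200.12) and the packet list are assumptions made up for the demonstration.

```python
"""Toy evaluator for Cisco-style numbered extended ACLs.

Added example for this thread (not Cisco code): it mimics the two rules
that matter for the question -- first match wins, and an unmatched packet
hits the implicit 'deny any' at the end -- so the two ACLs from the thread
can be compared on constructed sample traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL exactly as posted in the question.
ORIGINAL_ACL = """
access-list 101 permit ip any host 10.20.200.11
access-list 101 permit icmp any host 10.20.200.11
access-list 101 permit tcp any host 10.20.200.11
access-list 101 permit udp any host 10.20.200.11
"""

# The tightened version from the reply (192.168.5.0/24 is the example customer subnet).
TIGHT_ACL = """
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 23
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 80
"""

@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol; otherwise tcp/udp/icmp
    src: int                 # network address as a 32-bit int
    src_wild: int            # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int
    dst_port: Optional[int]  # only set for "eq N"
    hits: int = 0            # how many sample packets matched this entry

def _addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tok[i].
    Returns (network, wildcard, index of the next token)."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return ip(tok[i + 1]), 0, i + 2
    return ip(tok[i]), ip(tok[i + 1]), i + 2

def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, src_w, i = _addr(tok, 4)
        dst, dst_w, i = _addr(tok, i)
        port = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
        entries.append(Entry(action, proto, src, src_w, dst, dst_w, port))
    return entries

def _in_range(addr: int, net: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; all other bits must equal the network's.
    return ((addr ^ net) & (~wild & 0xFFFFFFFF)) == 0

def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry decides. Returns (action, entry index), or
    ('deny', None) for the implicit deny that ends every IOS ACL."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _in_range(s, e.src, e.src_wild) or not _in_range(d, e.dst, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        e.hits += 1
        return e.action, idx
    return "deny", None

# Constructed sample traffic (assumed addresses): (proto, src, dst, dst_port)
SAMPLE_PACKETS = [
    ("tcp", "192.168.5.7", "10.20.200.11", 80),     # customer -> server, http
    ("tcp", "192.168.5.7", "10.20.200.11", 23),     # customer -> server, telnet
    ("icmp", "192.168.5.7", "10.20.200.11", None),  # customer pings the server
    ("tcp", "192.168.5.7", "10.20.200.12", 80),     # customer -> some other host
    ("tcp", "172.16.9.9", "10.20.200.11", 80),      # a source outside the customer subnet
]

def hit_counts(acl_text: str, packets=SAMPLE_PACKETS) -> List[int]:
    """Run the packets through the ACL and report how often each entry matched."""
    acl = parse_acl(acl_text)
    for proto, src, dst, port in packets:
        evaluate(acl, proto, src, dst, port)
    return [e.hits for e in acl]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("tightened", TIGHT_ACL)):
        acl = parse_acl(text)
        print(name)
        for pkt in SAMPLE_PACKETS:
            print("  ", pkt, "->", evaluate(acl, *pkt))
    print("original hits per entry:", hit_counts(ORIGINAL_ACL))   # [4, 0, 0, 0]
    print("tightened hits per entry:", hit_counts(TIGHT_ACL))     # [1, 1]
```

With the original ACL every sample packet to 10.20.200.11 matches entry 0, so the icmp/tcp/udp entries end up with zero hits, which is exactly why they are redundant. With the tightened ACL only the two permitted ports from the customer subnet get through; ping to the server and anything from another source fall off the end to the implicit deny, so if the customer needs to ping or reach the file share on a different port, that has to be permitted explicitly. In both cases traffic to any other host (10.20.200.12 here) is denied.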

Community Member

Re: Need advice on extended ACL

Jon, they are only accessing a drive on the server. I want to lock it down so that they don't see anything else on the network except for the drive on 10.20.200.11. I was going to apply it in on the serial/T1 out.

Thank you very much for the help.

130 Views, 5 Helpful, 2 Replies