Catalyst ACL Question
I am trying to set up a Catalyst 3550 and previously have only limited experience with a PIX. What I have done is set up 2 VLANs: 1 for our internal network stuff and 1 for our internet-facing stuff. On the internet-facing stuff I want to limit access to our external web server and only allow a select list of ports in, but allow everything outgoing. I thought I could do this using an extended ACL such as this:

    ip access-list extended Webserver
     permit tcp any eq www any
     permit tcp any eq 443 any
     permit tcp any eq ftp-data any
     permit tcp any eq ftp any
     permit tcp any eq 3389 any
     permit tcp any eq domain any
     deny ip any any

However, when I apply this the computer doesn't seem to be able to see anything on the outside; the inbound filtering does seem to work though.

If anyone has any recommendations I would really appreciate it.

Colin Fischer
Re: Catalyst ACL Question
"newb" <newb@newb.com> wrote in message news:Yz_4d.492815$M95.251050@pd7tw1no...

> I am trying to setup a Catalyst 3550 and previously have only limited experience with a PIX. What I have done is set up 2 VLANs 1 for our internal network stuff and 1 for our internet facing stuff. On the internet facing stuff I want to limit access to our external web server and only allow a select list of ports in but allow everything outgoing. I thought I could do this using an extended ACL such as this
>
> ip access-list extended Webserver
> permit tcp any eq www any
> permit tcp any eq 443 any
> permit tcp any eq ftp-data any
> permit tcp any eq ftp any
> permit tcp any eq 3389 any
> permit tcp any eq domain any
> deny ip any any
>
> However when I apply this the computer doesn't seem to be able to see anything on the outside, the inbound filtering does seem to work though.
>
> If anyone has any recommendations I would really appreciate it.
>
> Colin Fischer

Colin,

You are using source ports instead of destination ports. Your ACL should be like this:

    ip access-list extended Webserver
     permit tcp any any eq www
     permit tcp any any eq 443
     permit tcp any any eq ftp-data
     permit tcp any any eq ftp
     permit tcp any any eq 3389
     permit tcp any any eq domain
     deny ip any any

Source ports are random.

Hope that helps,
Jim
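To make Jim's point concrete, here is an added example (not from the thread or from Cisco) that parses both ACLs exactly as posted and evaluates a constructed client connection against them; the ephemeral source port 51234 and the simplified `any`-only address handling are assumptions of the example.

```python
# Added example, not from the thread: a minimal matcher for the two ACLs posted
# above, showing why matching on the *source* port breaks the intended policy.
PORT_NAMES = {"www": 80, "ftp-data": 20, "ftp": 21, "domain": 53}  # IOS keywords
def parse_entry(line):
    """'<permit|deny> <proto> any [eq P] any [eq P]' -> (action, proto, sport, dport)."""
    tok = line.split()
    action, proto, rest, ports = tok[0], tok[1], tok[2:], []
    for _ in range(2):  # source spec first, then destination spec
        assert rest.pop(0) == "any"  # example handles 'any' addresses only
        if rest[:1] == ["eq"]:
            ports.append(PORT_NAMES.get(rest[1]) or int(rest[1]))
            rest = rest[2:]
        else:
            ports.append(None)  # no 'eq': any port matches
    return action, proto, ports[0], ports[1]

def parse_acl(text):
    lines = [l.strip() for l in text.splitlines()]
    return [parse_entry(l) for l in lines if l.startswith(("permit", "deny"))]

def evaluate(acl, proto, sport, dport):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    for action, p, s, d in acl:
        if p in (proto, "ip") and s in (None, sport) and d in (None, dport):
            return action
    return "deny"

ORIGINAL = parse_acl("""
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit tcp any eq ftp-data any
 permit tcp any eq ftp any
 permit tcp any eq 3389 any
 permit tcp any eq domain any
 deny ip any any""")
CORRECTED = parse_acl("""
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp-data
 permit tcp any any eq ftp
 permit tcp any any eq 3389
 permit tcp any any eq domain
 deny ip any any""")

def verdicts(sport=51234, dport=80):
    """Constructed client SYN to web port 80 from a random ephemeral source port."""
    return {"original": evaluate(ORIGINAL, "tcp", sport, dport),
            "corrected": evaluate(CORRECTED, "tcp", sport, dport)}
if __name__ == "__main__":
    print(verdicts())  # {'original': 'deny', 'corrected': 'permit'}
```

The original ACL only ever matches packets whose source port is 80, 443, etc., which is the reply traffic coming back from remote servers, not a client's connection to the web server; the corrected one matches on the destination port, so the web server's services are reachable while everything else still hits `deny ip any any`.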