Velocity Reviews


Brian 03-24-2009 08:36 PM

basic ACL help pls
 
I need some basic IOS ACL help. We have the following config:

version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
!
boot-start-marker
boot-end-marker
!
no logging console
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
ip address 1.2.3.4 255.255.255.248
speed 100
full-duplex
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
!
interface Serial0/0.1 point-to-point
bandwidth 1536
ip address 4.5.6.7 255.255.255.252
ip access-group 120 in
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface Serial1/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
no cdp run
!
line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
line aux 0
login
transport input all
line vty 0 4
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
login
line vty 5 15
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
login
!
!
end



The FE interface is a public IP. The device connected to this is a VPN device
that also has an IP in the range, let's say 1.2.3.5. I need to pass ALL traffic
destined for 1.2.3.5 but I don't want the FE interface on 1.2.3.4 or the serial
interface on 4.5.6.7 to be pingable or accessible by telnet. Can someone help
me with the ACL for this?

Thanks...

bod43 03-24-2009 11:29 PM

Re: basic ACL help pls
 
On 24 Mar, 20:36, Brian <see_foo...@bottom.com> wrote:
> The FE interface is a public IP. The device connected to this is a VPN device
> that also has an IP in the range, let's say 1.2.3.5. I need to pass ALL traffic
> destined for 1.2.3.5 but I don't want the FE interface on 1.2.3.4 or the serial
> interface on 4.5.6.7 to be pingable or accessible by telnet. Can someone help
> me with the ACL for this?
>
> Thanks...


Well, sure, however doing this while clueless is not exactly
the best plan ever. It's not that hard to work out.

I suggest that you figure out what this will do
before applying it.

! Assuming:-
! Serial 0/0.1 is your Internet interface.
! That you want to block traffic from the Internet
! as you have defined.
! You want to use access-list 120 as already applied
! but not defined.


! Let's remove the access-group command to prevent the partially
! configured access list from becoming active.

int se 0/0.1
no ip access-group 120 in

! block icmp echo request packets - ping request
access-l 120 deny icmp any host 1.2.3.4 echo
access-l 120 deny icmp any host 4.5.6.7 echo

! block telnet - tcp port 23
access-l 120 deny tcp any host 1.2.3.4 eq 23
access-l 120 deny tcp any host 4.5.6.7 eq 23
access-l 120 permit ip any any

! Check that the config is as you expect
! then ...

! Now apply the ACL to the interface (the earlier "no ip access-group"
! only removed it; this re-attaches list 120 inbound)

int se 0/0.1
ip access-group 120 in
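One way to do that checking offline, as an added example that is not part of the reply: this Python parses the five access-l lines above and evaluates sample packets against them the way IOS does, first match wins with an implicit deny at the end. The outside source 203.0.113.9 is a constructed address, and the parser only covers the address forms and the echo / eq qualifiers used in this list.

```python
import ipaddress

# Constructed copy of the ACL proposed in the reply above (IOS extended ACL 120).
ACL_120 = """\
access-l 120 deny icmp any host 1.2.3.4 echo
access-l 120 deny icmp any host 4.5.6.7 echo
access-l 120 deny tcp any host 1.2.3.4 eq 23
access-l 120 deny tcp any host 4.5.6.7 eq 23
access-l 120 permit ip any any"""

ICMP_TYPES = {"echo": 8, "echo-reply": 0}  # IOS keyword -> ICMP type number

def ip2int(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(t):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if t[0] == "any":
        return t[1:], (0, 0xFFFFFFFF)
    if t[0] == "host":
        return t[2:], (ip2int(t[1]), 0)
    return t[2:], (ip2int(t[0]), ip2int(t[1]))

def parse_acl(text):
    """Parse 'access-l N action proto src dst [eq PORT | icmp-keyword]' lines."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        t, src = parse_addr(t[4:])
        t, dst = parse_addr(t)
        port = int(t[1]) if t[:1] == ["eq"] else None
        icmp = ICMP_TYPES[t[0]] if t and proto == "icmp" else None
        entries.append((action, proto, src, dst, port, icmp))
    return entries

def wc_match(ip, spec):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    return (ip2int(ip) | wild) == (addr | wild)

def evaluate(entries, proto, src, dst, port=None, icmp=None):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, s, d, e_port, e_icmp in entries:
        if (p in ("ip", proto) and wc_match(src, s) and wc_match(dst, d)
                and e_port in (None, port) and e_icmp in (None, icmp)):
            return action
    return "deny"

ACL = parse_acl(ACL_120)
```

evaluate(ACL, "icmp", "203.0.113.9", "1.2.3.4", icmp=8) returns "deny" while the same echo to 1.2.3.5 returns "permit"; an echo-reply to 1.2.3.4 and TCP/22 to 4.5.6.7 are still permitted, because the list matches only ICMP type 8 and TCP port 23.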



Thrill5 03-25-2009 06:13 AM

Re: basic ACL help pls
 
Inbound telnet access to the router should be applied using an ACL on the
VTY ports, not on the interfaces.

! 0.255.255.255 is the IOS wildcard for 10.0.0.0/8 (a 1 bit means "don't care");
! a subnet mask such as 255.0.0.0 in this position would match the wrong sources
access-list 1 permit 10.0.0.0 0.255.255.255

! the config above also defines "line vty 5 15"; give it the same access-class
line vty 0 4
 access-class 1 in

This will allow inbound telnet sessions that have a "10" source address.
This is much more secure than blocking each inbound interface because it is
applied globally to all inbound telnet sessions to the router.
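As an added check that is not part of the reply, the snippet below derives the IOS wildcard for 10.0.0.0/8 and shows why a subnet mask (255.0.0.0) typed in the wildcard position of a standard ACL permits the wrong sources: with that value only the last three octets are compared. The sources 10.1.2.3, 203.0.0.0 and 203.0.113.9 are constructed sample addresses.

```python
import ipaddress

def wildcard_for(prefix):
    """IOS wildcard mask for a CIDR prefix: the bitwise inverse of the netmask."""
    net = ipaddress.IPv4Network(prefix)
    return str(ipaddress.IPv4Address(int(net.netmask) ^ 0xFFFFFFFF))

def std_acl_matches(source, acl_addr, wildcard):
    """Standard ACL test as IOS performs it: only bits that are 0 in the
    wildcard are compared; a 1 bit means 'don't care'."""
    s, a, w = (int(ipaddress.IPv4Address(x)) for x in (source, acl_addr, wildcard))
    return (s | w) == (a | w)

def access_class_decision(source, entries):
    """Walk a standard ACL given as (action, address, wildcard) tuples in order;
    like IOS, fall through to an implicit deny when nothing matches."""
    for action, addr, wc in entries:
        if std_acl_matches(source, addr, wc):
            return action
    return "deny"

# Constructed comparison: a subnet mask mistakenly typed in the wildcard
# position, next to the real wildcard for 10.0.0.0/8.
MASK_AS_WILDCARD = [("permit", "10.0.0.0", "255.0.0.0")]
CORRECT_WILDCARD = [("permit", "10.0.0.0", wildcard_for("10.0.0.0/8"))]

if __name__ == "__main__":
    for src in ("10.1.2.3", "203.0.0.0", "203.0.113.9"):
        print(src, access_class_decision(src, MASK_AS_WILDCARD),
              access_class_decision(src, CORRECT_WILDCARD))
```

With the mask in the wildcard position, 10.1.2.3 is denied and 203.0.0.0 is permitted; with 0.255.255.255 the whole 10/8 range is permitted and everything else falls to the implicit deny.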

bod43 03-25-2009 07:29 PM

Re: basic ACL help pls
 
On 25 Mar, 06:13, "Thrill5" <nos...@somewhere.com> wrote:
> Inbound telnet access to the router should be applied using an ACL on the
> VTY ports, not on the interfaces.


Seems a fine plan. Thanks.

Brian 03-27-2009 02:25 AM

Re: basic ACL help pls
 
"Thrill5" <nospam@somewhere.com> wrote:

Can you show me what the ACLs would look like for the entire setup?

