basic ACL help pls
I need some basic IOS ACL help. We have the following config:
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
!
boot-start-marker
boot-end-marker
!
no logging console
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 ip address 1.2.3.4 255.255.255.248
 speed 100
 full-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip address 4.5.6.7 255.255.255.252
 ip access-group 120 in
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
interface Serial1/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
no cdp run
!
line con 0
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
line aux 0
 login
 transport input all
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
 login
line vty 5 15
 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
 login
!
!
end

The FE interface is a public IP. The device connected to this is a VPN device that also has an IP in the range, let's say 1.2.3.5. I need to pass ALL traffic destined for 1.2.3.5, but I don't want the FE interface on 1.2.3.4 or the serial interface on 4.5.6.7 to be pingable or accessible by telnet. Can someone help me with the ACL for this?

Thanks...
Re: basic ACL help pls
On 24 Mar, 20:36, Brian <see_foo...@bottom.com> wrote:
> I need some basic IOS ACL help.  We have the following config:
>
> version 12.3
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> service udp-small-servers
> service tcp-small-servers
> !
> !
> boot-start-marker
> boot-end-marker
> !
> no logging console
> enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> !
> mmi polling-interval 60
> no mmi auto-configure
> no mmi pvc
> mmi snmp-timeout 180
> no aaa new-model
> ip subnet-zero
> ip cef
> !
> !
> !
> no ftp-server write-enable
> !
> !
> !
> !
> interface FastEthernet0/0
>  ip address 1.2.3.4 255.255.255.248
>  speed 100
>  full-duplex
> !
> interface Serial0/0
>  no ip address
>  encapsulation frame-relay IETF
>  no ip mroute-cache
>  no fair-queue
>  service-module t1 timeslots 1-24
> !
> interface Serial0/0.1 point-to-point
>  bandwidth 1536
>  ip address 4.5.6.7 255.255.255.252
>  ip access-group 120 in
>  no cdp enable
>  frame-relay interface-dlci 500 IETF
> !
> interface Serial1/0
>  no ip address
>  shutdown
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> no ip http server
> !
> no cdp run
> !
> line con 0
>  exec-timeout 0 0
>  password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
> line aux 0
>  login
>  transport input all
> line vty 0 4
>  password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
>  login
> line vty 5 15
>  password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
>  login
> !
> !
> end
>
> The FE interface is a public IP.  The device connected to this is a VPN device
> that also has an IP in the range, let's say 1.2.3.5.  I need to pass ALL traffic
> destined for 1.2.3.5 but I don't want the FE interface on 1.2.3.4 or the serial
> interface on 4.5.6.7 to be pingable or accessible by telnet.  Can someone help
> me with the ACL for this?
>
> Thanks...

Well, sure; however, doing this while clueless is not exactly the best plan ever. It's not that hard to work out. I suggest that you figure out what this will do before applying it.

! Assuming:-
!  Serial 0/0.1 is your Internet interface.
!  That you want to block traffic from the Internet
!  as you have defined.
!  You want to use access-list 120 as already applied
!  but not defined.
! Let's remove the access-group command to prevent the partially
! configured access list from becoming active.
int se 0/0.1
 no ip access-group 120 in
! block icmp echo request packets - ping request
access-l 120 deny icmp any host 1.2.3.4 echo
access-l 120 deny icmp any host 4.5.6.7 echo
! block telnet - tcp port 23
access-l 120 deny tcp any host 1.2.3.4 eq 23
access-l 120 deny tcp any host 4.5.6.7 eq 23
access-l 120 permit ip any any
! Check that the config is as you expect
! then ...
! Now apply the ACL to the interface
int se 0/0.1
 ip access-group 120 in
Re: basic ACL help pls
Inbound telnet access to the router should be applied using an ACL on the
VTY ports, not on the interfaces.

access-list 1 permit 10.0.0.0 0.255.255.255

line vty 0 4
 access-class 1 in

This will allow inbound telnet sessions that have a "10" source address. This is much more secure than blocking each inbound interface because it is applied globally to all inbound telnet sessions to the router.

"bod43" <Bod43@hotmail.co.uk> wrote in message news:54bd98fd-7680-4254-814c-08d23fb88d89@z15g2000yqm.googlegroups.com...
> On 24 Mar, 20:36, Brian <see_foo...@bottom.com> wrote:
> > I need some basic IOS ACL help. We have the following config:
> >
> > version 12.3
> > service timestamps debug uptime
> > service timestamps log uptime
> > service password-encryption
> > service udp-small-servers
> > service tcp-small-servers
> > !
> > end
> >
> > The FE interface is a public IP. The device connected to this is a VPN device
> > that also has an IP in the range, let's say 1.2.3.5. I need to pass ALL traffic
> > destined for 1.2.3.5 but I don't want the FE interface on 1.2.3.4 or the serial
> > interface on 4.5.6.7 to be pingable or accessible by telnet. Can someone help
> > me with the ACL for this?
> >
> > Thanks...
>
> Well, sure; however, doing this while clueless is not exactly the best plan ever. It's not that hard to work out. I suggest that you figure out what this will do before applying it.
>
> ! Assuming:-
> !  Serial 0/0.1 is your Internet interface.
> !  That you want to block traffic from the Internet
> !  as you have defined.
> !  You want to use access-list 120 as already applied
> !  but not defined.
> ! Let's remove the access-group command to prevent the partially
> ! configured access list from becoming active.
> int se 0/0.1
>  no ip access-group 120 in
> ! block icmp echo request packets - ping request
> access-l 120 deny icmp any host 1.2.3.4 echo
> access-l 120 deny icmp any host 4.5.6.7 echo
> ! block telnet - tcp port 23
> access-l 120 deny tcp any host 1.2.3.4 eq 23
> access-l 120 deny tcp any host 4.5.6.7 eq 23
> access-l 120 permit ip any any
> ! Check that the config is as you expect
> ! then ...
> ! Now apply the ACL to the interface
> int se 0/0.1
>  ip access-group 120 in
Re: basic ACL help pls
On 25 Mar, 06:13, "Thrill5" <nos...@somewhere.com> wrote:
> Inbound telnet access to the router should be applied using an ACL on the
> VTY ports, not on the interfaces.

Seems a fine plan. Thanks.
Re: basic ACL help pls
"Thrill5" <nospam@somewhere.com> wrote:
|Inbound telnet access to the router should be applied using an ACL on the
|VTY ports, not on the interfaces.
|
|access-list 1 permit 10.0.0.0 0.255.255.255
|
|line vty 0 4
| access-class 1 in
|
|This will allow inbound telnet sessions that have a "10" source address.
|This is much more secure than blocking each inbound interface because it
|is applied globally to all inbound telnet sessions to the router.

Can you show me what the ACLs would look like for the entire setup?
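The following is an added example, not code posted by Brian, bod43 or Thrill5. It is a small Python evaluator for IOS-style access lists that models the two things the replies rely on: IOS wildcard masks (a 1 bit means "don't care", so a /8 is written 0.255.255.255, not 255.0.0.0) and first-match evaluation that ends in an implicit deny. It runs the interface ACL 120 from bod43's reply and a VTY access-class of the kind Thrill5 describes against constructed packets. The addresses 1.2.3.4, 1.2.3.5 and 4.5.6.7 come from the thread; the outside source 203.0.113.9, the `SAMPLE_CONFIG` text and every function name are constructed for this example.

```python
"""Toy evaluator for Cisco IOS-style access lists (added example, not code
from the thread). Models IOS wildcard masks (a 1 bit means "don't care") and
first-match evaluation ending in an implicit deny. Addresses 1.2.3.x and
4.5.6.7 are the thread's; 203.0.113.9 and all names are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits that are 0 in the wildcard mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def wildcard_for_prefix(prefix: str) -> str:
    """IOS wildcard for a CIDR prefix: the inverse of its subnet mask."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # e.g. "echo" for a ping request

def _take_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))

def parse_acl(text: str):
    """Parse 'access-list <n> ...' lines into {number: [entries]}."""
    acls = {}
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()   # '!' starts an IOS comment
        if not line:
            continue
        tokens = line.split()
        if tokens[0] not in ("access-list", "access-l"):
            raise ValueError(f"unsupported line: {line}")
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99:                    # standard ACL: source address only
            ace = {"action": action, "proto": "ip", "src": _take_addr(rest),
                   "dst": ("0.0.0.0", "255.255.255.255"), "qual": []}
        else:                               # extended ACL: proto src dst [qualifier]
            proto = rest.pop(0)
            ace = {"action": action, "proto": proto, "src": _take_addr(rest),
                   "dst": _take_addr(rest), "qual": rest}
        acls.setdefault(number, []).append(ace)
    return acls

def _ace_matches(ace, pkt: Packet) -> bool:
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    qual = ace["qual"]
    if not qual:
        return True
    if ace["proto"] == "icmp":               # e.g. "echo"
        return pkt.icmp_type == qual[0]
    if qual[0] == "eq":                      # e.g. "eq 23" on tcp/udp
        return pkt.dport == int(qual[1])
    raise ValueError(f"unsupported qualifier: {' '.join(qual)}")

def evaluate(aces, pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in aces:
        if _ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed sample: the interface ACL from the thread (120) plus a VTY
# access-class (1) that permits 10.0.0.0/8 sources via a wildcard mask.
SAMPLE_CONFIG = """
access-list 120 deny icmp any host 1.2.3.4 echo
access-list 120 deny icmp any host 4.5.6.7 echo
access-list 120 deny tcp any host 1.2.3.4 eq 23
access-list 120 deny tcp any host 4.5.6.7 eq 23
access-list 120 permit ip any any
access-list 1 permit 10.0.0.0 0.255.255.255
"""
ACLS = parse_acl(SAMPLE_CONFIG)

def check_interface(pkt: Packet) -> str:
    """Verdict for a packet arriving inbound on Serial0/0.1 with ACL 120 applied."""
    return evaluate(ACLS[120], pkt)

def check_vty(src: str) -> str:
    """Verdict for a telnet session to the VTY lines under access-class 1."""
    return evaluate(ACLS[1], Packet(src, "1.2.3.4", "tcp", dport=23))

if __name__ == "__main__":
    outside = "203.0.113.9"
    print("ping 1.2.3.4  :", check_interface(Packet(outside, "1.2.3.4", "icmp", icmp_type="echo")))
    print("telnet 1.2.3.5:", check_interface(Packet(outside, "1.2.3.5", "tcp", dport=23)))
    print("vty from 10/8 :", check_vty("10.20.30.40"), "| from outside:", check_vty(outside))
```

Two things the evaluator makes visible that the thread only implies: traffic to the VPN device at 1.2.3.5 reaches the final `permit ip any any` untouched, and ACL 120 only denies what it names, so a TCP connection to port 22 on 1.2.3.4 is still permitted by the interface list. That second point is why the access-class on the VTY lines is the more robust control for management access: it is enforced for every VTY session regardless of which interface the packet arrived on, and its implicit deny rejects every source not explicitly permitted.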