Velocity Reviews - Computer Hardware Reviews

Access List Allow Traffic From a Public IP and port


spooke
12-06-2005
Hi all,
on a 1720 with IOS 12.2(T10 I have some access lists, and with these I
deny the traffic from all the TCP ports except the well-known ones (80, 23,
etc.).
Now I have to allow the traffic from some specific public IPs on some
specific ports to a specific host of my network.

First question: is the access list that you find below in this
document right?

Second question: I have to allow the same for these IPs: 80.207.109.105 -
80.207.109.110 - 80.207.109.119 - 80.207.109.121 - 80.207.109.122 -
80.207.109.123 - 80.207.109.124. Is there a method to avoid rewriting the
lines for the traffic for each one of the public IPs? (I'm thinking of a subnet,
but I do not know how.)

Excuse me for my English, and many thanks to all
Gian Paolo


access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any any eq 443
access-list 102 permit udp any any eq 23
access-list 102 permit udp any any eq 21
access-list 102 permit udp any any eq domain
access-list 102 permit udp any any eq 110
access-list 102 permit udp any any eq 25
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 80
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 389
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 443
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 2560
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 7001 7002
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 8080 8084
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 8090 8091
access-list 102 deny ip any any
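
On the second question, here is an added example (not from the thread): a script that computes the single wildcard-mask entry that would cover the seven listed addresses and lists every extra address it would also let through, then builds the smaller set of exact entries that IOS's non-contiguous wildcard masks allow. The addresses and port specs are the ones in the post; the ACL number and the inside host mirror the posted lines; nothing else about the network is assumed.

```python
"""Wildcard-mask coverage for a list of permitted public hosts (Cisco IOS ACLs)."""
import ipaddress
from itertools import combinations

# The seven public hosts from the question (constructed input list).
PUBLIC_HOSTS = [
    "80.207.109.105", "80.207.109.110", "80.207.109.119", "80.207.109.121",
    "80.207.109.122", "80.207.109.123", "80.207.109.124",
]
# Port specs in IOS syntax, taken from the posted access-list 102.
PORT_SPECS = ["eq 80", "eq 389", "eq 443", "eq 2560",
              "range 7001 7002", "range 8080 8084", "range 8090 8091"]


def covering_network(hosts):
    """Smallest single prefix containing every host (the 'subnet' idea)."""
    nets = [ipaddress.ip_network(h) for h in hosts]
    net = nets[0]
    while net.prefixlen > 0 and not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def over_permitted(hosts):
    """Addresses the single-prefix wildcard matches that were never listed.
    An ACL wildcard matches every address in the block, network and broadcast
    included, so iterate the whole network rather than .hosts()."""
    wanted = {ipaddress.IPv4Address(h) for h in hosts}
    return sorted(a for a in covering_network(hosts) if a not in wanted)


def _matches(term, addr):
    """term = (address, wildcard); set wildcard bits are 'don't care'."""
    value, wild = term
    return (addr & ~wild) == value


def exact_wildcard_entries(hosts):
    """(address, wildcard) pairs that match exactly the given hosts and nothing else.
    Two entries with the same wildcard whose addresses differ in one bit merge into
    one entry with that bit wildcarded (Quine-McCluskey style); then entries whose
    hosts are all covered by the others are dropped."""
    wanted = [int(ipaddress.IPv4Address(h)) for h in hosts]
    terms = {(v, 0) for v in wanted}
    changed = True
    while changed:
        changed = False
        merged, used = set(), set()
        for a, b in combinations(sorted(terms), 2):
            diff = a[0] ^ b[0]
            if a[1] == b[1] and diff and diff & (diff - 1) == 0:  # exactly one bit
                merged.add((a[0] & ~diff, a[1] | diff))
                used.update({a, b})
                changed = True
        terms = (terms - used) | merged
    ordered = sorted(terms, key=lambda t: (-bin(t[1]).count("1"), t[0]))
    kept = []
    for i, t in enumerate(ordered):
        others = kept + ordered[i + 1:]
        if all(any(_matches(o, h) for o in others) for h in wanted if _matches(t, h)):
            continue  # redundant: everything it matches is matched elsewhere
        kept.append(t)
    return [(str(ipaddress.IPv4Address(v)), str(ipaddress.IPv4Address(w)))
            for v, w in sorted(kept)]


def matched_addresses(entries, network="80.207.109.0/24"):
    """Every address in `network` that at least one (address, wildcard) entry matches."""
    terms = [(int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(w))) for a, w in entries]
    return {str(a) for a in ipaddress.ip_network(network)
            if any(_matches(t, int(a)) for t in terms)}


def acl_lines(entries, acl=102, inside_host="10.10.10.101", ports=PORT_SPECS):
    """IOS lines in the same shape as the posted access-list 102
    (inside host as source, public entry as destination)."""
    lines = []
    for addr, wild in entries:
        dst = f"host {addr}" if wild == "0.0.0.0" else f"{addr} {wild}"
        for spec in ports:
            lines.append(f"access-list {acl} permit tcp host {inside_host} {dst} {spec}")
    return lines


if __name__ == "__main__":
    net = covering_network(PUBLIC_HOSTS)
    print(f"single entry {net.network_address} {net.hostmask} also permits "
          f"{len(over_permitted(PUBLIC_HOSTS))} unlisted addresses")
    for line in acl_lines(exact_wildcard_entries(PUBLIC_HOSTS)):
        print(line)
```

For these seven hosts the single covering entry is 80.207.109.96 0.0.0.31, which admits 25 addresses nobody asked for; the exact form needs five entries instead of seven (35 lines instead of 49 across the seven port specs) and admits nothing extra. Non-contiguous wildcards are harder to read in a `show access-lists`, so the comment or `remark` should say which hosts each entry stands for.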


garrisb
12-09-2005
Just need to understand your ACL in order to say if it's right or
not....

Is this an Internet-facing router? If so....
Is there a reason you're allowing ports like 23 and such from the
general Internet? Maybe a better way is to deny all and then allow
only what you need specifically....
If you require terminal-type access, I would use SSH...

Do you really want port 389, or did you mean 3389 (Remote Desktop)?

For 80.207.109.x, if this is from the Internet, you should have a
device doing network address translation for your "10.10.10.101" system...

i.e....

Using something like this is less burdensome but can accomplish the
same thing I THINK you're trying to achieve... (you can lock this down
even further... this says "if it's not one of the listed denys... allow
it")

!
interface <ADD INTERFACE>
ip access-group spooke in
!
ip access-list extended spooke
remark "EXAMPLE ACL"
deny ip any 0.0.0.0 0.255.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
deny ip any 127.0.0.0 0.255.255.255 log-input
deny ip any 169.254.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 192.0.2.0 0.0.0.255 log-input
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 224.0.0.0 7.255.255.255 log-input
deny ip any 255.0.0.0 0.255.255.255 log-input
deny ip any host 255.255.255.255 log-input
deny 55 any any log-input
deny 77 any any log-input
deny pim any any log-input
permit tcp host <ADD TELNET SPECIFIC IP FOR HOST/Pair if you need telnet otherwise, use ssh> eq telnet
deny tcp any any eq telnet log-input
deny tcp any any eq 135 log-input
deny udp any any eq 135 log-input
deny tcp any any eq 137 log-input
deny udp any any eq 137 log-input
deny tcp any any eq 139 log-input
deny udp any any eq 139 log-input
deny udp any any eq snmp log-input
deny udp any any eq 1993 log-input
deny udp any any eq tftp log-input
deny udp any any eq bootpc log-input
deny udp any any eq bootps log-input
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 eq 80
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 eq 3389
! (or eq 389)
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 eq 2560
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 range 7001 7002
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 range 8080 8084
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 range 8090 8091
permit icmp any any echo-reply log-input
deny icmp any any
permit ip any any log-input
no cdp run
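
As an added example (not from the thread), the script below models first-match ACL evaluation and runs the same constructed flows through a trimmed copy of access-list 102 (default deny) and through a list in the reply's style (default permit). The reply's placeholders are filled with constructed TEST-NET addresses, 203.0.113.10 for the NAT'd inside host and 198.51.100.5 for the telnet peer; those values, the flows and the trimming are assumptions. It shows the difference the two posts are discussing: a service nobody listed (3389 from an unknown Internet host) is dropped by the final `deny ip any any` in the first list and reaches `permit ip any any` in the second.

```python
"""First-match evaluation of two IOS-style extended ACLs (default deny vs default permit).

Models only what the thread uses: top-to-bottom walk, first matching entry wins,
implicit 'deny ip any any' at the end; protocols tcp/udp/ip, 'any', 'host A',
'A WILDCARD', 'eq PORT', 'range LO HI'. Trailing keywords (log, log-input) are
ignored; ICMP entries are left out because their type keywords are not modelled.
"""
import ipaddress

NAMED_PORTS = {"www": 80, "telnet": 23, "ftp": 21, "pop3": 110, "smtp": 25,
               "domain": 53, "snmp": 161, "tftp": 69, "bootpc": 68, "bootps": 67}


def _port(tok):
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]


def _addr(tokens):
    """Consume one address spec; return (matcher on an int address, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda a: True), tokens[1:]
    if tokens[0] == "host":
        want = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda a: a == want), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))   # wildcard: set bits are "don't care"
    return (lambda a: (a & ~wild) == (base & ~wild)), tokens[2:]


def _ports(tokens):
    """Consume an optional 'eq P' or 'range LO HI'; return (matcher, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        want = _port(tokens[1])
        return (lambda p: p == want), tokens[2:]
    if tokens and tokens[0] == "range":
        lo, hi = _port(tokens[1]), _port(tokens[2])
        return (lambda p: lo <= p <= hi), tokens[3:]
    return (lambda p: True), tokens


def parse_ace(line):
    tokens = line.split()
    if tokens[0] == "access-list":       # numbered form: access-list 102 permit ...
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src, rest = _addr(tokens[2:])
    sport, rest = _ports(rest)
    dst, rest = _addr(rest)
    dport, _ = _ports(rest)              # whatever is left (log-input) does not affect matching
    return action, proto, src, sport, dst, dport


def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, matching entry); ('deny', None) is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for line in acl:
        action, p, sm, spm, dm, dpm = parse_ace(line)
        if p in ("ip", proto) and sm(s) and spm(sport) and dm(d) and dpm(dport):
            return action, line
    return "deny", None


# Trimmed copy of the posted access-list 102 (default deny).
ACL_102 = [
    "access-list 102 permit tcp any any eq www",
    "access-list 102 permit tcp any any eq telnet",
    "access-list 102 permit udp any any eq domain",
    "access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 389",
    "access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 7001 7002",
    "access-list 102 deny ip any any",
]
# The reply's style (default permit); placeholder values are constructed TEST-NET addresses.
ACL_REPLY = [
    "deny ip any 10.0.0.0 0.255.255.255 log-input",
    "permit tcp host 198.51.100.5 host 203.0.113.10 eq telnet",
    "deny tcp any any eq telnet log-input",
    "deny udp any any eq snmp log-input",
    "permit tcp host 203.0.113.10 host 80.207.109.110 eq 3389",
    "permit ip any any log-input",
]
# Constructed flows: protocol, src, sport, dst, dport, description.
FLOWS = [
    ("tcp", "198.51.100.77", 40000, "203.0.113.10", 3389, "RDP from an unknown Internet host"),
    ("tcp", "198.51.100.77", 40001, "203.0.113.10", 23, "telnet from an unknown Internet host"),
    ("tcp", "198.51.100.5", 40002, "203.0.113.10", 23, "telnet from the one permitted peer"),
    ("udp", "198.51.100.77", 40003, "203.0.113.10", 161, "SNMP from the Internet"),
    ("tcp", "10.10.10.101", 40004, "80.207.109.110", 7002, "inside host to the public host, port 7002"),
]


def compare(flows=FLOWS):
    """{description: (verdict under ACL_102, verdict under ACL_REPLY)}."""
    return {desc: (evaluate(ACL_102, *f)[0], evaluate(ACL_REPLY, *f)[0])
            for (*f, desc) in flows}


if __name__ == "__main__":
    for desc, (a, b) in compare().items():
        print(f"{desc:45s} acl 102: {a:6s} reply style: {b}")
```

The two lists agree on the flows each author wrote rules for and disagree on the one neither mentioned: with a closing deny the new service fails closed, with a closing permit it is open until somebody adds a deny. Whichever style is chosen, the evaluator also makes the ordering point visible: the single host permit for telnet only works because it sits above `deny tcp any any eq telnet`.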
