Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > basic ACL help pls

basic ACL help pls

 
 
Brian
Guest
Posts: n/a
 
      03-24-2009
I need some basic IOS ACL help. We have the following config:

version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service udp-small-servers
service tcp-small-servers
!
!
boot-start-marker
boot-end-marker
!
no logging console
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
ip address 1.2.3.4 255.255.255.248
speed 100
full-duplex
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
!
interface Serial0/0.1 point-to-point
bandwidth 1536
ip address 4.5.6.7 255.255.255.252
ip access-group 120 in
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface Serial1/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
no cdp run
!
line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
line aux 0
login
transport input all
line vty 0 4
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
login
line vty 5 15
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
login
!
!
end



The FE interface is a public IP. The device connected to this is a VPN device
that also has an IP in the range, let's say 1.2.3.5. I need to pass ALL traffic
destined for 1.2.3.5 but I don't want the FE interface on 1.2.3.4 or the serial
interface on 4.5.6.7 to be pingable or accessible by telnet. Can someone help
me with the ACL for this?

Thanks...
 
Reply With Quote
 
 
 
 
bod43
Guest
Posts: n/a
 
      03-24-2009
On 24 Mar, 20:36, Brian <(E-Mail Removed)> wrote:
> I need some basic IOS ACL help. We have the following config:
>
> version 12.3
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> service udp-small-servers
> service tcp-small-servers
> !
> !
> boot-start-marker
> boot-end-marker
> !
> no logging console
> enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> !
> mmi polling-interval 60
> no mmi auto-configure
> no mmi pvc
> mmi snmp-timeout 180
> no aaa new-model
> ip subnet-zero
> ip cef
> !
> !
> !
> no ftp-server write-enable
> !
> !
> !
> !
> interface FastEthernet0/0
>  ip address 1.2.3.4 255.255.255.248
>  speed 100
>  full-duplex
> !
> interface Serial0/0
>  no ip address
>  encapsulation frame-relay IETF
>  no ip mroute-cache
>  no fair-queue
>  service-module t1 timeslots 1-24
> !
> interface Serial0/0.1 point-to-point
>  bandwidth 1536
>  ip address 4.5.6.7 255.255.255.252
>  ip access-group 120 in
>  no cdp enable
>  frame-relay interface-dlci 500 IETF
> !
> interface Serial1/0
>  no ip address
>  shutdown
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> no ip http server
> !
> no cdp run
> !
> line con 0
>  exec-timeout 0 0
>  password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
> line aux 0
>  login
>  transport input all
> line vty 0 4
>  password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
>  login
> line vty 5 15
>  password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
>  login
> !
> !
> end
>
> The FE interface is a public IP. The device connected to this is a VPN device
> that also has an IP in the range, let's say 1.2.3.5. I need to pass ALL traffic
> destined for 1.2.3.5 but I don't want the FE interface on 1.2.3.4 or the serial
> interface on 4.5.6.7 to be pingable or accessible by telnet. Can someone help
> me with the ACL for this?
>
> Thanks...


Well, sure, however doing this while clueless is not exactly
the best plan ever. It's not that hard to work out.

I suggest that you figure out what this will do
before applying it.

! Assuming:-
! Serial 0/0.1 is your Internet interface.
! That you want to block traffic from the Internet
! as you have defined.
! You want to use access-list 120 as already applied
! but not defined.


! Let's remove the access-group command to prevent the partially
! configured access list from becoming active.

int se 0/0.1
no ip access-group 120 in

! block icmp echo request packets - ping request
access-l 120 deny icmp any host 1.2.3.4 echo
access-l 120 deny icmp any host 4.5.6.7 echo

! block telnet - tcp port 23
access-l 120 deny tcp any host 1.2.3.4 eq 23
access-l 120 deny tcp any host 4.5.6.7 eq 23
access-l 120 permit ip any any

! Check that the config is as you expect
! then ...

! Now apply the ACL to the interface (ip access-group, not "no ip access-group",
! which would remove it again)

int se 0/0.1
ip access-group 120 in


 
Reply With Quote
 
 
 
 
Thrill5
Guest
Posts: n/a
 
      03-25-2009
Inbound telnet access to the router should be applied using an ACL on the
VTY ports, not on the interfaces.

! 0.255.255.255 is a wildcard mask (the inverse of the subnet mask 255.0.0.0);
! it matches 10.0.0.0/8
access-list 1 permit 10.0.0.0 0.255.255.255

line vty 0 4
 access-class 1 in

This will allow inbound telnet sessions that have a "10" source address.
This is much more secure than blocking each inbound interface because it
is applied globally to all inbound telnet sessions to the router.

"bod43" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
 
Reply With Quote
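bod43's advice is to work out what the list will do before applying it, and Thrill5's access-class list depends on getting the wildcard mask right. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS access-list first-match evaluation that runs the interface ACL 120 from bod43's reply, and a standard ACL of the kind Thrill5 describes, against constructed packets. It assumes IPv4 only, the ACE syntax used in the thread, and constructed source addresses (198.51.100.9 standing in for an Internet host, 10.20.30.40 for a management host). It also contrasts the correct wildcard for 10.0.0.0/8 (0.255.255.255) with the subnet-mask form 255.0.0.0, which IOS would read as a wildcard and match only addresses whose last three octets are .0.0.0.

```python
# Added example (not code from the thread or from Cisco): a model of IOS
# access-list first-match evaluation, for checking what a list will do before
# it is applied. Syntax handled is limited to what the thread uses:
#   access-list N {permit|deny} {ip|icmp|tcp|udp} SRC DST [eq PORT | ICMP-TYPE]
#   access-list N {permit|deny} SRC                      (standard ACL, N <= 99)
# where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # e.g. "echo" for a ping request


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means "don't care", a 0 bit means "must match".
    It is the inverse of a subnet mask, which is the usual source of mistakes."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens):
    """Consume one address spec; return ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    tokens = line.split()
    if not tokens[0].startswith("access-l"):    # accepts the "access-l" abbreviation
        raise ValueError("not an access-list line: %r" % line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    ace = {"action": action, "proto": "ip", "dport": None, "icmp_type": None,
           "dst": ("0.0.0.0", "255.255.255.255")}
    if number <= 99:                            # standard ACL: source address only
        ace["src"], rest = _take_addr(rest)
        return ace
    ace["proto"], rest = rest[0], rest[1:]
    ace["src"], rest = _take_addr(rest)
    ace["dst"], rest = _take_addr(rest)
    if rest[:1] == ["eq"]:
        ace["dport"] = int(rest[1])
    elif rest:
        ace["icmp_type"] = rest[0]
    return ace


def ace_matches(ace, pkt):
    return ((ace["proto"] in ("ip", pkt.proto))
            and wildcard_match(pkt.src, *ace["src"])
            and wildcard_match(pkt.dst, *ace["dst"])
            and ace["dport"] in (None, pkt.dport)
            and ace["icmp_type"] in (None, pkt.icmp_type))


def evaluate(acl_lines, pkt):
    """First matching entry wins; a list with no match ends in the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed input: the interface ACL from bod43's reply.
ACL_120 = [
    "access-l 120 deny icmp any host 1.2.3.4 echo",
    "access-l 120 deny icmp any host 4.5.6.7 echo",
    "access-l 120 deny tcp any host 1.2.3.4 eq 23",
    "access-l 120 deny tcp any host 4.5.6.7 eq 23",
    "access-l 120 permit ip any any",
]
# Constructed input: a standard ACL for access-class on the vty lines, once with
# the correct wildcard for 10.0.0.0/8 and once with a subnet mask by mistake.
ACL_1_WILDCARD = ["access-list 1 permit 10.0.0.0 0.255.255.255"]
ACL_1_SUBNETMASK = ["access-list 1 permit 10.0.0.0 255.0.0.0"]


def check_thread_examples():
    """Verdicts for constructed packets (198.51.100.9 = Internet host, 10.20.30.40 = admin)."""
    inet, admin = "198.51.100.9", "10.20.30.40"
    return {
        "ping_fe": evaluate(ACL_120, Packet("icmp", inet, "1.2.3.4", icmp_type="echo")),
        "telnet_serial": evaluate(ACL_120, Packet("tcp", inet, "4.5.6.7", dport=23)),
        "isakmp_to_vpn": evaluate(ACL_120, Packet("udp", inet, "1.2.3.5", dport=500)),
        "ping_vpn": evaluate(ACL_120, Packet("icmp", inet, "1.2.3.5", icmp_type="echo")),
        "admin_telnet_wildcard": evaluate(ACL_1_WILDCARD, Packet("tcp", admin, "1.2.3.4", dport=23)),
        "admin_telnet_subnetmask": evaluate(ACL_1_SUBNETMASK, Packet("tcp", admin, "1.2.3.4", dport=23)),
    }
```

Calling `check_thread_examples()` shows the two pings and the two telnet attempts to the router's own addresses denied, traffic to 1.2.3.5 permitted by the trailing `permit ip any any`, and the management host admitted only by the wildcard form of the standard list. Two caveats the model makes visible for the config in this thread: an `access-class` protects only the line range it is configured on, and this router has both `line vty 0 4` and `line vty 5 15`, so both need it; and an ACL applied inbound on Serial0/0.1 says nothing about packets that arrive on FastEthernet0/0, so the FE side still reaches the router's addresses unless it gets its own list or the vty access-class.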
 
bod43
Guest
Posts: n/a
 
      03-25-2009
On 25 Mar, 06:13, "Thrill5" <(E-Mail Removed)> wrote:
> Inbound telnet access to the router should be applied using an ACL on the
> VTY ports, not on the interfaces.


Seems a fine plan. Thanks.
 
Reply With Quote
 
Brian
Guest
Posts: n/a
 
      03-27-2009
"Thrill5" <(E-Mail Removed)> wrote:

|Inbound telnet access to the router should be applied using an ACL on the
|VTY ports, not on the interfaces.
|
|access-list 1 permit 10.0.0.0 0.255.255.255
|
|line vty 0 4
| access-class 1 in
|
|This will allow inbound telnet sessions that have a "10" source address.
|This is much more secure than blocking each inbound interface because it
|is applied globally to all inbound telnet sessions to the router.

Can you show me what the ACLs would look like for the entire setup?
 
Reply With Quote
 
 
 