Access List Allow Traffic From a Public IP and port

Discussion in 'Cisco' started by spooke, Dec 6, 2005.

  1. spooke

    spooke Guest

    Hi all
    On a 1720 with IOS 12.2(8)T10 I have some access lists, and with these I
    deny the traffic on all the TCP ports except the well-known ones (80, 23,
    etc.).
    Now I have to allow the traffic from some specific public IPs on some
    specific ports to a specific host of my network.

    First question: Is the access list that you find further down in this
    document right?

    Second question: I have to allow the same for these IPs: 80.207.109.105 -
    80.207.109.110 - 80.207.109.119 - 80.207.109.121 - 80.207.109.122 -
    80.207.109.123 - 80.207.109.124. Is there a method to avoid rewriting the
    lines for the traffic for each one of the public IPs? (I'm thinking of a
    subnet, but I do not know how.)

    Excuse me for my English, and many thanks to all
    Gian Paolo


    access-list 102 permit tcp any any eq www
    access-list 102 permit tcp any any eq telnet
    access-list 102 permit tcp any any eq ftp
    access-list 102 permit tcp any any eq pop3
    access-list 102 permit tcp any any eq smtp
    access-list 102 permit tcp any any eq 443
    access-list 102 permit udp any any eq 443
    access-list 102 permit udp any any eq 23
    access-list 102 permit udp any any eq 21
    access-list 102 permit udp any any eq domain
    access-list 102 permit udp any any eq 110
    access-list 102 permit udp any any eq 25
    access-list 102 permit tcp any any eq domain
    access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 80
    access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 389
    access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 443
    access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 2560
    access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 7001 7002
    access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 8080 8084
    access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 8090 8091
    access-list 102 deny ip any any
     
    spooke, Dec 6, 2005
    #1
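A worked answer to the second question, added here and not part of either post: an IOS wildcard mask can only express a power-of-two aligned block, so this script computes the fewest exact entries for the seven addresses listed above and, for comparison, the single summary entry together with every extra address it would admit. It assumes the public block is the source and 10.10.10.101 the destination (the direction the question's prose describes; swap the two if the list is applied the other way) and uses port 443 as a sample.

```python
import ipaddress

# The seven public addresses from the question.
WANTED = [
    "80.207.109.105", "80.207.109.110", "80.207.109.119",
    "80.207.109.121", "80.207.109.122", "80.207.109.123", "80.207.109.124",
]


def exact_entries(addrs):
    """Fewest (network, wildcard) pairs that match exactly these hosts.

    collapse_addresses merges neighbouring /32s into larger aligned blocks
    (.122 and .123 become .122/31); anything not mergeable stays a /32.
    hostmask is the inverted subnet mask, which is what IOS calls a wildcard.
    """
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in addrs)
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


def summary_entry(addrs):
    """One entry covering every host: the smallest common supernet.

    Returns ((network, wildcard), extra) where extra lists the addresses the
    entry admits but that were never asked for, i.e. the over-permission you
    accept by writing a single "subnet" line instead of exact entries.
    """
    hosts = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(f"{min(hosts)}/32")
    while not all(h in net for h in hosts):
        net = net.supernet()  # widen by one bit at a time
    extra = sorted(set(net) - set(hosts))  # iterating a network yields every address
    return (str(net.network_address), str(net.hostmask)), [str(a) for a in extra]


def render(entries, acl=102, dst="10.10.10.101", port=443):
    """Emit numbered extended ACL lines; a 0.0.0.0 wildcard is written as 'host'."""
    lines = []
    for src, wc in entries:
        src_spec = f"host {src}" if wc == "0.0.0.0" else f"{src} {wc}"
        lines.append(f"access-list {acl} permit tcp {src_spec} host {dst} eq {port}")
    return lines


if __name__ == "__main__":
    print("exact entries:")
    print("\n".join(render(exact_entries(WANTED))))
    summary, extra = summary_entry(WANTED)
    print("\nsingle summary entry:")
    print("\n".join(render([summary])))
    print(f"but it also admits {len(extra)} unrequested addresses, e.g. {extra[:3]}")
```

For these seven hosts the exact form needs six lines (only .122/.123 merge), while the one-line summary 80.207.109.96 0.0.0.31 lets in 25 addresses nobody asked for.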

  2. garrisb

    garrisb Guest

    Just need to understand your ACL in order to say if it's right or
    not....

    Is this an Internet facing router? If so....
    Is there a reason you're allowing ports like 23 and such from the
    general Internet? Maybe a better way is to deny all and then allow
    only what you need specifically....
    If you require terminal-type access, I would use SSH...

    Do you really want port 389, or did you mean 3389 (Remote Desktop)?

    For 80.207.109.x, if this is from the Internet, you should have a
    device doing network address translation for your "10.10.10.101" system...

    ie...

    Using something like this is less burdensome but can accomplish the
    same thing I THINK you're trying to achieve... (you can lock this down
    even further... this says "if it's not one of the listed denies... allow
    it")

    !
    interface <ADD INTERFACE>
    ip access-group spooke in
    !
    ip access-list extended spooke
    remark "EXAMPLE ACL"
    deny ip any 0.0.0.0 0.255.255.255 log-input
    deny ip any 10.0.0.0 0.255.255.255 log-input
    deny ip any 127.0.0.0 0.255.255.255 log-input
    deny ip any 169.254.0.0 0.0.255.255 log-input
    deny ip any 172.16.0.0 0.15.255.255 log-input
    deny ip any 192.0.2.0 0.0.0.255 log-input
    deny ip any 192.168.0.0 0.0.255.255 log-input
    deny ip any 224.0.0.0 7.255.255.255 log-input
    deny ip any 255.0.0.0 0.255.255.255 log-input
    deny ip any host 255.255.255.255 log-input
    deny 55 any any log-input
    deny 77 any any log-input
    deny pim any any log-input
    permit tcp host <ADD TELNET SPECIFIC IP FOR HOST/Pair if you need telnet, otherwise use ssh> eq telnet
    deny tcp any any eq telnet log-input
    deny tcp any any eq 135 log-input
    deny udp any any eq 135 log-input
    deny tcp any any eq 137 log-input
    deny udp any any eq 137 log-input
    deny tcp any any eq 139 log-input
    deny udp any any eq 139 log-input
    deny udp any any eq snmp log-input
    deny udp any any eq 1993 log-input
    deny udp any any eq tftp log-input
    deny udp any any eq bootpc log-input
    deny udp any any eq bootps log-input
    permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 eq 80
    permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 eq 3389 (or 389)
    permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 eq 2560
    permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 range 7001 7002
    permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 range 8080 8084
    permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 range 8090 8091
    permit icmp any any echo-reply log-input
    deny icmp any any
    permit ip any any log-input
    no cdp run
     
    garrisb, Dec 9, 2005
    #2