basic ACL help pls

Discussion in 'Cisco' started by Brian, Mar 24, 2009.

  1. Brian

    Brian Guest

    I need some basic IOS ACL help. We have the following config:

    version 12.3
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service udp-small-servers
    service tcp-small-servers
    !
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    ip cef
    !
    !
    !
    no ftp-server write-enable
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address 1.2.3.4 255.255.255.248
     speed 100
     full-duplex
    !
    interface Serial0/0
     no ip address
     encapsulation frame-relay IETF
     no ip mroute-cache
     no fair-queue
     service-module t1 timeslots 1-24
    !
    interface Serial0/0.1 point-to-point
     bandwidth 1536
     ip address 4.5.6.7 255.255.255.252
     ip access-group 120 in
     no cdp enable
     frame-relay interface-dlci 500 IETF
    !
    interface Serial1/0
     no ip address
     shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0.1
    no ip http server
    !
    no cdp run
    !
    line con 0
     exec-timeout 0 0
     password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
    line aux 0
     login
     transport input all
    line vty 0 4
     password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
     login
    line vty 5 15
     password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
     login
    !
    !
    end



    The FE interface has a public IP. The device connected to it is a VPN device
    that also has an IP in the range, let's say 1.2.3.5. I need to pass ALL traffic
    destined for 1.2.3.5, but I don't want the FE interface on 1.2.3.4 or the serial
    interface on 4.5.6.7 to be pingable or accessible by telnet. Can someone help
    me with the ACL for this?

    Thanks...
     
    Brian, Mar 24, 2009
    #1

  2. bod43

    bod43 Guest

    On 24 Mar, 20:36, Brian <> wrote:
    > I need some basic IOS ACL help.  We have the following config:
    >
    > version 12.3
    > service timestamps debug uptime
    > service timestamps log uptime
    > service password-encryption
    > service udp-small-servers
    > service tcp-small-servers
    > !
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > no logging console
    > enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > !
    > mmi polling-interval 60
    > no mmi auto-configure
    > no mmi pvc
    > mmi snmp-timeout 180
    > no aaa new-model
    > ip subnet-zero
    > ip cef
    > !
    > !
    > !
    > no ftp-server write-enable
    > !
    > !
    > !
    > !
    > interface FastEthernet0/0
    >  ip address 1.2.3.4 255.255.255.248
    >  speed 100
    >  full-duplex
    > !
    > interface Serial0/0
    >  no ip address
    >  encapsulation frame-relay IETF
    >  no ip mroute-cache
    >  no fair-queue
    >  service-module t1 timeslots 1-24
    > !
    > interface Serial0/0.1 point-to-point
    >  bandwidth 1536
    >  ip address 4.5.6.7 255.255.255.252
    >  ip access-group 120 in
    >  no cdp enable
    >  frame-relay interface-dlci 500 IETF
    > !
    > interface Serial1/0
    >  no ip address
    >  shutdown
    > !
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Serial0/0.1
    > no ip http server
    > !
    > no cdp run
    > !
    > line con 0
    >  exec-timeout 0 0
    >  password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
    > line aux 0
    >  login
    >  transport input all
    > line vty 0 4
    >  password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
    >  login
    > line vty 5 15
    >  password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
    >  login
    > !
    > !
    > end
    >
    > The FE interface has a public IP.  The device connected to it is a VPN device
    > that also has an IP in the range, let's say 1.2.3.5.  I need to pass ALL traffic
    > destined for 1.2.3.5 but I don't want the FE interface on 1.2.3.4 or the serial
    > interface on 4.5.6.7 to be pingable or accessible by telnet.  Can someone help
    > me with the ACL for this?
    >
    > Thanks...


    Well, sure, however doing this while clueless is not exactly
    the best plan ever. It's not that hard to work out.

    I suggest that you figure out what this will do
    before applying it.

    ! Assuming:-
    ! Serial 0/0.1 is your Internet interface.
    ! That you want to block traffic from the Internet
    ! as you have defined.
    ! You want to use access-list 120 as already applied
    ! but not defined.


    ! Let's remove the access-group command to prevent the partially
    ! configured access list from becoming active.

    int se 0/0.1
    no ip access-group 120 in

    ! block icmp echo request packets - ping request
    access-l 120 deny icmp any host 1.2.3.4 echo
    access-l 120 deny icmp any host 4.5.6.7 echo

    ! block telnet - tcp port 23
    access-l 120 deny tcp any host 1.2.3.4 eq 23
    access-l 120 deny tcp any host 4.5.6.7 eq 23
    access-l 120 permit ip any any

    ! Check that the config is as you expect
    ! then ...

    ! Now apply the ACL to the interface (inbound, as it was originally referenced)

    int se 0/0.1
    ip access-group 120 in
     
    bod43, Mar 24, 2009
    #2

  3. Thrill5

    Thrill5 Guest

    Inbound telnet access to the router should be applied using an ACL on the
    VTY ports, not on the interfaces.

    ! standard ACL: IOS takes an inverse (wildcard) mask, so /8 is 0.255.255.255
    access-list 1 permit 10.0.0.0 0.255.255.255

    line vty 0 4
     access-class 1 in

    This will allow inbound telnet sessions that have a "10" source address.
    This is much more secure than blocking each inbound interface because it
    is applied globally to all inbound telnet sessions to the router.

    "bod43" <> wrote in message
    news:...
    On 24 Mar, 20:36, Brian <> wrote:
    > I need some basic IOS ACL help. We have the following config:
    >
    > version 12.3
    > service timestamps debug uptime
    > service timestamps log uptime
    > service password-encryption
    > service udp-small-servers
    > service tcp-small-servers
    > !
    > end
    >
    > The FE interface has a public IP. The device connected to it is a VPN device
    > that also has an IP in the range, let's say 1.2.3.5. I need to pass ALL traffic
    > destined for 1.2.3.5 but I don't want the FE interface on 1.2.3.4 or the serial
    > interface on 4.5.6.7 to be pingable or accessible by telnet. Can someone help
    > me with the ACL for this?
    >
    > Thanks...


    Well, sure, however doing this while clueless is not exactly
    the best plan ever. It's not that hard to work out.

    I suggest that you figure out what this will do
    before applying it.

    ! Assuming:-
    ! Serial 0/0.1 is your Internet interface.
    ! That you want to block traffic from the Internet
    ! as you have defined.
    ! You want to use access-list 120 as already applied
    ! but not defined.


    ! Let's remove the access-group command to prevent the partially
    ! configured access list from becoming active.

    int se 0/0.1
    no ip access-group 120 in

    ! block icmp echo request packets - ping request
    access-l 120 deny icmp any host 1.2.3.4 echo
    access-l 120 deny icmp any host 4.5.6.7 echo

    ! block telnet - tcp port 23
    access-l 120 deny tcp any host 1.2.3.4 eq 23
    access-l 120 deny tcp any host 4.5.6.7 eq 23
    access-l 120 permit ip any any

    ! Check that the config is as you expect
    ! then ...

    ! Now apply the ACL to the interface (inbound, as it was originally referenced)

    int se 0/0.1
    ip access-group 120 in
     
    Thrill5, Mar 25, 2009
    #3
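The two answers above describe what bod43's access-list 120 and Thrill5's access-class ACL will and will not match, but nothing on the page lets a reader check that without a router. The following Python is an added example, not code posted by anyone in the thread: a small model of IOS first-match evaluation with wildcard masks, fed the five access-list 120 lines from bod43's reply and the `access-list 1` line from Thrill5's reply, against constructed packets. It also contrasts the /8 wildcard `0.255.255.255` with a subnet mask `255.0.0.0` typed in its place, since IOS standard ACLs take inverse masks. The source address 198.51.100.9, the packet set and all function names are constructed for the example; source-port matching and other ACL options are not modelled.

```python
"""Added example (not code from the thread): a minimal model of how Cisco IOS
evaluates a numbered access list, so the ACLs suggested above can be exercised
against constructed packets. Only the syntax used in the thread is parsed:
any / host A / A WILDCARD, 'eq PORT', and the icmp 'echo' keyword."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_TYPES = {"echo": 8, "echo-reply": 0}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored.
    This is the inverse of a subnet mask: '10.0.0.0 0.255.255.255' is 10.0.0.0/8."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[int] = None  # icmp type number (8 = echo request)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: Tuple[str, str]             # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A', 'A W', or a bare 'A' (standard-ACL shorthand)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and tokens[0][0].isdigit():
        return (t, tokens.pop(0))
    return (t, "0.0.0.0")


def parse_acl(lines: List[str]) -> Dict[int, List[Rule]]:
    """Group 'access-list N ...' lines ('access-l' accepted) into ordered rule lists."""
    acls: Dict[int, List[Rule]] = {}
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] not in ("access-list", "access-l"):
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:                  # standard ACL: source address only
            rule = Rule(action, "ip", _take_addr(rest), ANY)
        else:                                  # extended ACL: proto, src, dst, options
            proto = rest.pop(0)
            rule = Rule(action, proto, _take_addr(rest), _take_addr(rest))
            if rest and rest[0] == "eq":
                rule.dport = int(rest[1])
            elif rest and rest[0] in ICMP_TYPES:
                rule.icmp_type = ICMP_TYPES[rest[0]]
        acls.setdefault(number, []).append(rule)
    return acls


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Top-down, first match wins; every IOS ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *r.src) and wildcard_match(pkt.dst, *r.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action
    return "deny"


# bod43's access-list 120, exactly as posted in the thread
ACL_120 = parse_acl("""
access-l 120 deny icmp any host 1.2.3.4 echo
access-l 120 deny icmp any host 4.5.6.7 echo
access-l 120 deny tcp any host 1.2.3.4 eq 23
access-l 120 deny tcp any host 4.5.6.7 eq 23
access-l 120 permit ip any any
""".splitlines())[120]


def check_acl_120() -> Dict[str, str]:
    """Constructed packets arriving inbound on Serial0/0.1 from 198.51.100.9."""
    s = "198.51.100.9"
    return {
        "ping 1.2.3.4":       evaluate(ACL_120, Packet("icmp", s, "1.2.3.4", icmp_type=8)),
        "ping reply 1.2.3.4": evaluate(ACL_120, Packet("icmp", s, "1.2.3.4", icmp_type=0)),
        "ping 1.2.3.5":       evaluate(ACL_120, Packet("icmp", s, "1.2.3.5", icmp_type=8)),
        "telnet 4.5.6.7":     evaluate(ACL_120, Packet("tcp", s, "4.5.6.7", dport=23)),
        "ssh 1.2.3.4":        evaluate(ACL_120, Packet("tcp", s, "1.2.3.4", dport=22)),
        "udp/500 to 1.2.3.5": evaluate(ACL_120, Packet("udp", s, "1.2.3.5", dport=500)),
    }


def check_access_class(mask: str) -> Dict[str, str]:
    """Which sources 'access-list 1 permit 10.0.0.0 <mask>' admits to the VTY lines."""
    rules = parse_acl([f"access-list 1 permit 10.0.0.0 {mask}"])[1]
    return {src: evaluate(rules, Packet("tcp", src, "1.2.3.4", dport=23))
            for src in ("10.20.30.40", "192.168.0.5", "172.0.0.0")}


if __name__ == "__main__":
    print(check_acl_120())
    print("wildcard 0.255.255.255:", check_access_class("0.255.255.255"))
    print("subnet mask 255.0.0.0: ", check_access_class("255.0.0.0"))
```

The "ssh 1.2.3.4" and "ping reply 1.2.3.4" rows show the limit of the interface ACL: it blocks exactly the protocol, port and ICMP type named and nothing else, while everything to 1.2.3.5 passes as Brian asked. That is the reason behind Thrill5's point: an `access-class` on the VTY lines governs every inbound management session to the router, whichever interface it arrives on. The last two calls show why the mask notation matters: with the subnet mask 255.0.0.0 used as a wildcard, IOS ignores the first octet and requires the last three to be zero, so 10.20.30.40 is refused while 172.0.0.0 is admitted; the inverse mask 0.255.255.255 gives the intended 10.0.0.0/8.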
  4. bod43

    bod43 Guest

    On 25 Mar, 06:13, "Thrill5" <> wrote:
    > Inbound telnet access to the router should be applied using an ACL on the
    > VTY ports, not on the interfaces.


    Seems a fine plan. Thanks.
     
    bod43, Mar 25, 2009
    #4
  5. Brian

    Brian Guest

    "Thrill5" <> wrote:

    |Inbound telnet access to the router should be applied using an ACL on the
    |VTY ports, not on the interfaces.
    |
    |access-list 1 permit 10.0.0.0 0.255.255.255
    |
    |line vty 0 4
    | access-class 1 in
    |
    |This will allow inbound telnet sessions that have a "10" source address.
    |This is much more secure than blocking each inbound interface because it
    |is applied globally to all inbound telnet sessions to the router.

    Can you show me what the ACLs would look like for the entire setup?
     
    Brian, Mar 27, 2009
    #5
