help with ACLs

Discussion in 'Cisco' started by Unknown, May 1, 2005.

  1. Unknown

    Unknown Guest

    hi,

    how would i implement an access control list on a cisco router?

    lets say i have a mini network setup, with 8 computers and 4 routers. and
    each 2 set computer is attached to a switch. (so it will look like a star
    network)

    how would i;

    stop a telnet from a workstation to a router,
    stop a ping from a workstation to a workstation.

    thanx

    Jon
     
    Unknown, May 1, 2005
    #1

  2. In article <Ai4de.3371$>,
    "Unknown" <> wrote:

    > hi,
    >
    > how would i implement an access control list on a cisco router?
    >
    > lets say i have a mini network setup, with 8 computers and 4 routers. and
    > each 2 set computer is attached to a switch. (so it will look like a star
    > network)
    >
    > how would i;
    >
    > stop a telnet from a workstation to a router,


    Define an ACL like:

    access-list 1 deny host <blocked-addr>
    access-list 1 permit any

    and associate it with the telnet virtual terminals with:

    line vty 0 5
    access-class 1 in

    > stop a ping from a workstation to a workstation.


    Configure an ACL like:

    access-list 101 deny icmp host <source-addr> host <dest-addr> echo
    access-list 101 permit ip any any

    and associate it with an interface:

    interface Eth0
    ip access-group 101 out

    Since this is an outbound ACL, you should put it on the interface that
    <dest-addr> is connected to. You could also put it on <source-addr>'s
    interface, but then you would have to specify "in" instead of "out".

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, May 1, 2005
    #2

  3. Unknown

    Unknown Guest

    hi,

    this is what i got:

    To block a telnet from workstation 5 to Boaz

    Boaz(config)#access-list 1 deny host 128.34.2.2
    Boaz(config)#access-list 1 permit any

    Boaz(config-line)#line vty 0 4
    Boaz(config-line)#access-class 1 in

    To block a ping from workstation 3 to workstation 5

    Boaz(config)#access-list 101 deny icmp 128.34.4.2 128.34.5.2 echo
    Boaz(config)#access-list 101 permit tcp any any

    Boaz(config-line)#interface Eth0
    Boaz(config-line)#ip access-group 101 out

    is that correct?

    thanx

    jon



    "Barry Margolin" <> wrote in message
    news:...
    > In article <Ai4de.3371$>,
    > "Unknown" <> wrote:
    >
    > > hi,
    > >
    > > how would i implement an access control list on a cisco router?
    > >
    > > lets say i have a mini network setup, with 8 computers and 4 routers. and
    > > each 2 set computer is attached to a switch. (so it will look like a star
    > > network)
    > >
    > > how would i;
    > >
    > > stop a telnet from a workstation to a router,
    >
    > Define an ACL like:
    >
    > access-list 1 deny host <blocked-addr>
    > access-list 1 permit any
    >
    > and associate it with the telnet virtual terminals with:
    >
    > line vty 0 5
    > access-class 1 in
    >
    > > stop a ping from a workstation to a workstation.
    >
    > Configure an ACL like:
    >
    > access-list 101 deny icmp host <source-addr> host <dest-addr> echo
    > access-list 101 permit ip any any
    >
    > and associate it with an interface:
    >
    > interface Eth0
    > ip access-group 101 out
    >
    > Since this is an outbound ACL, you should put it on the interface that
    > <dest-addr> is connected to. You could also put it on <source-addr>'s
    > interface, but then you would have to specify "in" instead of "out".
    >
    > --
    > Barry Margolin,
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***
     
    Unknown, May 1, 2005
    #3
  4. In article <kA8de.3553$>,
    "Unknown" <> wrote:

    > hi,
    >
    > this is what i got:
    >
    > To block a telnet from workstation 5 to Boaz
    >
    >
    >
    > Boaz(config)#access-list 1 deny host 128.34.2.2
    > Boaz(config)#access-list 1 permit any
    >
    >
    >
    > Boaz(config-line)#line vty 0 4
    >
    > Boaz(config-line)#access-class 1 in
    >
    >
    >
    > To block a ping from workstation 3 to workstation 5
    >
    >
    >
    >
    >
    > Boaz(config)#access-list 101 deny icmp 128.34.4.2 128.34.5.2 echo


    You're missing the keyword "host" before each IP. Didn't it complain
    when you tried to type this, since the syntax is incorrect?

    Also, this blocks pings from workstation 5 to workstation 3. The source
    is first, the destination is second.

    > Boaz(config)#access-list 101 permit tcp any any


    That should be "ip", not "tcp".

    > Boaz(config-line)#interface Eth0
    > Boaz(config-line)#ip access-group 101 out


    I assume Eth0 is the interface that

    >
    >
    >
    > is that correct?


    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, May 1, 2005
    #4
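    To see the two corrections in #4 at work (source comes before destination, and "permit tcp any any" is not the same as "permit ip any any"), here is a small Python model of how IOS walks a numbered ACL top to bottom and falls through to the implicit deny at the end. This is an added example, not code from the thread or from any Cisco tool; the names `Packet`, `parse_acl` and `evaluate` are made up for it, it only understands the `host`/`any` address forms used in #2, and the 128.34.x.x addresses are the ones from Jon's post.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    proto: str           # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""  # "echo" for an echo request, "" when not relevant

def _addr(tokens):
    """Consume one address spec: 'host A.B.C.D' or 'any' (wildcard masks are not modelled)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"expected 'host <addr>' or 'any', got {tok!r}")  # IOS rejects this too

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines in order; 1-99 standard, 100-199 extended."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:               # standard ACL: matches on source address only
            proto, rest = "ip", t[3:]
            src, dst = _addr(rest), ANY
        else:                               # extended ACL: protocol, source, destination
            proto, rest = t[3], t[4:]
            src, dst = _addr(rest), _addr(rest)
        icmp_type = rest[0] if rest and proto == "icmp" else ""
        entries.append((action, proto, src, dst, icmp_type))
    return entries

def evaluate(entries, pkt):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, icmp_type in entries:
        if (proto != "ip" and proto != pkt.proto) or s not in src or d not in dst:
            continue
        if icmp_type and icmp_type != pkt.icmp_type:
            continue
        return action
    return "deny"
```

    Feeding it Jon's line without the `host` keywords raises the same kind of syntax complaint Barry expected the router to give, and swapping "ip" for "tcp" on the final permit shows UDP traffic silently dropped by the implicit deny.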
  5. Unknown

    strider Guest

    Unknown wrote:
    > hi,
    >
    > how would i implement an access control list on a cisco router?
    >
    > lets say i have a mini network setup, with 8 computers and 4 routers. and
    > each 2 set computer is attached to a switch. (so it will look like a star
    > network)
    >
    > how would i;
    >
    > stop a telnet from a workstation to a router,
    > stop a ping from a workstation to a workstation.
    >
    > thanx
    >
    > Jon


    Is this all you are trying to do?
    Is there any other permits or denys that need to be implemented?
    Email me and I will be happy to discuss this with you.

    Jon C.
     
    strider, May 2, 2005
    #5
