Simple acl question?

Discussion in 'Cisco' started by mg, Dec 3, 2003.

  1. mg

    mg Guest

    Hi, I need to allow all protocols from my DMZ to one internal host... just
    for a few days. There are other rules in this list that I don't want down
    while I play with php, oracle and a few other things.

    Is this even possible?

    access-list 170 permit tcp host 203.xx.xx.xx any eq pop3
    access-list 170 permit tcp host 203.xx.xx.xx any eq 22
    >>>>> access-list 170 permit tcp host 203.xx.xx.xx 10.xx.xx.xx any <<<<<<

    access-list 170 permit icmp any any echo
    access-list 170 permit icmp any any echo-reply
    access-list 170 deny ip any any log

    I tried but failed. Apologies if this is a dumb question, routers are not my
    thing, Tia.
    mg, Dec 3, 2003
    #1

  2. > Hi, I need to allow all protocols from my DMZ to one internal host... just
    > for a few days. There are other rules in this list that I don't want down
    > while I play with php, oracle and a few other things.
    >
    > Is this even possible?
    >
    > access-list 170 permit tcp host 203.xx.xx.xx any eq pop3
    > access-list 170 permit tcp host 203.xx.xx.xx any eq 22
    > >>>>> access-list 170 permit tcp host 203.xx.xx.xx 10.xx.xx.xx any <<<<<<
    >
    > access-list 170 permit icmp any any echo
    > access-list 170 permit icmp any any echo-reply
    > access-list 170 deny ip any any log
    >
    > I tried but failed. Apologies if this is a dumb question, routers are not my
    > thing, Tia.

    I think something like that:
    int <your LAN interface>
    ip access-group templist in

    ip access-list extended templist
    permit ip 203... <inverse mask> <ip of one internal host>



    --
    With best regards,
    Vitaly Gonchar

    IT-Manager of Infopulse Ukraine Ltd.
    ICQ:#95041222, homepage: http://www.gonchar.org
    Vitaly Gonchar, Dec 3, 2003
    #2

  3. In article <Ofizb.37523$>,
    mg <> wrote:
    :Hi, I need to allow all protocols from my DMZ to one internal host... just
    :for a few days. There are other rules in this list that I don't want down
    :while I play with php, oracle and a few other things.

    : Is this even possible?

    Sure.


    :access-list 170 permit tcp host 203.xx.xx.xx any eq pop3
    :access-list 170 permit tcp host 203.xx.xx.xx any eq 22
    :>>>>> access-list 170 permit tcp host 203.xx.xx.xx 10.xx.xx.xx any <<<<<<

    If 10.xx.xx.xx represents one specific internal host, and
    host 203.xx.xx.xx is your DMZ, and access-list 170 is applied
    against 'in' to your DMZ interface, then you would use

    access-list 170 permit ip host 203.xx.xx.xx host 10.xx.xx.xx

    The keyword 'host' only applies to what follows immediately afterwards.
    host 203.xx.xx.xx is equivalent to 203.xx.xx.xx 0.0.0.0

    The keyword 'any' is only used to replace a destination IP in the syntax.
    'any' is equivalent to 0.0.0.0 255.255.255.255 .

    You do not need to specifically note that you want all ports to be
    accessible: all ports is the default unless you constrain it.
    --
    Whose posting was this .signature Google'd from?
    Walter Roberson, Dec 3, 2003
    #3
  4. mg

    mg Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bql3rn$2cv$...

    > The keyword 'any' is only used to replace a destination IP in the syntax.
    > 'any' is equivalent to 0.0.0.0 255.255.255.255 .


    Thanks so much, worked perfectly.
    mg, Dec 4, 2003
    #4
  5. pedski

    pedski Guest

    the word any can be used in both destination and source

    it is equivalent to
    0.0.0.0 0.0.0.0

    mg wrote:
    > "Walter Roberson" <-cnrc.gc.ca> wrote in message
    > news:bql3rn$2cv$...
    >
    >
    >>The keyword 'any' is only used to replace a destination IP in the syntax.
    >>'any' is equivalent to 0.0.0.0 255.255.255.255 .

    >
    >
    > Thanks so much, worked perfectly.
    >
    >
    pedski, Dec 6, 2003
    #5
  6. In article <>,
    pedski <> wrote:
    :the word any can be used in both destination and source

    :it is equivalent to
    :0.0.0.0 0.0.0.0

    The original poster used a numbered access list, and included a 'log'
    parameter at the end of one of the entries. These hint that the
    original poster was using IOS instead of PIX. In IOS, 'any' is
    0.0.0.0 255.255.255.255

    http://www.cisco.com/univercd/cc/td...ios121/121cgcr/ip_r/iprprt1/1rdip.htm#1028163


    In PIX 'any' would be 0.0.0.0 0.0.0.0 because PIX acls use netmask
    type bits instead of wildcard bits. PIX acls -can- be numbered, but
    the number is just another form of a name to the PIX. On the PIX,
    denials by an ACL result in a log entry provided that your logging level
    is 4 or above, unless you turn off message number 106023. Adding the
    'log' keyword to a PIX acl does have meaning: it results in the
    generation of message number 106100 with a default level of 6 -- so
    unless you had specifically turned off 106023 then on the PIX,
    the 106023 (level 4) would be logged under any circumstance that
    the 106100 (level 6) would be, so the 'log' statement would be somewhat
    redundant. On the PIX, if one is going to bother to use 'log' in
    an ACL, one would usually use the 'level' option to push the logging level
    higher to allow the entry to be logged without having to drop to level 6.

    Based on this analysis, I suggest to you that the original poster was
    much more likely to be using IOS than PIX, and thus that my original
    statement of 'any' as 0.0.0.0 255.255.255.255 was correct.
    --
    Come to think of it, there are already a million monkeys on a million
    typewriters, and Usenet is NOTHING like Shakespeare. -- Blair Houghton.
    Walter Roberson, Dec 6, 2003
    #6
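The semantics argued over in this thread (Walter Roberson's #3 on 'host', 'any' and the all-ports default, and his #6 on IOS wildcard bits versus PIX netmask bits) can be checked with a small model. The following Python evaluator is an added example written for this page, not code from any poster or from Cisco. It accepts 'any' in either the source or destination position, treats masks as IOS wildcard bits, applies the implicit deny at the end of the list, and includes a helper that converts an IOS wildcard to the PIX-style netmask. The addresses (203.0.113.10 as the DMZ host, 10.1.1.0/24 internally) and the port-name table are constructed for the example and are not the original poster's values.

```python
"""Model of Cisco IOS extended-ACL matching (added example, not from the thread).

IOS rules modelled here:
  * 'host A' is shorthand for 'A 0.0.0.0' and binds only to the next token,
  * 'any' is shorthand for '0.0.0.0 255.255.255.255' (wildcard: 1 = don't care),
  * entries are tested top down; an implicit 'deny ip any any' ends the list,
  * an entry without 'eq PORT' matches every port.
The last helper shows the PIX convention, where the mask is a netmask.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of IOS port-name keywords, enough for the thread's list (constructed).
PORT_NAMES = {"pop3": 110, "ssh": 22, "www": 80}


def _int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (addr, wildcard, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":                       # 'host' applies only to the next token
        return _int(tokens[i + 1]), 0, i + 2
    return _int(tok), _int(tokens[i + 1]), i + 2


@dataclass
class Ace:
    action: str                       # 'permit' or 'deny'
    proto: str                        # 'ip', 'tcp', 'udp' or 'icmp'
    src: int
    src_wc: int
    dst: int
    dst_wc: int
    dport: Optional[int] = None       # None: all ports (the default)
    icmp_type: Optional[str] = None   # e.g. 'echo', 'echo-reply'
    log: bool = False


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [TYPE] [log]'."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                           # drop 'access-list' and the number
    ace = Ace(t[0], t[1], 0, 0, 0, 0)
    ace.src, ace.src_wc, i = parse_addr(t, 2)
    ace.dst, ace.dst_wc, i = parse_addr(t, i)
    while i < len(t):
        if t[i] == "eq":
            ace.dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        elif t[i] == "log":
            ace.log = True
            i += 1
        elif ace.proto == "icmp":           # bare ICMP type keyword
            ace.icmp_type = t[i]
            i += 1
        else:
            raise ValueError(f"unexpected token {t[i]!r} in {line!r}")
    return ace


def is_valid(line: str) -> bool:
    """True if the entry parses; the poster's 'host A B any' form does not."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def wc_match(addr: int, wc: int, pkt: int) -> bool:
    """Wildcard compare: only bits that are 0 in the wildcard must agree."""
    care = ~wc & 0xFFFFFFFF
    return addr & care == pkt & care


def evaluate(acl, proto, src, dst, dport=None, icmp_type=None) -> str:
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not wc_match(ace.src, ace.src_wc, _int(src)):
            continue
        if not wc_match(ace.dst, ace.dst_wc, _int(dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action
    return "deny"                           # implicit deny at the end of the list


def wildcard_to_netmask(wc: str) -> str:
    """IOS wildcard -> PIX-style netmask; 255.255.255.255 becomes 0.0.0.0."""
    return str(ipaddress.IPv4Address(~_int(wc) & 0xFFFFFFFF))


# The thread's list with the corrected third entry (constructed sample addresses).
ACL_170 = [parse_ace(l) for l in (
    "access-list 170 permit tcp host 203.0.113.10 any eq pop3",
    "access-list 170 permit tcp host 203.0.113.10 any eq 22",
    "access-list 170 permit ip host 203.0.113.10 host 10.1.1.5",
    "access-list 170 permit icmp any any echo",
    "access-list 170 permit icmp any any echo-reply",
    "access-list 170 deny ip any any log",
)]
```

Running `evaluate(ACL_170, "tcp", "203.0.113.10", "10.1.1.5", 1521)` yields `permit` (the single-host entry carries no port, so the Oracle listener port is covered), while the same packet to 10.1.1.6 falls through to the explicit deny, and `is_valid("access-list 170 permit tcp host 203.0.113.10 10.1.1.5 any")` returns `False` because the parser, like IOS, expects a wildcard after a bare address. Note that the evaluator only models the entry text; where the list is applied (the DMZ interface, inbound) still decides which packets ever reach it.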