status acl

Upload: ngaji-yanto, 14-Apr-2018

7/30/2019 Status Acl

http://slidepdf.com/reader/full/status-acl 1/5

Status:

Setting up basic ACLs on Cisco 2600

OK, I have a small project I'm working on. To start with, here's the basic network map:

I'm looking to set up some very basic access control lists for using the router as a firewall. (This is a requirement for the class I'm doing this for, so don't ask me why I'm not using a regular firewall.) Since we're only dealing with these three servers (web, email and FTP), we're only concerned with ports 80, 25, 20/21 and 110. However, Windows ephemeral ports 49151-65535 have to be considered as well.

Here's what I have so far:

Code:

!Access List #1
!Applied to e0/0
!
Router(config)# access-list 1 permit tcp any eq 80
Router(config)# access-list 1 permit tcp any eq 25
Router(config)# access-list 1 permit tcp any eq 110
Router(config)# access-list 1 permit tcp any eq 20
Router(config)# access-list 1 permit tcp any eq 21
Router(config)# access-list 1 permit tcp any range 49151-65535
Router(config)# access-list 1 deny ip any any
!
!
!end


!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 permit tcp any eq 80
Router(config)# access-list 2 permit tcp any eq 25
Router(config)# access-list 2 deny tcp any eq 110
Router(config)# access-list 2 permit tcp any eq 20
Router(config)# access-list 2 permit tcp any eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end

Am I on the right track here? I don't want to be missing something huge.

__________________
i7 3930K ~ Asus P9X79 Pro ~ DD D5 with EK X-top Rev. 2, Heatkiller CU 3.0 Nickel, BIX Quad Radiator ~ Triple 7970's with EK FC-7970 CSQ nickel/acetal blocks & FC-link ~ 4 x 8GB Corsair Dominator GT DDR3-1866 ~ Dual Corsair Force 120GB in Raid 0 ~ Lite-On BluRay Reader ~ Corsair AX1200 Power Supply ~ Silverstone TJ07

#2 05-08-2008, 08:17 AM
Fint [H]ard|Gawd, 9.2 Years

Your syntax is wrong for an ACL.

RTI-VB(config)#access-list 2 permit tcp any eq 80
Translating "tcp"
                                    ^
% Invalid input detected at '^' marker.

RTI-VB(config)#access-list 2 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

There is usually no point in blocking at both interfaces.

#3 05-08-2008, 01:02 PM
blk95civicex Limp Gawd, 10.6 Years

I could be wrong, but I think you might want to specify internal hosts and their ports. It looks to me like all of those ports are open to any of the servers. Something like below maybe??

**********

!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 deny tcp any any eq 110
Router(config)# access-list 2 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 2 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end

**********

Also, deny entries go before permits. I am definitely not an ACL expert however. Hope I have helped, but no guarantees.

#4 05-08-2008, 01:43 PM
Impulse25 n00bie, 7.6 Years

If you want to block explicit ports you have to use an extended access list, which are numbered 100-199:

i.e.: access-list 100 permit tcp any any eq 80 permits all http traffic from any host to any host

Access lists 1-99 are standard access lists and allow/deny traffic based on a source host or network only

i.e.: access-list 1 permit 1.1.1.1 0.0.0.0 permits all traffic from the host 1.1.1.1

#5 05-08-2008, 01:59 PM
blk95civicex Limp Gawd, 10.6 Years

Ah yes, I forgot to change the access-list name in my example.

#6 05-08-2008, 02:05 PM
t_ski [H]ardness Supreme, 7.2 Years

Quote:

Originally Posted by Fint
There is usually no point in blocking at both interfaces.

I forgot to mention that these were being applied to the "in" side of each of the ports. Port e0/0 was traffic from the internet through the router to the DMZ/LAN. Port e0/1 was traffic from the DMZ/LAN through the router to the internet.

I think I need a statement to apply the access-group as well. Something like:

Code:

Router(config)# int e0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# int e0/1
Router(config-if)# ip access-group 101 in


Quote:

Originally Posted by blk95civicex
I could be wrong, but I think you might want to specify internal hosts and their ports. It looks to me like all of those ports are open to any of the servers. Something like below maybe??

**********

!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 deny tcp any any eq 110
Router(config)# access-list 2 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 2 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end

**********

Also, deny entries go before permits. I am definitely not an ACL expert however. Hope I have helped, but no guarantees.

Yes, that makes sense. That just gets applied to the e0/1 interface, or on both sides?

Quote:

Originally Posted by Impulse25
If you want to block explicit ports you have to use an extended access list, which are numbered 100-199:

i.e.: access-list 100 permit tcp any any eq 80 permits all http traffic from any host to any host

Access lists 1-99 are standard access lists and allow/deny traffic based on a source host or network only

i.e.: access-list 1 permit 1.1.1.1 0.0.0.0 permits all traffic from the host 1.1.1.1

OK, that clears up the info I was reading. I didn't understand the difference between standard and extended access lists. So how about this for the new text:

Code:

!Access List #100
!Applied to e0/0 coming in from the internet
!
Router(config)# access-list 100 permit tcp any eq 80
Router(config)# access-list 100 permit tcp any eq 25
Router(config)# access-list 100 permit tcp any eq 110
Router(config)# access-list 100 permit tcp any eq 20
Router(config)# access-list 100 permit tcp any eq 21
Router(config)# access-list 100 permit tcp any range 49151-65535
Router(config)# access-list 100 deny ip any any
!
!
!end

!Access List #101
!Applied to e0/1 going out of the DMZ
!
Router(config)# access-list 101 deny tcp any eq 110
Router(config)# access-list 101 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 101 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 101 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 101 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 101 permit tcp any range 49151-65535
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 deny ip any any
!
!
!end

I know I'm supposed to deny a local IP address from accessing the network from the internet. Should I add the following to ACL #100:

Code:

Router(config)# access-list 100 deny host 10.20.0.0 255.255.255.0 any

__________________
i7 3930K ~ Asus P9X79 Pro ~ DD D5 with EK X-top Rev. 2, Heatkiller CU 3.0 Nickel, BIX Quad Radiator ~ Triple 7970's with EK FC-7970 CSQ nickel/acetal blocks & FC-link ~ 4 x 8GB Corsair Dominator GT DDR3-1866 ~ Dual Corsair Force 120GB in Raid 0 ~ Lite-On BluRay Reader ~ Corsair AX1200 Power Supply ~ Silverstone TJ07
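The thread stops at the OP's question about ACL 100/101 and the spoofing deny, so the following is added here as a worked configuration; it is not the OP's config, not any poster's code, and not part of the original thread. It covers Impulse25's standard-versus-extended point (#4) and the OP's final lists and spoofing line (#6). It assumes the addressing the thread uses in its examples (web 10.20.1.1, mail 10.20.1.2, FTP 10.20.1.3 on a 10.20.1.0/24 DMZ, e0/0 toward the internet, e0/1 toward the DMZ); the remark text, the ICMP selection and the DNS permit for the mail server are choices made for this example. Four things it changes relative to the OP's last draft: every extended entry carries both a source and a destination (the OP's `permit tcp any eq 80` has no destination, which is why IOS rejects it); the ephemeral-port permit is replaced by `established`, because `permit tcp any range 49151-65535` would let any internet host open new connections to every high port on every DMZ machine; port 20 is not opened inbound, since in active-mode FTP the server originates the data connection from port 20 and only the replies come back in; and the spoofing line uses `ip` with a wildcard mask, not `host` with a subnet mask (the OP's `deny host 10.20.0.0 255.255.255.0 any` has no protocol, `host` takes a single address, and 255.255.255.0 would be read as a wildcard). IOS checks entries top down and stops at the first match, so what matters is the order in which a packet could match, not putting all denies first; the spoofing deny goes before the service permits because they would otherwise match a spoofed packet first.

```cisco
! Added example (not the thread's config). Assumed addressing, taken from the hosts the
! thread uses: DMZ 10.20.1.0/24, web 10.20.1.1, mail 10.20.1.2, FTP 10.20.1.3.
! e0/0 faces the internet, e0/1 faces the DMZ; both lists are applied "in".
! IOS checks entries top down, stops at the first match, and ends every list with an
! implicit "deny ip any any", so order decides what gets through, not deny-vs-permit.
!
! ---- ACL 100: packets arriving on e0/0 from the internet ----
access-list 100 remark Anti-spoofing first: our own DMZ range must never arrive from outside.
access-list 100 remark Wildcard mask 0.0.0.255 (not subnet mask 255.255.255.0) and "ip", not "host".
access-list 100 deny   ip 10.20.1.0 0.0.0.255 any log
access-list 100 remark Published services, each pinned to the one host that runs it.
access-list 100 permit tcp any host 10.20.1.1 eq 80
access-list 100 permit tcp any host 10.20.1.2 eq 25
access-list 100 permit tcp any host 10.20.1.2 eq 110
access-list 100 permit tcp any host 10.20.1.3 eq 21
access-list 100 remark Return traffic for sessions the DMZ opened (outbound SMTP, active FTP data
access-list 100 remark from port 20): "established" matches only segments with ACK or RST set.
access-list 100 remark This replaces "permit tcp any range 49151-65535", which would let anyone
access-list 100 remark on the internet open new connections to every high port on every DMZ host.
access-list 100 permit tcp any 10.20.1.0 0.0.0.255 established
access-list 100 remark DNS answers for the mail server (assumed: it resolves MX records itself).
access-list 100 permit udp any eq 53 host 10.20.1.2
access-list 100 remark ICMP: only the types needed for path MTU discovery and diagnostics,
access-list 100 remark instead of "permit icmp any any".
access-list 100 permit icmp any 10.20.1.0 0.0.0.255 echo-reply
access-list 100 permit icmp any 10.20.1.0 0.0.0.255 unreachable
access-list 100 permit icmp any 10.20.1.0 0.0.0.255 time-exceeded
access-list 100 remark Explicit final deny with "log" so blocked traffic shows up in syslog.
access-list 100 deny   ip any any log
!
! ---- ACL 101: packets arriving on e0/1 from the DMZ ----
access-list 101 remark Replies from the published services (SYN/ACK and later segments).
access-list 101 permit tcp 10.20.1.0 0.0.0.255 any established
access-list 101 remark Sessions the DMZ may start: outbound mail, active-mode FTP data, DNS.
access-list 101 permit tcp host 10.20.1.2 any eq 25
access-list 101 permit tcp host 10.20.1.3 eq 20 any
access-list 101 permit udp host 10.20.1.2 any eq 53
access-list 101 permit icmp 10.20.1.0 0.0.0.255 any echo-reply
access-list 101 permit icmp 10.20.1.0 0.0.0.255 any unreachable
access-list 101 remark Every permit above is scoped to DMZ sources, so a packet leaving the DMZ
access-list 101 remark with any other source address falls through to this deny.
access-list 101 deny   ip any any log
!
! ---- Apply each list inbound on its interface ----
interface Ethernet0/0
 ip access-group 100 in
!
interface Ethernet0/1
 ip access-group 101 in
!
end
```

Once the lists are applied, `show access-lists 100` prints a per-entry match counter, which is the quickest way to see whether a test connection hit the line you expected or fell through to the final deny, and `show ip interface Ethernet0/0` confirms which list is applied in which direction. Two caveats: `established` is a TCP flag check, not connection tracking, so any segment with ACK set passes whether or not a session exists (host firewalls on the servers still matter, and stateful inspection on IOS means CBAC or the zone-based firewall rather than a plain ACL); and passive-mode FTP needs an extra permit in ACL 100 to the server's configured passive port range, which this example leaves out.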