OK, I have a small project I'm working on. To start with, here's the basic network map:
I'm looking to set up some very basic access control lists for using the router as a firewall. (This is a requirement for the class I'm doing this for, so don't ask me why I'm not using a regular firewall.) Since we're only dealing with these three servers (web, email and FTP), we're only concerned with ports 80, 25, 20/21 and 110. However, Windows ephemeral ports 49151-65535 have to be considered as well. Here's what I have so far:
Code:
!Access List #1
!Applied to e0/0
!
Router(config)# access-list 1 permit tcp any eq 80
Router(config)# access-list 1 permit tcp any eq 25
Router(config)# access-list 1 permit tcp any eq 110
Router(config)# access-list 1 permit tcp any eq 20
Router(config)# access-list 1 permit tcp any eq 21
Router(config)# access-list 1 permit tcp any range 49151-65535
Router(config)# access-list 1 deny ip any any
!
!
!end

!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 permit tcp any eq 80
Router(config)# access-list 2 permit tcp any eq 25
Router(config)# access-list 2 deny tcp any eq 110
Router(config)# access-list 2 permit tcp any eq 20
Router(config)# access-list 2 permit tcp any eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end
#2 05-08-2008, 08:17 AM
Fint [H]ard|Gawd, 9.2 Years
Your syntax is wrong for an ACL.

RTI-VB(config)#access-list 2 permit tcp any eq 80
Translating "tcp"
                                    ^
% Invalid input detected at '^' marker.

RTI-VB(config)#access-list 2 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
I could be wrong, but I think you might want to specify internal hosts and their ports. It looks to me like all of those ports are open to any of the servers. Something like below maybe??

**********
!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 deny tcp any any eq 110
Router(config)# access-list 2 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 2 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end
**********

Also, deny entries go before permits. I am definitely not an ACL expert however. Hope I have helped, but no guarantees.
#4 05-08-2008, 01:43 PM
If you want to block explicit ports you have to use an extended access list, which are numbered 100-199, i.e.:

access-list 100 permit tcp any any eq 80

permits all http traffic from any host to any host.

Access lists 1-99 are standard access lists and allow/deny traffic based on a source host or network only, i.e.:

access-list 1 permit 1.1.1.1 0.0.0.0

permits all traffic from the host 1.1.1.1.
#5 05-08-2008, 01:59 PM
blk95civicex Limp Gawd, 10.6 Years Ah yes, I forgot to change the access-list name in my example.
#6 05-08-2008, 02:05 PM
Quote:
Originally Posted by Fint
There is usually no point in blocking at both interfaces.

I forgot to mention that these were being applied to the "in" side of each of the ports. Port e0/0 was traffic from the internet through the router to the DMZ/LAN. Port e0/1 was traffic from the DMZ/LAN through the router to the internet. I think I need a statement to apply the access-group as well. Something like:
Code:
(Config)# int e0/0
Router(config-if)# ip access-group 100 in
(Config)# int e0/1
Router(config-if)# ip access-group 101 in
Quote:
Originally Posted by blk95civicex
I could be wrong, but I think you might want to specify internal hosts and their ports. It looks to me like all of those ports are open to any of the servers. Something like below maybe??

**********
!Access List #2
!Applied to e0/1
!
Router(config)# access-list 2 deny tcp any any eq 110
Router(config)# access-list 2 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 2 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 2 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 2 permit tcp any range 49151-65535
Router(config)# access-list 2 permit icmp any any
Router(config)# access-list 2 deny ip any any
!
!
!end
**********

Also, deny entries go before permits. I am definitely not an ACL expert however. Hope I have helped, but no guarantees.

Yes, that makes sense. That just gets applied to the e0/1 interface, or on both sides?
Quote:
Originally Posted by Impulse25
If you want to block explicit ports you have to use an extended access list, which are numbered 100-199, i.e.:

access-list 100 permit tcp any any eq 80

permits all http traffic from any host to any host.

Access lists 1-99 are standard access lists and allow/deny traffic based on a source host or network only, i.e.:

access-list 1 permit 1.1.1.1 0.0.0.0

permits all traffic from the host 1.1.1.1.

OK, that clears up the info I was reading. I didn't understand the difference between standard and extended access lists. So how about this for the new text:
Code:
!Access List #100
!Applied to e0/0 coming in from the internet
!
Router(config)# access-list 100 permit tcp any eq 80
Router(config)# access-list 100 permit tcp any eq 25
Router(config)# access-list 100 permit tcp any eq 110
Router(config)# access-list 100 permit tcp any eq 20
Router(config)# access-list 100 permit tcp any eq 21
Router(config)# access-list 100 permit tcp any range 49151-65535
Router(config)# access-list 100 deny ip any any
!
!
!end

!Access List #101
!Applied to e0/1 going out of the DMZ
!
Router(config)# access-list 101 deny tcp any eq 110
Router(config)# access-list 101 permit tcp any host 10.20.1.1 eq 80
Router(config)# access-list 101 permit tcp any host 10.20.1.2 eq 25
Router(config)# access-list 101 permit tcp any host 10.20.1.3 eq 20
Router(config)# access-list 101 permit tcp any host 10.20.1.3 eq 21
Router(config)# access-list 101 permit tcp any range 49151-65535
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 deny ip any any
!
!
!end
I know I'm supposed to deny a local IP address from accessing the network from the internet. Should I add the following to ACL #100:
Code:
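A worked version of the two lists as extended ACLs with explicit destinations, the anti-spoofing entry the last post asks about, and the `ip access-group` bindings, written as an added example rather than any poster's config. It assumes the DMZ is 10.20.1.0/24 (only the three hosts appear in the thread), that 10.20.1.2 serves both SMTP and POP3, and uses the IOS `established` keyword for return traffic in place of a blanket ephemeral-port permit.

```cisco
! Added example, not the OP's config. Assumes DMZ = 10.20.1.0/24 and that
! 10.20.1.2 is the mail server for both SMTP (25) and POP3 (110).
!
! List 100: inbound on e0/0, traffic arriving from the internet.
access-list 100 remark anti-spoofing: our own DMZ range must never arrive from outside
access-list 100 deny   ip 10.20.1.0 0.0.0.255 any log
access-list 100 permit tcp any host 10.20.1.1 eq 80
access-list 100 permit tcp any host 10.20.1.2 eq 25
access-list 100 permit tcp any host 10.20.1.2 eq 110
access-list 100 permit tcp any host 10.20.1.3 eq 21
access-list 100 permit tcp any host 10.20.1.3 eq 20
! Replies to connections the DMZ itself opened (e.g. outbound SMTP): only
! segments with ACK or RST set, only to the IANA dynamic range 49152-65535,
! so a bare SYN to a high port on a server is still dropped.
access-list 100 permit tcp any 10.20.1.0 0.0.0.255 range 49152 65535 established
access-list 100 permit icmp any 10.20.1.0 0.0.0.255 echo-reply
access-list 100 permit icmp any 10.20.1.0 0.0.0.255 packet-too-big
! Explicit final deny with log so hits show up in the router log.
access-list 100 deny   ip any any log
!
! List 101: inbound on e0/1, traffic leaving the DMZ.
access-list 101 remark only our own DMZ addresses may leave; nothing else is sourced here
access-list 101 permit tcp 10.20.1.0 0.0.0.255 any established
access-list 101 permit tcp host 10.20.1.2 any eq 25
! Active-mode FTP data: the server opens the connection from port 20.
access-list 101 permit tcp host 10.20.1.3 eq 20 any
access-list 101 permit icmp 10.20.1.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
interface Ethernet0/0
 ip access-group 100 in
!
interface Ethernet0/1
 ip access-group 101 in
```

`established` only inspects the ACK/RST flag bits and keeps no connection state; IOS reflexive ACLs or CBAC are the stateful options if the class allows them. Entries are evaluated top to bottom and the first match wins, so order by specificity rather than by deny-before-permit.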