Access List Allow Traffic From a Public IP and port
spooke
Guest
Posted: Wed Dec 07, 2005 2:14 am    Post subject: Access List Allow Traffic From a Public IP and port

Hi all,
On a 1720 with IOS 12.2(8)T10 I have some access lists, and with these I
deny the traffic from all the TCP ports except the well-known ones (80, 23,
etc.).
Now I have to allow the traffic from some specific public IPs on some
specific ports to a specific host of my network.

First question: Is the access list that you find below in this document
right?

Second question: I have to allow the same for these IPs: 80.207.109.105 -
80.207.109.110 - 80.207.109.119 - 80.207.109.121 - 80.207.109.122 -
80.207.109.123 - 80.207.109.124. Is there a method to avoid rewriting the
lines that allow the traffic for each one of the public IPs? (I'm thinking of
a subnet, but I do not know how.)

Excuse me for my English, and many thanks to all.
Gian Paolo


access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any any eq 443
access-list 102 permit udp any any eq 23
access-list 102 permit udp any any eq 21
access-list 102 permit udp any any eq domain
access-list 102 permit udp any any eq 110
access-list 102 permit udp any any eq 25
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 80
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 389
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 443
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 eq 2560
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 7001 7002
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 8080 8084
access-list 102 permit tcp host 10.10.10.101 host 80.207.109.110 range 8090 8091
access-list 102 deny ip any any
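Gian Paolo's second question (one ACL line per public IP, or "a subnet") is what Cisco wildcard masks are for, but a coarse mask silently admits hosts that were never listed. The following Python is an added example, not part of the post: it merges the seven public IPs into address/wildcard pairs that match only the listed hosts, shows what a constructed coarse mask (80.207.109.104 0.0.0.31) would really let through, and prints ACL 102 lines in the post's own format. The ports 443 and 2560 are taken from the post's ACL; the greedy merge is the example's own method, not an IOS feature.

```python
import ipaddress
from itertools import combinations

# The seven public addresses from the post (only the last octet differs).
PUBLIC = ["80.207.109.105", "80.207.109.110", "80.207.109.119", "80.207.109.121",
          "80.207.109.122", "80.207.109.123", "80.207.109.124"]

def _matched(fixed, wildcard):
    """All 32-bit values matched by a Cisco address/wildcard pair (wildcard 1 = don't care)."""
    free = [1 << i for i in range(32) if wildcard >> i & 1]
    return {fixed | sum(bits) for n in range(len(free) + 1) for bits in combinations(free, n)}

def expand(address, wildcard):
    """Dotted hosts an 'address wildcard' pair really admits; use it to audit a mask."""
    a, w = int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(wildcard))
    return {str(ipaddress.IPv4Address(v)) for v in _matched(a & ~w & 0xFFFFFFFF, w)}

def summarize(hosts):
    """Greedily merge single hosts into wildcard pairs that match ONLY the listed hosts.
    Returns sorted 'address wildcard' strings; a 0.0.0.0 wildcard means a single host."""
    want = {int(ipaddress.IPv4Address(h)) for h in hosts}
    entries = [(h, 0) for h in sorted(want)]
    merged = True
    while merged:
        merged = False
        for (a1, w1), (a2, w2) in combinations(entries, 2):
            w = w1 | w2 | (a1 ^ a2)            # bits that differ become don't-care
            a = a1 & ~w & 0xFFFFFFFF
            if _matched(a, w) <= want:         # reject if any unlisted host slips in
                entries = [e for e in entries if e not in ((a1, w1), (a2, w2))] + [(a, w)]
                merged = True
                break
    return sorted(f"{ipaddress.IPv4Address(a)} {ipaddress.IPv4Address(w)}" for a, w in entries)

def acl_lines(acl, src_host, hosts, ports):
    """Numbered extended ACL lines in the post's format, one per wildcard group and port."""
    lines = []
    for pair in summarize(hosts):
        addr, wc = pair.split()
        dst = f"host {addr}" if wc == "0.0.0.0" else pair
        lines += [f"access-list {acl} permit tcp host {src_host} {dst} eq {p}" for p in ports]
    return lines

if __name__ == "__main__":
    print("\n".join(acl_lines(102, "10.10.10.101", PUBLIC, [443, 2560])))
    # What a coarse mask (constructed: 80.207.109.104 0.0.0.31) would let through instead.
    print(sorted(expand("80.207.109.104", "0.0.0.31"), key=ipaddress.IPv4Address))
```

For these seven addresses the merge yields five entries instead of seven, while the 0.0.0.31 mask would admit 32 hosts, 25 of them never listed.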
garrisb
Guest
Posted: Sat Dec 10, 2005 4:33 am    Post subject: Re: Access List Allow Traffic From a Public IP and port

Just need to understand your ACL in order to say if it's right or
not....

Is this an Internet-facing router? If so....
Is there a reason you're allowing ports like 23 and such from the
general Internet? Maybe a better way is to deny all and then allow
only what you need specifically....
If you require terminal-type access, I would use SSH...

Do you really want port 389, or did you mean 3389 (remote desktop)?

For 80.207.109.x, if this is from the Internet, you should have a
device doing network address translation for your "10.10.10.101" system...

i.e....

Using something like this is less burdensome but can accomplish the
same thing I THINK you're trying to achieve... (you can lock this down
even further... this says "if it's not one of the listed denies, allow
it")

!
interface <ADD INTERFACE>
ip access-group spooke in
!
ip access-list extended spooke
remark "EXAMPLE ACL"
deny ip any 0.0.0.0 0.255.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
deny ip any 127.0.0.0 0.255.255.255 log-input
deny ip any 169.254.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 192.0.2.0 0.0.0.255 log-input
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 224.0.0.0 7.255.255.255 log-input
deny ip any 255.0.0.0 0.255.255.255 log-input
deny ip any host 255.255.255.255 log-input
deny 55 any any log-input
deny 77 any any log-input
deny pim any any log-input
permit tcp host <ADD TELNET-SPECIFIC SOURCE IP HERE, if you need telnet; otherwise use SSH> any eq telnet
deny tcp any any eq telnet log-input
deny tcp any any eq 135 log-input
deny udp any any eq 135 log-input
deny tcp any any eq 137 log-input
deny udp any any eq 137 log-input
deny tcp any any eq 139 log-input
deny udp any any eq 139 log-input
deny udp any any eq snmp log-input
deny udp any any eq 1993 log-input
deny udp any any eq tftp log-input
deny udp any any eq bootpc log-input
deny udp any any eq bootps log-input
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 eq 80
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 eq 3389
remark use eq 389 above instead if 389 was really intended
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 eq 2560
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 range 7001 7002
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 range 8080 8084
permit tcp host <ADD HOST NATT'D IP HERE..> host 80.207.109.110 range 8090 8091
permit icmp any any echo-reply log-input
deny icmp any any
permit ip any any log-input
no cdp run