Raymond asked:
ACL problem in Cisco 25xx routers.

I want to apply some restrictions to the network by using Extended ACL.

The restrictions are:

1. No restriction in Internal network.
2. Internal to External network: Telnet only.
3. External to Internal network: Can only make Telnet connection to one Router.

The Internal network is connected to External network by ONE serial connection.

All routers are Cisco 25xx series.

What access-lists should be applied to the network?
Where should the access-lists be applied?


regards,
Raymond
geoffryn answered:

10.10.10.0  internal
192.168.1.0 external
10.10.10.31 router


access-list 101 permit tcp 10.10.10.0 0.0.0.255 eq 23 any gt 1023
access-list 101 permit tcp host 10.10.10.31 gt 1023 any eq 23
access-list 102 permit tcp 192.168.61.0 0.0.0.255 eq 23 10.10.10.31 gt 1023


router(config-if "internal")# ip access-group 101 out
router(config-if "external")# ip access-group 102 in
svindler answered:

I'll reuse geoffryn's addresses, assuming class for both, though for the rest of geoffryn's suggestion I can only say: "geoffryn, don't smoke anything you can't buy in a supermarket" ;-) How about return traffic and what about those directions???

Based on the 1st restriction, I won't apply the ACLs on the internal interface, as this will restrict access to the router itself, but in and out on the external interface.

access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23
access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established

access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established
access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23

router(config-if "external")# ip access-group 101 out
router(config-if "external")# ip access-group 102 in

Of course, if the external network is only supposed to be 192.168.1.0 then "any" can be replaced by "192.168.1.0 0.0.0.255".

You're right, that's just bad.

Never get in a hurry on too little caffeine.
Raymond (asker):

Thanx, svindler !

But I still have two questions regarding your suggested ACLs.

1. What is the difference between
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23"
   and
   "access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 23" ?

2. What does the keyword "established" mean?

Thanx very much.


regards,
Raymond
The first specifies that the source port must be higher than 1023. Originating a connection on a well-known/service port is potentially exploitable.

The second specifies that the traffic will only be allowed if it is in response to a connection originating from the inside, i.e. "established".
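As an added, constructed example that is not from the thread: a small Python evaluator of the four access-list lines svindler posted, run over the flows from the three requirements. It shows how the "gt 1023" source-port check and the "established" keyword (matched only when the TCP ACK or RST bit is set) decide which packets pass in each direction. The host addresses and port numbers used in the checks are assumed.

```python
import ipaddress

# The extended-ACL lines exactly as posted in the thread (svindler's version).
ACL_TEXT = """
access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23
access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established
access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established
access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23
"""

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        h = ipaddress.ip_address(tokens[1])
        return (lambda ip: ip == h), tokens[2:]
    base = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))  # wildcard: 1 bits are "don't care"
    return (lambda ip: (int(ip) | wild) == (base | wild)), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq N' / 'gt N' port operator (the only ones used here)."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, n = tokens[0], int(tokens[1])
        return ((lambda p: p == n) if op == "eq" else (lambda p: p > n)), tokens[2:]
    return (lambda p: True), tokens

def parse_acl(text):
    """Return {acl_number: [(action, src, sport, dst, dport, established), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        assert t[0] == "access-list" and t[3] == "tcp", "only tcp extended ACLs handled"
        num, action, rest = int(t[1]), t[2], t[4:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        acls.setdefault(num, []).append((action, src, sport, dst, dport, rest == ["established"]))
    return acls

def evaluate(acls, num, src_ip, sport, dst_ip, dport, ack=False):
    """First matching entry wins; every ACL ends in an implicit deny.
    An entry marked 'established' only matches segments with ACK (or RST) set."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, fs, fsp, fd, fdp, est in acls.get(num, []):
        if fs(s) and fsp(sport) and fd(d) and fdp(dport) and (ack or not est):
            return action
    return "deny"
```

ACL 101 is evaluated for traffic leaving the external interface, ACL 102 for traffic entering it; a SYN arriving from outside with source port 23 is dropped by 102 because no "established" entry matches it.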
ASKER CERTIFIED SOLUTION: svindler
Raymond (asker):

Thanx a lot !!!