Raymond
asked on
ACL problem in Cisco 25xx routers.
I want to apply some restrictions to the network by using Extended ACL.
The restrictions are:
1. No restriction in Internal network.
2. Internal to External network: Telnet only.
3. External to Internal network: Can only make Telnet connection to one Router.
The Internal network is connected to External network by ONE serial connection.
All routers are Cisco 25xx series.
What access-lists should be applied to the network?
Where should the access-lists be applied?
regards,
Raymond
I'll reuse geoffryn's addresses, assuming class for both, though for the rest of geoffryn's suggestion I can only say: "geoffryn, don't smoke anything you can't buy in a supermarket" ;-) How about return traffic and what about those directions???
Based on the 1st restriction, I won't apply the ACLs on the internal interface, as this would restrict access to the router itself, but inbound and outbound on the external interface.
access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23
access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established
access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established
access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23
Router(config-if)# ip access-group 101 out   ! on the external (serial) interface
Router(config-if)# ip access-group 102 in    ! on the external (serial) interface
Of course, if the external network is only supposed to be 192.168.1.0, then "any" can be replaced by "192.168.1.0 0.0.0.255".
You're right, that's just bad.
Never get in a hurry on too little caffeine.
ASKER
Thanx, svindler !
But I still have two questions regarding your suggested ACLs.
1. What is the difference between
"access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23"
and
"access-list 101 permit tcp 10.10.10.0 0.0.0.255 any eq 23" ?
2. What does the keyword "established" mean ?
Thanx very much.
regards,
Raymond
The first specifies that the source port must be higher than 1023. Originating a connection on a well-known/service port is potentially exploitable.
The second specifies that the traffic will only be allowed if it is in response to a connection originating from the inside, i.e. "established".
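To make the two answers above concrete, here is a small model of how IOS evaluates an extended ACL (first matching line wins, implicit deny at the end) run over svindler's lists 101 and 102 with a few constructed packets. It is an added example written for this thread, not IOS code and not part of any poster's answer; the host addresses 192.168.1.9 and 10.10.10.5, the port 40000 and the `ack` flag are assumptions made to exercise the rules. The scenarios show what the `gt 1023` and `established` qualifiers each block, and also the limit of `established`: it only looks at the TCP ACK/RST bits, so it is not stateful inspection.

```python
"""Toy model of IOS extended-ACL evaluation: first matching line wins and every
ACL ends in an implicit deny. Constructed example, not IOS code from the thread."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                 # 'permit' or 'deny'
    src: ipaddress.IPv4Network
    sport: tuple                # ('eq'|'gt'|'lt', port) or None for any source port
    dst: ipaddress.IPv4Network
    dport: tuple
    established: bool           # match only if the ACK (or RST) bit is set

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False           # False models a bare SYN, i.e. a new connection

def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is a host mask, which ipaddress accepts as 'addr/hostmask'
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _parse_port(t, i):
    """Consume an optional 'eq N' / 'gt N' / 'lt N' operator starting at t[i]."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], int(t[i + 1])), i + 2
    return None, i

def parse_rule(line: str) -> Rule:
    """Parse 'access-list N permit|deny tcp SRC [op PORT] DST [op PORT] [established]'."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError(f"unsupported ACL line: {line}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    established = i < len(t) and t[i] == "established"
    return Rule(t[2], src, sport, dst, dport, established)

def _port_ok(spec, port):
    if spec is None:
        return True
    op, val = spec
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]

def evaluate(rules, pkt: Packet) -> str:
    """Return the action of the first matching line, or 'deny' (the implicit deny)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (src in r.src and dst in r.dst
                and _port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)
                and (pkt.ack or not r.established)):
            return r.action
    return "deny"

# svindler's two lists exactly as posted; 101 is applied 'out', 102 'in', on the external interface
ACL_101_OUT = [parse_rule(l) for l in (
    "access-list 101 permit tcp 10.10.10.0 0.0.0.255 gt 1023 any eq 23",
    "access-list 101 permit tcp host 10.10.10.31 eq 23 any gt 1023 established",
)]
ACL_102_IN = [parse_rule(l) for l in (
    "access-list 102 permit tcp any eq 23 10.10.10.0 0.0.0.255 gt 1023 established",
    "access-list 102 permit tcp any gt 1023 host 10.10.10.31 eq 23",
)]

def scenarios() -> dict:
    """Constructed packets seen on the external serial interface (addresses are made up)."""
    ext, inside, router = "192.168.1.9", "10.10.10.5", "10.10.10.31"
    return {
        "inside_telnet_out":      evaluate(ACL_101_OUT, Packet(inside, 40000, ext, 23)),            # 101 line 1
        "reply_to_inside":        evaluate(ACL_102_IN,  Packet(ext, 23, inside, 40000, ack=True)),  # 102 line 1
        "outside_telnet_router":  evaluate(ACL_102_IN,  Packet(ext, 40000, router, 23)),            # 102 line 2
        "router_reply_out":       evaluate(ACL_101_OUT, Packet(router, 23, ext, 40000, ack=True)),  # 101 line 2
        "outside_telnet_host":    evaluate(ACL_102_IN,  Packet(ext, 40000, inside, 23)),            # implicit deny
        "syn_from_port23_in":     evaluate(ACL_102_IN,  Packet(ext, 23, inside, 40000)),            # 'established' blocks a bare SYN
        "inside_low_sport_out":   evaluate(ACL_101_OUT, Packet(inside, 80, ext, 23)),               # 'gt 1023' blocks a well-known source port
        # caveat: 'established' checks TCP flags only, so an ACK with no prior session still passes
        "ack_without_session_in": evaluate(ACL_102_IN,  Packet(ext, 23, inside, 40000, ack=True)),
    }
```

The last scenario is the practical caveat: `established` is a flag check, not connection tracking, so a router ACL with it is weaker than a stateful firewall and is best paired with anti-spoofing rules on the external interface. The model only supports contiguous wildcard masks (all that this thread uses) and the three port operators that appear in the posted lines.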
ASKER
Thanx a lot !!!
192.168.1.0 external
10.10.10.31 router
access-list 101 permit tcp 10.10.10.0 0.0.0.255 eq 23 any gt 1023
access-list 101 permit tcp host 10.10.10.31 gt 1023 any eq 23
access-list 102 permit tcp 192.168.61.0 0.0.0.255 eq 23 host 10.10.10.31 gt 1023
Router(config-if)# ip access-group 101 out   ! on the internal interface
Router(config-if)# ip access-group 102 in    ! on the external interface