duficy
asked on
need ACL for my 3640 to permit HTTP, email, and DNS
Assume webserver ip of 63.63.63.63, SSL server 63.63.63.64, smtp 63.63.63.65, pop/imap server 63.63.63.66, dns server 63.63.63.67, dns slave 66.66.66.66 and local users on network 63.63.63.0/24
I'm trying to configure my ACL to allow outside users access to (and protect) my servers and at the same time give my local users access to http, https, ftp and email. I plan to put the following on the Serial interface.
local net of 63.63.63.0/24
>>> incoming traffic <<<
access-list 101 remark PROTECT FTP
access-list 101 permit tcp any gt 1023 host 63.63.63.63 eq 21
access-list 101 permit tcp any gt 1023 host 63.63.63.63 eq 20 established
access-list 101 permit tcp any gt 1023 host 63.63.63.63 gt 1023
access-list 101 permit tcp any eq 21 host 63.63.63.63 gt 1023 established
access-list 101 permit tcp any eq 20 host 63.63.63.63 gt 1023
access-list 101 permit tcp any gt 1023 host 63.63.63.63 gt 1023 established
access-list 101 remark PROTECT HTTP
access-list 101 permit tcp any gt 1023 host 63.63.63.63 eq 80
access-list 101 permit tcp any eq 80 63.63.63.0 0.0.0.255 gt 1023 established
access-list 101 permit tcp any gt 1023 host 63.63.63.64 eq 443
access-list 101 permit tcp any eq 443 63.63.63.0 0.0.0.255 gt 1023 established
access-list 101 remark PROTECT EMAIL
access-list 101 permit tcp any gt 1023 host 63.63.63.65 eq 25
access-list 101 permit tcp any gt 1023 63.63.63.0 0.0.0.255 eq 25
access-list 101 permit tcp any gt 1023 host 63.63.63.66 eq 110
access-list 101 permit tcp any gt 1023 host 63.63.63.66 eq 143
access-list 101 remark PROTECT DNS
access-list 101 permit tcp host 63.63.63.66 gt 1023 any eq 53
access-list 101 permit udp host 63.63.63.66 gt 1023 any eq 53
access-list 101 permit tcp host 63.63.63.66 gt 1023 host 66.66.66.66 eq 53
access-list 101 deny ip any any
>>> outgoing traffic <<<
access-list 102 remark PROTECT FTP
access-list 102 permit tcp 63.63.63.0 0.0.0.255 eq 21 any gt 1023 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 eq 20 any gt 1023
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any gt 1023 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any eq 21
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any eq 20 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any gt 1023
access-list 102 remark PROTECT HTTP
access-list 102 permit tcp 63.63.63.0 0.0.0.255 eq 80 any gt 1023 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any eq 80
access-list 102 permit tcp 63.63.63.0 0.0.0.255 eq 443 any gt 1023 established
access-list 102 permit tcp 63.63.63.0 0.0.0.255 gt 1023 any eq 443
access-list 102 remark PROTECT EMAIL
access-list 102 permit tcp any gt 1023 any eq 25
access-list 102 permit tcp any gt 1023 host 63.63.63.65 eq 110
access-list 102 permit tcp any gt 1023 host 63.63.63.65 eq 143
access-list 102 permit tcp 63.63.63.0 0.0.0.255 any eq 110
access-list 102 permit tcp 63.63.63.0 0.0.0.255 any eq 143
access-list 102 remark PROTECT DNS
access-list 102 permit tcp host 63.63.63.67 gt 1023 any eq 53
access-list 102 permit udp host 63.63.63.67 gt 1023 any eq 53
access-list 102 permit tcp host 63.63.63.67 host 66.66.66.66 eq 53
access-list 102 deny ip any any
ASKER
My question is will the list allow customers on the outside to access the listed services but block other services and allow my users on my network to access these services on the Internet.
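An added check, not from the original post or from any of the answers: a small Python model of how an IOS extended ACL is matched, run over a constructed subset of the inbound list above (typos corrected, outside addresses are placeholders). It shows first-match with the implicit deny at the end, what `established` does to return traffic for local users, and that a bare port number with no `eq` (as in the posted HTTP lines) is rejected rather than silently matched.

```python
import ipaddress

def _match_addr(spec, addr):
    # spec is ('any',) | ('host', ip) | ('wild', network_ip, wildcard_mask)
    if spec[0] != "wild":
        return spec[0] == "any" or addr == spec[1]
    keep = ~int(spec[2]) & 0xFFFFFFFF  # wildcard bit 1 means "don't care"
    return int(addr) & keep == int(spec[1]) & keep

def _match_port(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [op PORT] DST [op PORT] [established]'."""
    t, pos = line.split(), 4
    def addr():
        nonlocal pos
        kind = t[pos]
        if kind == "any":
            pos += 1; return ("any",)
        pos += 2  # consumes 'host X' or 'NET WILDCARD'
        return ("host", ipaddress.ip_address(t[pos - 1])) if kind == "host" else \
            ("wild", ipaddress.ip_address(kind), ipaddress.ip_address(t[pos - 1]))
    def port():
        nonlocal pos
        if pos < len(t) and t[pos] in ("eq", "gt"):
            pos += 2; return (t[pos - 2], int(t[pos - 1]))
        return None
    ace = {"action": t[2], "proto": t[3], "src": addr(), "sport": port(), "dst": addr(), "dport": port()}
    rest = t[pos:]
    if rest not in ([], ["established"]):  # e.g. a bare "80" with no "eq" is not valid IOS
        raise ValueError("unexpected tokens %s in: %s" % (rest, line))
    return dict(ace, est=bool(rest))

def evaluate(acl, proto, src, sport, dst, dport, ack=False):
    """First matching ACE wins; anything unmatched hits the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl):
        if ace["proto"] not in (proto, "ip") or (ace["est"] and not ack):
            continue  # 'established' only matches TCP segments with ACK or RST set
        if (_match_addr(ace["src"], src) and _match_port(ace["sport"], sport)
                and _match_addr(ace["dst"], dst) and _match_port(ace["dport"], dport)):
            return ace["action"]
    return "deny"

INBOUND = [  # constructed subset of the posted list 101, typos corrected
    "access-list 101 permit tcp any gt 1023 host 63.63.63.63 eq 80",
    "access-list 101 permit tcp any eq 80 63.63.63.0 0.0.0.255 gt 1023 established",
    "access-list 101 permit udp any gt 1023 host 63.63.63.67 eq 53",
]
```

The `ack` flag stands in for the ACK/RST bits that `established` checks; the model ignores fragments and the other TCP flags.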
>>Also as an FYI, the "deny any any" is redundant
Thanks, I thought I read somewhere that it was a good idea to add this albeit redundant statement.
Thanks,
duficy:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
Also as an FYI, the "deny any any" is redundant since this is implied at the bottom of any ACL.