Access lists

Posted on 2004-11-25
Last Modified: 2010-04-17
Hi all
Can anyone confirm that the below access lists are correct and tell me how to add them to a Cisco router?
I would like a step by step.
thanks davy


access-list 110 permit tcp any any eq www            (Port 80)
access-list 110 permit tcp any any eq pop3           (Port 110)
access-list 110 permit tcp any any eq smtp           (Port 25)
access-list 110 permit tcp any any eq ftp            (Port 21)
access-list 110 permit tcp any any eq ftp-data       (Port 20)
access-list 110 permit tcp any any eq domain         (Port 53)
access-list 110 permit udp any any eq domain         (Port 53)
access-list 110 permit tcp any any gt 1023           (Port 1023 and above)
access-list 110 permit icmp any any                  (Works as ping)
Question by:davy999
 
LVL 36

Expert Comment

by:grblades
ID: 12673754
Hi davy999,
They look correct, but it depends what you are trying to do.
Permitting traffic to port 20 is fairly pointless as it is only used as a source port for outbound active mode ftp connections.
It is also important that you have an 'access-list 110 permit tcp any any established' to permit back in replies.
 
LVL 36

Expert Comment

by:grblades
ID: 12673763
> access-list 110 permit tcp any any gt 1023
Why do you wish to do this? You are opening a great big security hole.

To apply the access list you would enter something like:-

interface FastEthernet0
 ip access-group 110 in
 
LVL 6

Author Comment

by:davy999
ID: 12673855
hi grblades

tcp any any 1023 does not really matter; the rest of the access list I would like. Can you tell me how to write them in?

thanks davy
LVL 36

Expert Comment

by:grblades
ID: 12673888
Basically you connect to the router via either a direct connection to the serial port, or via the network using ssh or telnet.
Then after you log in type 'enable' to go into privileged mode. Then type 'conf t' and enter the configuration. When finished type 'end' to exit from config mode and type 'copy run start' to save the new configuration.

The exact commands you enter for the configuration will vary depending on your existing configuration and the model of the router, as the names of the interfaces vary. If you log in and show your configuration using 'show run' and paste it here I will give you the exact commands you need to enter.
 
LVL 6

Author Comment

by:davy999
ID: 12673931
Current configuration : 750 bytes
!
! Last configuration change at 08:31:04 UTC Fri Mar 26 2004
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Sjaelland
!
enable secret 5 $1$J9sP$Se6IMqw/z47GN11CmxFjf1
!
ip subnet-zero
!
no ip domain lookup
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 speed auto
 no keepalive
!
interface Serial0
 ip address 198.0.10.1 255.255.255.0
 no keepalive
 clockrate 56000
!
interface Serial1
 ip address 200.0.10.2 255.255.255.0
 no keepalive
 clockrate 56000
!
router rip
 network 192.168.1.0
 network 198.0.10.0
 network 200.0.10.0
!
no ip classless
no ip http server
!
line con 0
line aux 0
line vty 0 4
 password class
 login
end
 
LVL 36

Expert Comment

by:grblades
ID: 12674062
What are you doing with this router?
You have a couple of serial interfaces configured and I assume you have remote sites at the other end and are using the RIP routing protocol.
Do you wish this access-list to control what the remote sites can access on your network and/or what your network is permitted to access on the remote site?

I'll assume you want to control what the remote sites are permitted to access.

<Login to the router>
enable
conf t
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit icmp any any
interface FastEthernet0
 ip access-group 110 out
end
copy run start
exit
 
LVL 6

Author Comment

by:davy999
ID: 12674115
This is a test domain with 4 routers: router 1 is our main domain, router 2 is LAN A, router 3 is LAN B and router 4 is LAN C.
It is LAN A I want to secure with access lists.

Can you please explain these two below? Thank you.
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
 
LVL 36

Expert Comment

by:grblades
ID: 12674184
'domain' is basically DNS. Therefore the first one is tcp DNS queries, which are normally things like zone transfers etc... For normal lookups you don't need this, but if you are running Active Directory between sites you will need it. You are not permitting any other Windows file sharing between sites, however.
The second one is normal DNS queries.
 
LVL 6

Author Comment

by:davy999
ID: 12674248
Thank you for your expertise and quick response.

Just one thought regarding deny any any: like telnet etc., are these all blocked by default or do I have to deny any any?

Thanks davy
 
LVL 36

Accepted Solution

by:
grblades earned 2000 total points
ID: 12674816
If you apply an access-list to an interface then by default anything not listed is denied. Adding a 'deny any any' to the list does have the benefit that you can do a 'show access-list' and see the number of packets matching each entry of the access list.
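The points grblades makes in this thread (the 'established' entry that lets replies back in, the hole a 'gt 1023' entry opens, the implicit deny at the end of every list, and the per-entry counters an explicit deny entry gives you in 'show access-list') can be checked with a small simulator of IOS extended-ACL matching. This is an added example, not code from the thread or from Cisco; it assumes a simplified packet representation (protocol, destination port, ACK/RST flags), a hand-built subset of the IOS port-name table, and the IOS rule that 'established' matches TCP segments with the ACK or RST bit set.

```python
import re
# Port names used in the thread, resolved to numbers (a subset of IOS's name table)
PORT_NAMES = {"www": 80, "pop3": 110, "smtp": 25, "ftp": 21, "ftp-data": 20, "domain": 53}

# Constructed copy of the accepted solution's list 110 (no explicit deny entry)
ACL_110 = """\
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit icmp any any
"""

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO any any [eq NAME|gt N|established]' lines."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list \d+ (permit|deny) (\w+) any any(?: (.*))?$", line)
        if not m:
            raise ValueError("unsupported line: " + line)
        rules.append((m.group(1), m.group(2), (m.group(3) or "").split(), line))
    return rules

def rule_matches(rule, pkt):
    """pkt: {'proto': 'tcp'|'udp'|'icmp', 'dport': int, 'ack': bool, 'rst': bool}."""
    _, proto, cond, _ = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not cond:                  # e.g. 'permit icmp any any'
        return True
    if cond[0] == "established":  # IOS: TCP segment with the ACK or RST bit set
        return pkt["proto"] == "tcp" and bool(pkt.get("ack") or pkt.get("rst"))
    port = int(cond[1]) if cond[1].isdigit() else PORT_NAMES[cond[1]]
    if cond[0] == "eq":
        return pkt["dport"] == port
    if cond[0] == "gt":
        return pkt["dport"] > port
    raise ValueError("unsupported condition: " + " ".join(cond))

def evaluate(rules, pkt, hits):
    """First match wins and counts a hit; no match is the implicit deny, which IOS never counts."""
    for rule in rules:
        if rule_matches(rule, pkt):
            hits[rule[3]] = hits.get(rule[3], 0) + 1
            return rule[0], rule[3]
    return "deny", None
```

Run it with an inbound SYN to telnet and you get the implicit deny with no counter movement; append 'access-list 110 deny ip any any' and the same packet shows up in the counters, which is exactly the benefit the accepted answer describes.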