Access lists

Hi all,
Can anyone confirm that the access lists below are correct and tell me how to add them to a Cisco router?
I would like a step by step.
Thanks, davy


access-list 110 permit tcp any any eq www          (Port 80)
access-list 110 permit tcp any any eq pop3         (Port 110)
access-list 110 permit tcp any any eq smtp         (Port 25)
access-list 110 permit tcp any any eq ftp          (Port 21)
access-list 110 permit tcp any any eq ftp-data     (Port 20)
access-list 110 permit tcp any any eq domain       (Port 53)
access-list 110 permit udp any any eq domain       (Port 53)
access-list 110 permit tcp any any gt 1023         (Port 1023 and above)
access-list 110 permit icmp any any                (Works like ping)
davy999Asked:
grbladesCommented:
Hi davy999,
They look correct, but it depends on what you are trying to do.
Permitting traffic to port 20 is fairly pointless as it is only used as a source port for outbound active mode ftp connections.
It is also important that you have an 'access-list 110 permit tcp any any established' to permit back in replies.
grbladesCommented:
> access-list 110 permit tcp any any gt 1023
Why do you wish to do this? You are opening a great big security hole.

To apply the access list you would enter something like:-

interface FastEthernet0                  
 ip access-group 110 in
davy999Author Commented:
Hi grblades,

The 'tcp any any gt 1023' line does not really matter; it is the rest of the access list I would like. Can you tell me how to write them in?

Thanks, davy
grbladesCommented:
Basically you connect to the router via either a direct connection to the serial port, or via the network using ssh or telnet.
Then after you log in, type 'enable' to go into privileged mode. Then type 'conf t' and enter the configuration. When finished, type 'end' to exit from config mode and type 'copy run start' to save the new configuration.

The exact commands you enter for the configuration will vary depending on your existing configuration and the model of the router as the names of the interfaces vary. If you log in and show your configuration using 'show run' and paste it here I will give you the exact commands you need to enter.
davy999Author Commented:
Current configuration : 750 bytes
!
! Last configuration change at 08:31:04 UTC Fri Mar 26 2004
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Sjaelland
!
enable secret 5 $1$J9sP$Se6IMqw/z47GN11CmxFjf1
!
ip subnet-zero
!
no ip domain lookup
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 speed auto
 no keepalive
!
interface Serial0
 ip address 198.0.10.1 255.255.255.0
 no keepalive
 clockrate 56000
!
interface Serial1
 ip address 200.0.10.2 255.255.255.0
 no keepalive
 clockrate 56000
!
router rip
 network 192.168.1.0
 network 198.0.10.0
 network 200.0.10.0
!
no ip classless
no ip http server
!
line con 0
line aux 0
line vty 0 4
 password class
 login
end

grbladesCommented:
What are you doing with this router?
You have a couple of serial interfaces configured and I assume you have remote sites at the other end and are using the RIP routing protocol.
Do you wish this access-list to control what the remote sites can access on your network and/or what your network is permitted to access on the remote site?

I'll assume you want to control what the remote sites are permitted to access.

<Login to the router>
enable
conf t
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit icmp any any
interface FastEthernet0
 ip access-group 110 out
end
copy run start
exit

davy999Author Commented:
This is a test domain with 4 routers: router 1 is our main domain, router 2 is LAN A, router 3 is LAN B and router 4 is LAN C.
It is LAN A I want to secure with access lists.

Can you please explain these two below? Thank you.
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
grbladesCommented:
'domain' is basically DNS. Therefore the first one is TCP DNS queries, which are normally things like zone transfers etc. For normal lookups you don't need this, but if you are running Active Directory between sites you will need it. You are not permitting any other Windows file sharing between sites, however.
The second one is normal DNS queries.
davy999Author Commented:
Thank you for your expertise and quick response.

Just one thought regarding 'deny any any'. Things like telnet etc., are these all blocked by default or do I have to 'deny any any'?

Thanks, davy
grbladesCommented:
If you apply an access-list to an interface then by default anything not listed is denied. Adding a 'deny any any' to the list does have the benefit that you can do a 'show access-list' and see the number of packets matching each entry of the access list.
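The three points grblades makes in this thread (the 'established' line permits replies, 'gt 1023' opens a big hole, and anything not listed is denied by the implicit deny at the end of an applied list) can be checked on constructed packets with the toy evaluator below. This is an added example, not code from the thread or from Cisco. It parses only the syntax used in the thread ('any' source and destination, 'eq', 'gt', 'established', bare icmp/ip entries) and models 'established' the way IOS does, as a check for the ACK or RST flag rather than as connection tracking; the probe packets and the ports 3389 and 40000 are made up for illustration.

```python
from dataclasses import dataclass

# Added example, not code from the thread or from Cisco: a toy evaluator for
# the extended-ACL semantics discussed above (first match wins, implicit deny,
# 'established', 'gt'). Only the syntax used in the thread is parsed.
PORT_NAMES = {"www": 80, "pop3": 110, "smtp": 25, "ftp": 21,
              "ftp-data": 20, "domain": 53, "telnet": 23}

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0                  # destination port (unused for icmp)
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"SYN"} or {"ACK"}

@dataclass
class Entry:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp", "icmp" or "ip"
    op: str = ""   # "", "eq", "gt" or "established"
    port: int = 0
    hits: int = 0  # per-entry counter, as 'show access-list' reports it

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.op == "eq":
            return pkt.dport == self.port
        if self.op == "gt":
            return pkt.dport > self.port
        if self.op == "established":
            # Modelled as IOS does it: a flag check (ACK or RST present),
            # not connection tracking, so a crafted ACK-only segment matches.
            return bool(pkt.flags & {"ACK", "RST"})
        return True

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO any any [eq P|gt P|established]'."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[6:]
        op, port = "", 0
        if rest:
            op = rest[0]
            if op in ("eq", "gt"):
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, op, port))
    return entries

def evaluate(acl, pkt):
    """First matching entry decides; no match falls to the implicit deny (-1)."""
    for i, entry in enumerate(acl):
        if entry.matches(pkt):
            entry.hits += 1
            return entry.action, i
    return "deny", -1

# The list from grblades' answer, with 'established' first (copied here).
THREAD_ACL = """
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit icmp any any
"""

def decisions(acl_text=THREAD_ACL, extra=""):
    """Verdicts for constructed probe packets (ports 3389/40000 are made up)."""
    acl = parse_acl(acl_text + extra)
    probes = {
        "new http":        Packet("tcp", 80, frozenset({"SYN"})),
        "new telnet":      Packet("tcp", 23, frozenset({"SYN"})),
        "dns udp":         Packet("udp", 53),
        "ping":            Packet("icmp"),
        "reply to lan":    Packet("tcp", 40000, frozenset({"ACK"})),
        "new rdp":         Packet("tcp", 3389, frozenset({"SYN"})),
        "ack-only to rdp": Packet("tcp", 3389, frozenset({"ACK"})),
    }
    return {name: evaluate(acl, pkt)[0] for name, pkt in probes.items()}

def counted_denies(acl_text):
    """Denied-packet hits visible in the counters after one telnet SYN."""
    acl = parse_acl(acl_text)
    evaluate(acl, Packet("tcp", 23, frozenset({"SYN"})))
    return sum(e.hits for e in acl if e.action == "deny")
```

decisions() shows the telnet and port-3389 SYNs falling through to the implicit deny while the ACK-flagged reply on port 40000 is let back in by 'established'; calling it with extra="access-list 110 permit tcp any any gt 1023\n" shows why grblades objected to that line, since the same SYN to 3389 is then permitted. The 'ack-only to rdp' probe is the caveat a practitioner should keep in mind: 'established' inspects flags, not state, so any host that sends ACK-flagged segments gets through it, which is what reflexive ACLs and CBAC on IOS exist to fix. counted_denies() illustrates the last answer: without an explicit 'deny ip any any', packets dropped by the implicit deny never appear in any counter, whereas with it they do.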