Limit the Cisco's outbound traffic to one IP & port number.

I have added a Cisco 1120B Wireless Access Point on my existing network.

I want to limit the Cisco's outbound traffic to one IP & port number, as I only need to allow/pass 5250 terminal emulation services.

How do I configure this to best accomplish my goal?
1 Solution
PennGwyn commented:
The 1100-series access points run IOS, and so standard access list commands apply.  You may have to go to the command-line interface to set them easily.


kbbcnet (Author) commented:
PennGwyn, thanks for your response.

*Do you have a configuration example to limit all out-bound traffic out of the Cisco 1100 ethernet port?

The Cisco connects to a network switch via a wired ethernet cable.
Allow only terminal emulation traffic out via the wired port to the AS400 & ok to allow any traffic in-bound to the Cisco thru the wired ethernet port.

Network B: 10.10.10.0/24;
Default Gateway: IP:10.10.10.1
Switch IP:10.10.10.11
*Cisco IP:10.10.10.253/24

Network A: 10.20.0.0/16;
*AS400 IP:10.20.1.245:23 [10.20.1.245 Port 23 terminal emulation]

Site-to-site VPN Firewall connects Network A & B;

kbbcnet (Author) commented:
The Cisco 1120B is already deployed & working;
Now, I would like to apply my access list. How do the following look?
Apply lists to which interfaces & in or out? [I am not clear on "in" versus "in & out"?]
??? What do the three statements at the end of the config mean???
--------------------
access-list 100 permit tcp any any established?
access-list 100 permit tcp 10.10.10.170 255.255.255.255 10.10.1.245 0.0.0.0 eq 23
   or/access-list 100 permit tcp Any 10.10.1.245 0.0.0.0 eq 23?
   or/access-list 100 permit tcp host eq telnet?

access-list 100 deny ip Any 10.10.1.245 0.0.0.0
access-list 100 deny ip any any

---------------------
interface Dot11Radio0
 no ip address
 no ip route-cache
 
 ip access-group 100 in

interface FastEthernet0
 no ip address
 no ip route-cache

  ip access-group xxx out ?
-------------------------------
interface BVI1
 ip address 172.21.6.9 255.255.255.0
 no ip route-cache
!
 ip default-gateway 172.21.6.1
 ip http server
 no ip http secure-server
 ip radius source-interface BVI1???
 access-list 111 permit tcp any any neq telnet???
 bridge 1 route ip???
 End

kbbcnet (Author) commented:
Depending on where the access-lists are applied, I may need to allow DNS & ICMP traffic, correct???
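To check a draft ACL like the one above before it goes on an interface, here is a small Python evaluator of Cisco IOS extended ACL entries. It is an added example, not code from this thread or from Cisco, and it assumes the AS400 address 10.20.1.245 and a client 10.10.10.170 from the thread; it handles only the entry forms used in the draft (no source-port qualifiers). The point it demonstrates: IOS takes a wildcard mask, not a subnet mask, so `255.255.255.255` means "any address" and `0.0.0.0` (or `host`) means "exactly this address".

```python
import ipaddress

def _wild(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(tok):
    """Consume one address spec from the token list: 'any' | 'host A' | 'A WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return t, tok.pop(0)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]'."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "dport": None, "established": False}
    rest = tok[4:]
    ace["src"], ace["dst"] = _addr(rest), _addr(rest)
    while rest:
        t = rest.pop(0)
        if t == "eq":                      # destination port only in this toy
            p = rest.pop(0)
            ace["dport"] = {"telnet": 23, "domain": 53}.get(p) or int(p)
        elif t == "established":
            ace["established"] = True
    return ace

def evaluate(acl_text, proto, src, dst, dport=0, ack=False):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_wild(src, *ace["src"]) and _wild(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and dport != ace["dport"]:
            continue
        if ace["established"] and not ack:  # 'established' matches ACK or RST set
            continue
        return ace["action"]
    return "deny"

# Constructed ACLs: DRAFT copies the thread's subnet-mask mistake, so its second line
# matches ANY source; FIXED uses 'host' on both ends with the AS400 address from the thread.
DRAFT = """access-list 100 permit tcp any any established
access-list 100 permit tcp 10.10.10.170 255.255.255.255 10.20.1.245 0.0.0.0 eq 23
access-list 100 deny ip any any"""
FIXED = """access-list 100 permit tcp any any established
access-list 100 permit tcp host 10.10.10.170 host 10.20.1.245 eq 23
access-list 100 deny ip any any"""
```

Running `evaluate(DRAFT, "tcp", "10.10.10.99", "10.20.1.245", 23)` returns `permit` for a host that was never meant to reach the AS400, while `FIXED` denies it and still lets the intended client through on port 23 only.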

DNS:
access-list xxx permit udp host 10.10.10.16 eq domain any gt 1023
access-list xxx permit udp host 10.20.1.2 eq domain any gt 1023

[courtesy O'Reilly]
! allow pings into the network
access-list 110 permit icmp any any echo
! allow ping responses
access-list 110 permit icmp any any echo-reply
! allow ICMP source-quench
access-list 110 permit icmp any any source-quench
! allow path MTU discovery
access-list 110 permit icmp any any packet-too-big
! allow time-exceeded, which is useful for traceroute
access-list 110 permit icmp any any time-exceeded
! deny all other ICMP packets
access-list 110 deny icmp any any

kbbcnet (Author) commented:
Although PennGwyn's comment was correct, it was somewhat general --
I was looking for some good configuration examples to save me research time and trial & error.

I did find several good sources, and the following met my request precisely!
*Cisco/Configuring IP Access Lists/Document ID: 23602
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#acl

Moderator please award points - if & as you see fit.  
EE is a great resource & i appreciate you experts much!

PLEASE NOTE:
I intend to have this question CLOSED or DELETED.

PashaMod commented:
Closed, 500 points refunded.
PashaMod
Community Support Moderator