Solved

allow ip range and port in cisco acl

Posted on 2011-05-03
Last Modified: 2012-05-11
Hi all,
running a cisco 2811 with acl configured. I'm trying to allow 4 hosts over one port through the router without any success. Here are the commands I'm using:
permit tcp 10.28.200.10 any eq 35000
permit tcp 10.28.200.11 any eq 35000
permit tcp 10.28.200.12 any eq 35000
permit tcp 10.28.200.13 any eq 35000

No luck with these commands. I know it works after completely removing the ACL list. Am I missing anything?
thanks so much in advance...
Question by:MikeG299
15 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 35543382
Correct syntax:

permit tcp host 10.28.200.10 any eq 35000
permit tcp host 10.28.200.11 any eq 35000
permit tcp host 10.28.200.12 any eq 35000
permit tcp host 10.28.200.13 any eq 35000



BUT....

What are you trying to accomplish? Are you trying to allow these hosts to connect to any destination's port 35000? Sounds strange to me.

Author Comment

by:MikeG299
ID: 35554267
Hi thanks for the response.

To answer your question; no, I only need these hosts to talk to a single host inside my network. i.e. maybe like this: permit tcp host 10.28.200.10 any eq 35000 host 192.168.1.2?

Are we on the same page in regards to what you are trying to get at? Let me know if not. Again, thanks so much for the response...
LVL 26

Expert Comment

by:Soulja
ID: 35556403
Okay. Does port 35000 reside on the inside host? What and where are these 4 hosts?

Author Comment

by:MikeG299
ID: 35558763
35000 resides inside my network. I'm allowing these 4 'outside' hosts access to a host inside my network with port 35000 open and listening.

My goal is to only allow outside hosts access to specific hosts and ports.
LVL 6

Expert Comment

by:Wissam
ID: 35613931
if you can aggregate the addresses you would be able to do this, for example
Host 192.168.0.1 to 192.168.0.15 can be referred to as 192.168.0.0 255.255.255.240; of course, in case one IP in the middle should not be allowed, you can deny it in the beginning and then allow the rest.
hope this helps
LVL 15

Expert Comment

by:greg ward
ID: 35649409
Is the access-list applied incoming or outgoing?
Is port 35000 on the remote pc?
have you tried
permit tcp host 10.28.200.10 any eq 35000
permit tcp host 10.28.200.11 any eq 35000
permit tcp host 10.28.200.12 any eq 35000
permit tcp host 10.28.200.13 any eq 35000
permit/deny ip any any log
then you can look at the log and see what it lets through/blocks

Greg

Author Comment

by:MikeG299
ID: 35688992
Greg, the ACL is for devices from outside (10.

Author Comment

by:MikeG299
ID: 35689054
Greg, the ACL is to allow outside devices (10.28.200.xx etc...) to hit a single host on port 35000 within internal network (192.168.1.2). I have tried the commands you suggested with no success. Any help would be great. Thanks.
LVL 15

Expert Comment

by:greg ward
ID: 35689215
so how is the access list applied?
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group Lan in
...

ip access-list extended Lan
permit tcp host 10.28.200.10 any eq 35000
permit tcp host 10.28.200.11 any eq 35000
permit tcp host 10.28.200.12 any eq 35000
permit tcp host 10.28.200.13 any eq 35000
permit ip any any log


then post the output of show log

Greg

Author Comment

by:MikeG299
ID: 35689272
Greg, this is a 56k frame relay connection. I don't have 'IP access group LAN in' as a command under the Fe0/0 interface. Should I? Thanks so much for your help. I can post my config if you like...
LVL 15

Expert Comment

by:greg ward
ID: 35689432
Please post your config.

Please remove passwords and public ip addresses from config before you paste.


Greg

Author Comment

by:MikeG299
ID: 35689655
Greg, config posted below with ACL taken out. ACL would have looked like this but didn't work:
ip access-list extended security
permit tcp host 10.28.200.10 any eq 35000
permit tcp host 10.28.200.11 any eq 35000
permit tcp host 10.28.200.12 any eq 35000
permit tcp host 10.28.200.13 any eq 35000

thanks...

hostname#show run
Building configuration...

Current configuration : 2996 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable password
!
no aaa new-model
!
!
ip cef
!
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
!
interface Serial0/0/0.777 point-to-point
 ip address x.x.x.x x.x.x.x
 ip access-group security in
 snmp trap link-status
 frame-relay interface-dlci 777
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip http server
!
!
!
!
control-plane
!
^C
!
line con 0
 password
 login
line aux 0
line vty 0 4
 password
 login
!
scheduler allocate 20000 1000
!
end
LVL 15

Accepted Solution

by:greg ward (earned 1000 total points)
ID: 35689873
ip access-list extended security
permit tcp host 10.28.200.10 host 192.168.1.2 eq 35000
permit tcp host 10.28.200.11 host 192.168.1.2 eq 35000
permit tcp host 10.28.200.12 host 192.168.1.2 eq 35000
permit tcp host 10.28.200.13 host 192.168.1.2 eq 35000
permit ip any any log < would allow all traffic for debugging

once you have this configured you need to see if it works.
I am a bit worried this is your internet connection and you are blocking most traffic (web/dns...).

Greg
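To see why the accepted solution works and the original entries did not, here is an added example (not from the thread or from Cisco) that models how IOS evaluates an extended ACL: top-down, first match wins, with an implicit deny at the end. The ACL text is constructed for this example: the four host entries from Greg's accepted solution, plus a deny-then-aggregate pair in the style of Wissam's comment, written with the wildcard mask that IOS ACLs actually take (0.0.0.15 is the wildcard form of the 255.255.255.240 mask he quoted). Only contiguous wildcard masks are handled.

```python
import ipaddress

# Constructed ACL (added example, not configuration posted in the thread).
ACL_TEXT = """\
permit tcp host 10.28.200.10 host 192.168.1.2 eq 35000
permit tcp host 10.28.200.11 host 192.168.1.2 eq 35000
permit tcp host 10.28.200.12 host 192.168.1.2 eq 35000
permit tcp host 10.28.200.13 host 192.168.1.2 eq 35000
deny   tcp host 192.168.0.5 host 192.168.1.2 eq 35000
permit tcp 192.168.0.0 0.0.0.15 host 192.168.1.2 eq 35000
"""
# Greg's debugging variant: the same entries with a catch-all permit appended.
DEBUG_ACL_TEXT = ACL_TEXT + "permit ip any any log\n"


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))  # 1 bits are don't-care
    if wildcard & (wildcard + 1):
        raise ValueError("only contiguous wildcard masks are handled here")
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_acl(text):
    """Return [(action, protocol, src_net, dst_net, dst_port_or_None), ...]."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((tokens[0], tokens[1], src, dst, port))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in entries:
        if p in ("ip", proto) and s in src and d in dst and port in (None, dst_port):
            return action
    return "deny"
```

Evaluating the same packets against DEBUG_ACL_TEXT shows what Greg warned about: the trailing permit lets every flow not caught earlier through, so it is for debugging only.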

Author Comment

by:MikeG299
ID: 35689936
Hi Greg,
Thanks. This is not an internet connection but rather on a private network. web/dns are not needed. I will try in two hours and report back. Thanks.

Author Closing Comment

by:MikeG299
ID: 35789236
Greg, thanks so much for your help. Worked like a charm.