access list
asked by memo12345678
Dear all, I have a server (10.10.10.1). I just want this server to have access to SMTP, and I want the IP 192.168.1.1 to be able to access this server by telnet.
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp host 198.6.1.3 eq domain
access-list 101 permit tcp host 192.168.1.1 eq tel host 10.10.10.1
inter f 0/0
ip access-group 101 in
Is that correct? If not, please correct it for me.
What is the IP address of your f0/0? The access-list in/out direction, as well as the source/destination in the access-list, depends on the interface's IP address.
ASKER
inter f0/0 (inside)
10.10.10.2
inter f0/1 outside
192.168.1.2
Please show me the correct configuration by example.
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp any host 198.6.1.3 eq domain
inter f 0/0
ip access-group 101 in
The line "access-list 101 permit tcp host 192.168.1.1 eq tel host 10.10.10.1" would need to be added to the outside interface, so something like:
access-list 102 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
access-list 102 deny tcp any host 10.10.10.1 eq telnet
access-list 102 permit ip any any
interface fa0/1
ip access-group 102 in
Please note that this is in no way a complete and secure access list, just safeguarding the telnet port for that server.
But it should be sufficient to get an idea of what is necessary.
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp any host 198.6.1.3 eq domain
Any access-list has an implicit deny all statement at the end, so in access-list 101 everything will be blocked except SMTP and DNS.
access-list 100 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 permit ip any any
Access-list 100 needs to be applied to the outside interface; only 192.168.1.1 would be able to telnet to 10.10.10.1.
Well, forgot about the return telnet traffic:
access-list 101 permit tcp host 10.10.10.1 eq 23 host 192.168.1.1
good catch ... (packet inspection w/o stateful inspection sucks)
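The whole exchange above turns on three things a stateless ACL does: first-match evaluation, the implicit deny at the end, and the fact that the router does not know a telnet reply belongs to a permitted session unless a line says so. The following evaluator is an added example (not code from the thread or from Cisco) that parses the thread's own `access-list` lines, evaluates constructed packets against them, and shows why the reply line posted above is needed. The `established` handling mirrors what IOS does (match only TCP segments with ACK or RST set); the packet fields, the `ack` flag and all sample addresses and ports other than those in the thread are assumptions for the demonstration.

```python
"""Minimal evaluator for Cisco-style numbered extended ACLs (added example).

Supports the ACE syntax used in this thread: `access-list N permit|deny
ip|tcp|udp <src> [eq PORT] <dst> [eq PORT] [established]`, where an address
spec is `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD` (contiguous masks only).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "domain": 53, "telnet": 23, "www": 80}


@dataclass(frozen=True)
class Packet:  # constructed test packet, not a real capture
    proto: str          # 'tcp' or 'udp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) set; this is what 'established' keys on


@dataclass
class Ace:
    action: str
    proto: str
    src: IPv4Network
    sport: Optional[int]
    dst: IPv4Network
    dport: Optional[int]
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if IPv4Address(p.src) not in self.src or IPv4Address(p.dst) not in self.dst:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def _port(tok: str) -> int:
    # IOS accepts unique keyword prefixes, so 'tel' resolves to telnet
    hits = [v for k, v in PORT_NAMES.items() if k.startswith(tok)]
    return hits[0] if len(hits) == 1 else int(tok)


def _addr(tok: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume one address spec at tok[i]; return (network, index of next token)."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    wildcard = int(IPv4Address(tok[i + 1]))          # IOS inverted mask
    netmask = str(IPv4Address(0xFFFFFFFF ^ wildcard))
    return IPv4Network((tok[i], netmask), strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    tok = line.split()
    if tok[:1] != ["access-list"]:
        raise ValueError(f"not an ACE: {line!r}")
    number, action, proto, i = tok[1], tok[2], tok[3], 4
    src, i = _addr(tok, i)
    sport = None
    if i < len(tok) and tok[i] == "eq":
        sport, i = _port(tok[i + 1]), i + 2
    if i >= len(tok):                                 # e.g. the asker's DNS line
        raise ValueError(f"missing destination in: {line!r}")
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport, i = _port(tok[i + 1]), i + 2
    established = i < len(tok) and tok[i] == "established"
    return number, Ace(action, proto, src, sport, dst, dport, established)


def ace_is_well_formed(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; no match at all is the implicit deny (index None)."""
    for idx, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, idx
    return "deny", None


# Access-list 101 as the experts wrote it for f0/0 inbound, then with the reply line.
ACL_101 = [parse_ace(l)[1] for l in (
    "access-list 101 permit tcp host 10.10.10.1 any eq smtp",
    "access-list 101 permit udp any host 198.6.1.3 eq domain",
)]
ACL_101_WITH_REPLY = ACL_101 + [parse_ace(
    "access-list 101 permit tcp host 10.10.10.1 eq telnet host 192.168.1.1 established")[1]]


def telnet_reply_verdicts() -> Tuple[str, str]:
    """Server's SYN-ACK back to 192.168.1.1 arriving inbound on f0/0: before/after."""
    reply = Packet("tcp", "10.10.10.1", "192.168.1.1", sport=23, dport=51000, ack=True)
    return evaluate(ACL_101, reply)[0], evaluate(ACL_101_WITH_REPLY, reply)[0]


def spoofed_syn_verdict() -> str:
    """A fresh SYN from the server's port 23 lacks ACK, so 'established' still blocks it."""
    syn = Packet("tcp", "10.10.10.1", "192.168.1.1", sport=23, dport=51000, ack=False)
    return evaluate(ACL_101_WITH_REPLY, syn)[0]


def asker_telnet_line_matches_inbound_telnet() -> bool:
    """The asker put 'eq tel' on the source: an inbound telnet SYN never matches it."""
    ace = parse_ace("access-list 101 permit tcp host 192.168.1.1 eq tel host 10.10.10.1")[1]
    return ace.matches(Packet("tcp", "192.168.1.1", "10.10.10.1", sport=51000, dport=23))
```

Running `telnet_reply_verdicts()` gives `('deny', 'permit')`: with only the two permit lines the server's reply falls through to the implicit deny, which is the "return traffic" problem the reply above fixes. `spoofed_syn_verdict()` stays `'deny'` because `established` requires the ACK bit, which is the one advantage of the `established` form over the bare `eq 23` line posted above; it is still not stateful inspection, since any ACK-bearing segment from the server's port 23 to that host passes.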
ASKER
Dear all,
I want an access list on interface f0/0 that does this:
1 - permits SMTP to server 10.10.10.1 and DNS
2 - permits host 192.168.1.1 telnet access to 10.10.10.1
3 - denies any any.
How should it be written?
ASKER CERTIFIED SOLUTION
ASKER
thx
If it's incoming telnet to 10.10.10.1, the "eq telnet" has to be on the receiving side, so
access-list 101 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
Also, the second line is missing a parameter, most likely the "any" before the "host" keyword, which would allow any inside host to do DNS lookups to the 198.6.1.3 host.
I assume you are aware of the fact that the access list has an implicit "deny any any" at the end, forbidding any ip transmissions that are not explicitly allowed ...
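Pulling the thread's pieces together, here is one consolidated configuration as an added example (it is not the certified solution above and not code from any participant). It keeps the experts' lines, moves the telnet permit onto the outside interface where the SYN actually arrives, and uses `established` for the return legs instead of the thread's `permit ip any any` on the outside so that only replies to sessions the inside initiated are let back in. It follows the thread's reading that 10.10.10.1 originates SMTP; if the server is meant to receive mail instead, the SMTP lines swap direction. The interface addresses are the ones the asker gave; everything else is standard IOS syntax.

```cisco
! f0/0 (inside, 10.10.10.2): traffic from the LAN towards the router
access-list 101 remark -- server may start SMTP sessions outbound
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 remark -- any inside host may query the DNS server
access-list 101 permit udp any host 198.6.1.3 eq domain
access-list 101 remark -- replies of the permitted telnet session only (ACK/RST set)
access-list 101 permit tcp host 10.10.10.1 eq telnet host 192.168.1.1 established
! implicit deny ip any any ends the list
!
! f0/1 (outside, 192.168.1.2): traffic from outside towards the router
access-list 102 remark -- only 192.168.1.1 may open telnet to the server
access-list 102 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
access-list 102 deny   tcp any host 10.10.10.1 eq telnet
access-list 102 remark -- return legs of sessions the inside started
access-list 102 permit tcp any eq smtp host 10.10.10.1 established
access-list 102 permit udp host 198.6.1.3 eq domain any
! implicit deny ip any any ends the list
!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 ip access-group 102 in
```

Check it with `show access-lists`, which prints a hit counter per line: after a telnet from 192.168.1.1, the `established` line of 101 should count up, and the `deny tcp any host 10.10.10.1 eq telnet` line should count only for hosts other than 192.168.1.1. The explicit deny line is there to make those failed attempts visible in the counters (and in `log` output if you append that keyword); functionally the implicit deny would already drop them. The subnet masks on the two interfaces are assumed.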