Solved

access list

Posted on 2011-09-14
Last Modified: 2012-05-12
Dear all, I have a server (10.10.10.1). I just want this server to have access to SMTP, and I want this IP, 192.168.1.1, to be able to access the server by telnet.

access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp host 198.6.1.3 eq domain
access-list 101 permit tcp host 192.168.1.1 eq tel  host 10.10.10.1

inter f 0/0
ip access-group 101 in

Is that correct? If not, please correct it for me.
Question by:memo12345678
10 Comments
 
LVL 17

Expert Comment

by:Garry-G
ID: 36541117
Not quite right ...
If it's incoming telnet to 10.10.10.1, the "eq telnet" has to be on the receiving side, so

access-list 101 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet

Also, the second line is missing a parameter, most likely the "any" before the "host" keyword, allowing any inside host to do DNS lookups to the 198.6.1.3 host.

I assume you are aware of the fact that the access list has an implicit "deny any any" at the end, forbidding any ip transmissions that are not explicitly allowed ...
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36541716
What is the IP address of your f0/0? The access-list in/out direction, as well as source/destination in the access-list, depends on the interface's IP address.
 

Author Comment

by:memo12345678
ID: 36541886
inter f0/0 (inside)
10.10.10.2

inter f0/1 (outside)
192.168.1.2

Tell me the correct thing by example.
 
LVL 17

Expert Comment

by:Garry-G
ID: 36541915
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp any host 198.6.1.3 eq domain

inter f 0/0
ip access-group 101 in 



The line "access-list 101 permit tcp host 192.168.1.1 eq tel  host 10.10.10.1" would need to be added to the outside interface, so something like:

access-list 102 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
access-list 102 deny tcp any host 10.10.10.1 eq telnet
access-list 102 permit ip any any

interface fa0/1
ip access-group 102 in



Please note that this is in no way a complete and secure access list, just safeguarding the telnet port for that server.
But it should be sufficient to get an idea of what is necessary.

 
LVL 18

Expert Comment

by:fgasimzade
ID: 36541941
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp any host 198.6.1.3 eq domain

Any access-list has an implicit deny all statement at the end, so in access-list 101 everything will be blocked except SMTP and DNS.



access-list 100 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 permit ip any any  

Access-list 100 needs to be applied to the outside interface; only 192.168.1.1 would be able to telnet to 10.10.10.1.
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36541957
Well, I forgot about return telnet traffic.

access-list 101 permit tcp host 10.10.10.1 eq 23 host 192.168.1.1
 
LVL 17

Expert Comment

by:Garry-G
ID: 36542018
good catch ... (packet inspection w/o stateful inspection sucks)
 

Author Comment

by:memo12345678
ID: 36553385
Dear all,

On interface f 0/0 I want an access list that does this:

1 - permit SMTP to server 10.10.10.1 and DNS
2 - permit this host 192.168.1.1 telnet access to 10.10.10.1
3 - deny any any

How would it be?


 
LVL 17

Accepted Solution

by:Garry-G (earned 500 total points)
ID: 36553582
ip access-list extended OUTSIDE_IN
permit tcp any host 10.10.10.1 eq smtp
permit udp any eq 53 host 10.10.10.1    (would be better to limit to the DNS you inquire)
permit tcp host 192.168.1.1 host 10.10.10.1 eq 23
permit tcp any any established
permit tcp any any syn ack
deny ip any any (also there implicitly)


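As an added illustration (not part of the thread, and not Cisco code), here is a small Python model of how IOS evaluates an extended ACL: first matching entry wins, an implicit "deny ip any any" sits at the end, and "established" only matches TCP segments that already carry the ACK flag. It parses both the numbered syntax used in the question and the named syntax of the accepted answer, and it reproduces Garry-G's first point that putting "eq telnet" on the source side never matches a telnet connection to 10.10.10.1. The "syn ack" line of the accepted answer is left out (only "established" is modelled), and the remote address 203.0.113.5 and the high-numbered client ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

PORT_NAMES = {"smtp": 25, "domain": 53, "telnet": 23}   # names used in the thread


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK set: segment belongs to an existing connection


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]  # (address, wildcard mask) as 32-bit integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    established: bool = False


def _parse_addr(tok):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ip_address(tok.pop(0))), 0)
    return (int(ip_address(t)), int(ip_address(tok.pop(0))))


def _parse_port(tok):
    """Consume an optional 'eq PORT' qualifier that follows an address."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_acl(text):
    """Accept numbered ('access-list 101 permit ...') and named
    ('ip access-list extended NAME' followed by ' permit ...') syntax."""
    aces = []
    for raw in text.splitlines():
        line = raw.split("!")[0].split("(")[0].strip()  # drop comments and remarks
        if not line or line.startswith("ip access-list"):
            continue
        tok = line.split()
        if tok[0] == "access-list":
            tok = tok[2:]                                # skip 'access-list <number>'
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _parse_addr(rest), _parse_port(rest)   # left-to-right evaluation
        dst, dport = _parse_addr(rest), _parse_port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport, "established" in rest))
    return aces


def _addr_match(addr, spec):
    net, wild = spec
    return ((int(ip_address(addr)) ^ net) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(aces, pkt):
    """Return (action, index of the matching ACE); index None is the implicit deny."""
    for i, ace in enumerate(aces):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.ack:
            continue
        return ace.action, i
    return "deny", None


# Constructed sample: the accepted answer's list without its 'syn ack' line.
OUTSIDE_IN = parse_acl("""
ip access-list extended OUTSIDE_IN
 permit tcp any host 10.10.10.1 eq smtp
 permit udp any eq 53 host 10.10.10.1
 permit tcp host 192.168.1.1 host 10.10.10.1 eq 23
 permit tcp any any established
""")

# The asker's original telnet line, with 'eq telnet' on the source side.
WRONG_TELNET = parse_acl("access-list 101 permit tcp host 192.168.1.1 eq telnet host 10.10.10.1")


def demo():
    """Evaluate a handful of constructed packets against both lists."""
    return {
        "smtp_in":      evaluate(OUTSIDE_IN, Packet("tcp", "203.0.113.5", "10.10.10.1", 40000, 25)),
        "dns_reply":    evaluate(OUTSIDE_IN, Packet("udp", "198.6.1.3", "10.10.10.1", 53, 51000)),
        "telnet_ok":    evaluate(OUTSIDE_IN, Packet("tcp", "192.168.1.1", "10.10.10.1", 50000, 23)),
        "telnet_other": evaluate(OUTSIDE_IN, Packet("tcp", "192.168.1.9", "10.10.10.1", 50000, 23)),
        "reply_ack":    evaluate(OUTSIDE_IN, Packet("tcp", "203.0.113.5", "10.10.10.1", 25, 55000, ack=True)),
        "reply_syn":    evaluate(OUTSIDE_IN, Packet("tcp", "203.0.113.5", "10.10.10.1", 25, 55000)),
        "wrong_side":   evaluate(WRONG_TELNET, Packet("tcp", "192.168.1.1", "10.10.10.1", 50000, 23)),
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:13s} -> {action} (ACE {idx})")
```

The "telnet_other" and "reply_syn" cases both fall off the end of the list and hit the implicit deny, which is the behaviour the thread keeps pointing at: a hosts's first SYN to the server is only allowed by an explicit entry, while "established" lets replies to connections the server itself opened back in without listing every remote peer.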
 

Author Closing Comment

by:memo12345678
ID: 36581951
Thanks.