Solved

access list

Posted on 2011-09-14
10
321 Views
Last Modified: 2012-05-12
Dear all, I have a server (10.10.10.1). I just want this server to be able to access SMTP, and this IP, 192.168.1.1, to be able to access the server by telnet.

access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp host 198.6.1.3 eq domain
access-list 101 permit tcp host 192.168.1.1 eq tel  host 10.10.10.1

inter f 0/0
ip access-group 101 in

Is that correct? If not, please correct it for me.
0
Comment
Question by:memo12345678
10 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36541117
Not quite right ...
If it's incoming telnet to 10.10.10.1, the "eq telnet" has to be on the receiving side, so

access-list 101 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet

Also, the second line is missing a parameter, most likely the "any" before the "host" keyword, allowing any inside host to do DNS lookups to the 198.6.1.3 host.

I assume you are aware of the fact that the access list has an implicit "deny any any" at the end, forbidding any ip transmissions that are not explicitly allowed ...
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36541716
What is the IP address of your f0/0? The access-list in/out direction, as well as the source/destination in the access-list, depends on the interface's IP address.
0
 

Author Comment

by:memo12345678
ID: 36541886
inter f0/0 (inside)
10.10.10.2

inter f0/1 (outside)
192.168.1.2

Tell me the correct thing by example.
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36541915
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp any host 198.6.1.3 eq domain

inter f 0/0
ip access-group 101 in 

The line "access-list 101 permit tcp host 192.168.1.1 eq tel  host 10.10.10.1" would need to be added to the outside interface, so something like:

access-list 102 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
access-list 102 deny tcp any host 10.10.10.1 eq telnet
access-list 102 permit ip any any

interface fa0/1
ip access-group 102 in


Please note that this is in no way a complete and secure access list, just safeguarding the telnet port for that server.
But it should be sufficient to get an idea of what is necessary.

0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36541941
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp any host 198.6.1.3 eq domain

Any access-list has an implicit deny-all statement at the end, so in access-list 101 everything will be blocked except SMTP and DNS.

access-list 100 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 permit ip any any  

Access-list 100 needs to be applied to outside interface, only 192.168.1.1 would be able to telnet to 10.10.10.1
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36541957
Well, I forgot about the return telnet traffic.

access-list 101 permit tcp host 10.10.10.1 eq 23 host 192.168.1.1
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36542018
good catch ... (packet inspection w/o stateful inspection sucks)
0
 

Author Comment

by:memo12345678
ID: 36553385
Dear all,

I want, from interface f 0/0, to do this access list:
1. permit SMTP to server 10.10.10.1, and DNS
2. permit this host 192.168.1.1 telnet access to 10.10.10.1
3. deny any any

How should it be?


0
 
LVL 18

Accepted Solution

by:
Garry Glendown earned 500 total points
ID: 36553582
ip access-list extended OUTSIDE_IN
permit tcp any host 10.10.10.1 eq smtp
permit udp any eq 53 host 10.10.10.1    (would be better to limit to the DNS you inquire)
permit tcp host 192.168.1.1 host 10.10.10.1 eq 23
permit tcp any any established
permit tcp any any syn ack
deny ip any any (also there implicitly)

0
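The two points the thread turns on, that a stateless ACL hits the implicit deny for the reply half of a TCP session unless a return rule (fgasimzade's "permit tcp host 10.10.10.1 eq 23 host 192.168.1.1") or the "established" keyword lets it through, can be checked by running sample packets through the ACLs. The script below is an added example, not code from the thread or from Cisco: it parses just the subset of extended-ACL syntax used above (permit/deny, ip/tcp/udp, any/host, "eq", "established"; the "syn ack" line is left out), applies the first-match rule with the implicit deny, and evaluates constructed packets against INSIDE_IN (ACL 101 plus the return line) and the accepted OUTSIDE_IN list. 203.0.113.25 is a documentation address standing in for an external mail server.

```python
# Added example (not from the thread): a tiny evaluator for the subset of Cisco
# extended-ACL syntax used above, showing why a stateless ACL needs an explicit
# return rule (or 'established') for the reply half of every TCP conversation.
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"smtp": 25, "telnet": 23, "domain": 53}


@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False    # TCP ACK (or RST) set, i.e. not the opening SYN


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: Optional[str]          # None means 'any'
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    established: bool = False


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_rule(line: str) -> Rule:
    """Parse 'permit|deny proto (any|host A) [eq P] (any|host B) [eq P] [established]'."""
    toks = line.split()
    pos = 2  # toks[0] is the action, toks[1] the protocol

    def addr() -> Optional[str]:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return None
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address spec in: {line}")

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return _port(toks[pos - 1])
        return None

    src, sport, dst, dport = addr(), port(), addr(), port()
    established = pos < len(toks) and toks[pos] == "established"
    return Rule(toks[0], toks[1], src, sport, dst, dport, established)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    for want, have in ((rule.src, pkt.src), (rule.dst, pkt.dst),
                       (rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if want is not None and want != have:
            return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching line wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule.action
    return "deny"  # the implicit 'deny ip any any' both experts point out


INSIDE_IN = [   # applied 'in' on f0/0 (server side): ACL 101 plus the return line
    "permit tcp host 10.10.10.1 any eq smtp",
    "permit udp any host 198.6.1.3 eq domain",
    "permit tcp host 10.10.10.1 eq 23 host 192.168.1.1",   # telnet replies
]
OUTSIDE_IN = [  # applied 'in' on f0/1: the accepted solution minus 'syn ack'
    "permit tcp any host 10.10.10.1 eq smtp",
    "permit udp any eq 53 host 10.10.10.1",
    "permit tcp host 192.168.1.1 host 10.10.10.1 eq 23",
    "permit tcp any any established",                      # replies to the server's own sessions
]

# Constructed sample packets (thread addresses; 203.0.113.25 is a documentation address).
TELNET_SYN = Packet("tcp", "192.168.1.1", 40000, "10.10.10.1", 23)
TELNET_SYN_OTHER = Packet("tcp", "192.168.1.9", 40000, "10.10.10.1", 23)
TELNET_REPLY = Packet("tcp", "10.10.10.1", 23, "192.168.1.1", 40000, ack=True)
SMTP_SYN = Packet("tcp", "10.10.10.1", 50000, "203.0.113.25", 25)
SMTP_REPLY = Packet("tcp", "203.0.113.25", 25, "10.10.10.1", 50000, ack=True)

if __name__ == "__main__":
    print("telnet SYN from 192.168.1.1, f0/1 in :", evaluate(OUTSIDE_IN, TELNET_SYN))
    print("telnet SYN from 192.168.1.9, f0/1 in :", evaluate(OUTSIDE_IN, TELNET_SYN_OTHER))
    print("telnet reply, f0/0 in                :", evaluate(INSIDE_IN, TELNET_REPLY))
    print("telnet reply without return rule     :", evaluate(INSIDE_IN[:2], TELNET_REPLY))
    print("smtp SYN from server, f0/0 in        :", evaluate(INSIDE_IN, SMTP_SYN))
    print("smtp reply, f0/1 in                  :", evaluate(OUTSIDE_IN, SMTP_REPLY))
    print("smtp reply without 'established'     :", evaluate(OUTSIDE_IN[:3], SMTP_REPLY))
```

Dropping the last line of either list (the slices in the usage section) is what the thread's first drafts looked like: the telnet reply from 10.10.10.1:23 and the SMTP server's reply both fall through to the implicit deny, so the connections open but never complete. Note that "established" only checks the ACK/RST bits, so it admits any ACK-bearing segment to any port; it is a stateless approximation, which is the limitation Garry's "packet inspection w/o stateful inspection" remark refers to.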
 

Author Closing Comment

by:memo12345678
ID: 36581951
thx
0
