Solved

access list

Posted on 2011-09-14
10
Medium Priority
348 Views
Last Modified: 2012-05-12
Dear all, I have a server (10.10.10.1). I just want this server to have access to SMTP, and this IP, 192.168.1.1, to be able to access this server by telnet.

access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp host 198.6.1.3 eq domain
access-list 101 permit tcp host 192.168.1.1 eq tel  host 10.10.10.1

inter f 0/0
ip access-group 101 in

Is that correct? If not, please correct it for me.
Question by:memo12345678
10 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36541117
Not quite right ...
If it's incoming telnet to 10.10.10.1, the "eq telnet" has to be on the receiving side, so

access-list 101 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet

Also, the second line is missing a parameter, most likely the "any" before the "host" keyword, allowing any inside host to do DNS lookups to the 198.6.1.3 host.

I assume you are aware of the fact that the access list has an implicit "deny any any" at the end, forbidding any ip transmissions that are not explicitly allowed ...
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36541716
What is the IP address of your f0/0? The access-list in/out direction, as well as source/destination in the access-list, depends on the interface's IP address.
 

Author Comment

by:memo12345678
ID: 36541886
inter f0/0 (inside)
10.10.10.2

inter f0/1 (outside)
192.168.1.2

Tell me the correct thing by example.
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36541915
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp any host 198.6.1.3 eq domain

inter f 0/0
ip access-group 101 in 


The line "access-list 101 permit tcp host 192.168.1.1 eq tel  host 10.10.10.1" would need to be added to the outside interface, so something like:

access-list 102 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
access-list 102 deny tcp any host 10.10.10.1 eq telnet
access-list 102 permit ip any any

interface fa0/1
ip access-group 102 in


Please note that this is in no way a complete and secure access list, just safeguarding the telnet port for that server.
But it should be sufficient to get an idea of what is necessary.

 
LVL 18

Expert Comment

by:fgasimzade
ID: 36541941
access-list 101 permit tcp host 10.10.10.1 any eq smtp
access-list 101 permit udp any host 198.6.1.3 eq domain

Any access-list has an implicit deny-all statement at the end, so in access-list 101 everything will be blocked except SMTP and DNS.



access-list 100 permit tcp host 192.168.1.1 host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 permit ip any any

Access-list 100 needs to be applied to the outside interface; only 192.168.1.1 would be able to telnet to 10.10.10.1.
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36541957
Well, I forgot about the return telnet traffic.

access-list 101 permit tcp host 10.10.10.1 eq 23 host 192.168.1.1
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36542018
good catch ... (packet inspection w/o stateful inspection sucks)
 

Author Comment

by:memo12345678
ID: 36553385
Dear all,

I want, from interface f 0/0, this access list:

1 - permit SMTP to server 10.10.10.1, and DNS
2 - permit this host 192.168.1.1 telnet access to 10.10.10.1
3 - deny any any.

How should it be?
 
LVL 18

Accepted Solution

by:
Garry Glendown earned 2000 total points
ID: 36553582
ip access-list extended OUTSIDE_IN
permit tcp any host 10.10.10.1 eq smtp
permit udp any eq 53 host 10.10.10.1    (would be better to limit to the DNS you inquire)
permit tcp host 192.168.1.1 host 10.10.10.1 eq 23
permit tcp any any established
permit tcp any any syn ack
deny ip any any (also there implicitly)

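To make the first-match and implicit-deny behaviour behind the accepted solution concrete, here is an added Python evaluator (my own example, not code from the thread or from Cisco) for the subset of IOS extended-ACL syntax used above: permit/deny, any/host, eq <port> and established. The OUTSIDE_IN entries and the asker's original line are constructed copies fed in as text; the packet dictionary format, the tcp() helper and treating "established" as "ACK bit set" are my assumptions.

```python
# Added example (not from the thread): evaluator for the subset of Cisco IOS
# extended-ACL syntax used above, showing first-match and implicit-deny semantics.
PORTS = {"smtp": 25, "telnet": 23, "domain": 53}  # IOS port keywords used above

def _addr(tok):
    """Consume 'any' or 'host X'; return (address, or None for any, rest)."""
    return (None, tok[1:]) if tok[0] == "any" else (tok[1], tok[2:])

def _port(tok):
    """Consume an optional 'eq <port>'; return (port or None, rest)."""
    if tok and tok[0] == "eq":
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_acl(text):
    """Parse entries such as 'permit tcp host A host B eq 23 established'."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        rules.append((action, proto, src, sport, dst, dport, "established" in rest))
    return rules

def evaluate(rules, pkt):
    """First matching entry decides; no match is the implicit 'deny ip any any'."""
    for action, proto, src, sport, dst, dport, est in rules:
        if (proto not in ("ip", pkt["proto"])
                or src not in (None, pkt["src"]) or dst not in (None, pkt["dst"])
                or sport not in (None, pkt["sport"]) or dport not in (None, pkt["dport"])
                or (est and not pkt["ack"])):   # 'established': ACK bit set (simplified)
            continue
        return action
    return "deny"

def tcp(src, sport, dst, dport, ack=False):
    """Constructed packet; ack=True models a reply segment of an existing session."""
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, ack=ack)

# The asker's original entry, with 'eq telnet' on the source side (named form).
WRONG = parse_acl("permit tcp host 192.168.1.1 eq telnet host 10.10.10.1")
# The accepted solution's OUTSIDE_IN list, applied inbound on the outside interface.
OUTSIDE_IN = parse_acl("""
permit tcp any host 10.10.10.1 eq smtp
permit udp any eq 53 host 10.10.10.1
permit tcp host 192.168.1.1 host 10.10.10.1 eq 23
permit tcp any any established
""")
```

Running evaluate(WRONG, tcp("192.168.1.1", 40000, "10.10.10.1", 23)) returns "deny" because the client's ephemeral source port never matches "eq telnet", while the same packet against OUTSIDE_IN returns "permit"; a telnet attempt from any other host hits the implicit deny.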
 

Author Closing Comment

by:memo12345678
ID: 36581951
Thanks.