Access-list block incoming traffic except 1 server

I want to create an access-list that blocks all incoming traffic from the outside to the inside. Only 1 server on port 5060 and an SSH connection to the router are exceptions. Is this correct?

access-list 106 permit udp host eq 5060 any
access-list 106 permit tcp any any eq 443 log
access-list 106 deny ip any any

access-list 23 permit
access-list 23 permit

int dialer1
 ip access-group 106 in

line vty 0 4
 access-class 23 in
Emiel Zwart (Engineer) asked:
Don Johnston (Instructor) commented:
Is this server on the outside or inside?

What's the permit tcp 443 for?
Akinsd (Network Administrator) commented:
If the int dialer1 is your outside facing interface, then yes.
If Int dialer1 connects to a switch that your server connects to, then you should use the ip access-group 106 out

A topology diagram will help determine the correct application of the ACLs
Emiel Zwart (Engineer, Author) commented:
The server is from the outside. And the permit tcp 443 is so that I can connect with SSL to the router. Or isn't that necessary?
Don Johnston (Instructor) commented:
You said that you wanted to be able to SSH to the router. SSH uses TCP port 22.

So assuming that you mean SSH, you don't need the permit TCP port 443.  You also don't need the deny any any as that's there by default.

One thing that I would do is add entries on ACL 106 to allow SSH to the router and not do it on the VTY lines since you need to allow it on the entry ACL anyway.


access-list 106 permit udp host eq 5060 any
access-list 106 permit tcp any host <IP of the router> eq 22

Emiel Zwart (Engineer, Author) commented:
So if I have an access-list on the vty lines I also must give permission on the access-list that resides on the dialer interface? In other words, the access-class on the vty lines does not pass the access-list (106) on the incoming dialer interface?
Don Johnston (Instructor) commented:
Correct.  In order to get to the VTY lines, the traffic has to get inside the router first.
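The two points made in this thread (the interface ACL is evaluated before the VTY access-class, and an unmatched packet hits the implicit deny) can be checked with a small first-match evaluator. This is an added illustration written for this page, not IOS and not code from any participant; the addresses and the Python model of "host", "any" and "eq" matching are assumptions, and it only models exact-host and any matches, not wildcard masks.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    """One numbered-ACL line. 'ip' matches every protocol; 'any' matches
    every address; a port of None means no 'eq' clause was given."""
    action: str                # "permit" or "deny"
    proto: str
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src != "any" and e.src != p.src:
        return False
    if e.dst != "any" and e.dst != p.dst:
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit
    'deny ip any any' that ends every IOS ACL."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# Constructed sample addresses (assumptions, not from the original question).
SIP_SERVER = "203.0.113.10"   # the one outside server
ROUTER_WAN = "198.51.100.1"   # address of the dialer interface
ADMIN_HOST = "192.0.2.50"     # where the administrator connects from

# Shape of the ACL as originally posted: SIP from the server, HTTPS to anything.
ORIGINAL_106 = [
    Entry("permit", "udp", src=SIP_SERVER, sport=5060),
    Entry("permit", "tcp", dport=443),
]

# Shape of the ACL as proposed in the answer: SIP from the server, SSH to the router.
PROPOSED_106 = [
    Entry("permit", "udp", src=SIP_SERVER, sport=5060),
    Entry("permit", "tcp", dst=ROUTER_WAN, dport=22),
]

# VTY access-class: only the admin host may open a session.
ACL_23 = [Entry("permit", "ip", src=ADMIN_HOST)]


def ssh_to_router(src: str, acl_in: List[Entry], acl_vty: List[Entry] = ACL_23) -> str:
    """A packet aimed at the VTY lines must first pass the inbound interface
    ACL, and only then the access-class on the lines."""
    pkt = Packet("tcp", src, ROUTER_WAN, sport=40000, dport=22)
    if evaluate(acl_in, pkt) != "permit":
        return "dropped by interface ACL"
    if evaluate(acl_vty, pkt) != "permit":
        return "refused by vty access-class"
    return "accepted"


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_106), ("proposed", PROPOSED_106)):
        print(label, "admin SSH:", ssh_to_router(ADMIN_HOST, acl))
        print(label, "other SSH:", ssh_to_router("192.0.2.99", acl))
```

With the original ACL the administrator's SSH session never reaches the access-class, because nothing in ACL 106 permits TCP/22 to the router; with the proposed ACL it passes the interface check and the VTY access-class then decides which source hosts get a session.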