
Access-list block incoming traffic except 1 server

Emiel Zwart asked:
I want to create an access-list that blocks all incoming traffic from the outside to the inside. Only one server, 178.13.4.8 on port 5060, and an SSH connection to the router are exceptions. Is this correct?

access-list 106 permit udp host 178.13.4.8 eq 5060 any
access-list 106 permit tcp any any eq 443 log
access-list 106 deny ip any any

access-list 23 permit 48.44.145.130
access-list 23 permit 48.44.145.131
int dialer1
ip access-group 106 in

line vty 0 4
access-class 23 in

Don Johnston (Instructor, Top Expert 2015) commented:
Is this 178.13.4.8 server on the outside or inside?

What's the permit tcp 443 for?
Akinsd (Network Administrator) commented:
If int dialer1 is your outside-facing interface, then yes.
If int dialer1 connects to a switch that your server connects to, then you should use ip access-group 106 out.

A topology diagram will help determine the correct application of the ACLs
Emiel Zwart (Author) commented:
The server 178.13.4.8 is on the outside. And the permit tcp 443 is so that I can connect with SSL to the router. Or isn't that necessary?
Don Johnston (Instructor, Top Expert 2015) commented:
You said that you wanted to be able to SSH to the router. SSH uses TCP port 22.

So assuming that you mean SSH, you don't need the permit TCP port 443.  You also don't need the deny any any as that's there by default.

One thing that I would do is add entries on ACL 106 to allow SSH to the router and not do it on the VTY lines since you need to allow it on the entry ACL anyway.

So:

access-list 106 permit udp host 178.13.4.8 eq 5060 any
access-list 106 permit tcp 48.44.145.130 0.0.0.1 any <or IP of the router> eq 22
Emiel Zwart (Author) commented:
So if I have an access-list on the vty lines, I also must give permission on the access-list that resides on the dialer interface? In other words, the access-class on the vty lines does not bypass the access-list (106) on the incoming dialer interface?
Don Johnston (Instructor, Top Expert 2015) commented:
Correct. In order to get to the VTY lines, the traffic has to get inside the router first.
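The configuration the thread converges on, written out in full as an added example (this is not a participant's posted config). It assumes SSH is already enabled on the router (RSA key generated, a local username defined), that ROUTER_PUBLIC_IP is a placeholder for the address on Dialer1, that 48.44.145.130 and .131 are the two admin hosts, and that return traffic for sessions started from the inside is handled by NAT or stateful inspection, which an inbound ACL alone does not cover. The explicit deny at the end of ACL 106 is optional, as Don notes; it is kept here with log so that dropped connection attempts show up in the router log.

```cisco
! Added example: entry ACL on the outside interface plus a second layer on the VTY lines.
! ROUTER_PUBLIC_IP is a placeholder for the router's own address on Dialer1.
!
ip ssh version 2
!
! ACL 106: evaluated first, on every packet arriving on Dialer1.
access-list 106 remark --- SIP from the one permitted outside host ---
access-list 106 permit udp host 178.13.4.8 eq 5060 any
access-list 106 remark --- SSH to the router only from the two admin hosts ---
access-list 106 permit tcp 48.44.145.130 0.0.0.1 host ROUTER_PUBLIC_IP eq 22 log
access-list 106 remark --- everything else is dropped (implicit anyway; logged here) ---
access-list 106 deny ip any any log
!
interface Dialer1
 ip access-group 106 in
!
! ACL 23: evaluated only after a packet has already passed ACL 106 and
! reached the router's own VTY lines.
access-list 23 permit 48.44.145.130 0.0.0.1
!
line vty 0 4
 access-class 23 in
 transport input ssh
 login local
```

Two points worth checking after applying this: `show access-lists 106` should show the SSH entry's hit counter increasing when an admin host connects, and a connection attempt from any other outside address should appear as a logged deny on ACL 106 rather than reaching ACL 23 at all. The SIP entry matches on source port 5060 from the permitted host to any destination, exactly as the asker wrote it; if the inside PBX address is known, replacing the trailing `any` with `host <PBX address>` narrows it further.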