[c-nsp] ACL query

Ziv Leyes zivl at gilat.net
Wed Dec 15 05:51:07 EST 2010


In your case, fe0 is the outside world, the "untrusted" world; the acl 101 you applied on fe0 filters any packet that is coming from the outside world into your router, no matter where exactly it goes later.
The acl 1 applied on the line vty filters traffic that is trying to connect to the router (most probably telnet/ssh), no matter where it's coming from (fe0, fe1, etc.).
If you want to telnet to the router and you're coming from an external source (outside world), you'll have to be allowed both in acl 101 and acl 1.
To protect your servers, you can put it either inbound on fe0 or outbound on fe1; it gives you the same result, but in this case you won't need to allow anything trying to connect to the router other than in acl 1 only.

Hope this makes sense to you
Ziv


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Edward avanti
Sent: Wednesday, December 15, 2010 11:57 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACL query

Hello all,

I understood that ACLs on interfaces were for transiting traffic and ACLs on lines were for traffic to the router?

I ask because I could not access the router until I added my home IP to acl 101 (the inbound one). Is this because the external interface fe0 has inbound rules applied?
For example, fe1 goes to our network of servers; I apply ingress rules on fe0, which is the SP link. Is this why I was denied?

Should I invert all this: have no rules on fe0 and apply the network ingress rules as outbound rules on fe1 instead?

Which is considered best practice? Or is this correct, but I somehow blocked myself from the line?


ACL config data relevant to the post; all IPs are changed to protect the guilty :->


access-list 1 permit 1.1.1.0 0.0.1.255
line vty 0 4
 access-class 1 in



access-list 101 permit ip host 1.2.3.4 any
access-list 101 permit ip host 15.6.7.8 any
access-list 101 deny   tcp any any eq 22
access-list 101 deny   tcp any any eq telnet
access-list 101 deny   tcp any any eq sunrpc
access-list 101 deny   udp any any eq sunrpc
access-list 101 deny   tcp any any range 135 139
access-list 101 deny   udp any any range 135 netbios-ss
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq tftp
access-list 101 deny   tcp any any eq 873
access-list 101 deny   tcp any any eq 2049
access-list 101 deny   tcp any any eq 3306
access-list 101 permit ip any any

interface FastEthernet0
 ip access-group 101 in



Thank you
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

 
 