[c-nsp] ACL making me insane
Skeeve Stevens
skeeve at skeeve.org
Tue Jun 3 13:23:05 EDT 2008
Hey all,
Got an issue with the below ACL. The inbound to the PROTECTEDSERVER is
working ok: port 80 is allowed, RDP from one trusted machine.
But on the outbound, with the deny ip any any active (notice the !), the
inbound won't work, nor can the server get out.
What am I missing?
Basically what I want to do is deny all, allow only certain things.
.Skeeve
!
no ip access-list extended FWCUST_XXX_IN
ip access-list extended FWCUST_XXX_IN
remark Inbound Firewall rules for XXX Services
permit tcp any host PROTECTEDSERVER established
permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
permit tcp any host PROTECTEDSERVER eq 80
permit icmp any any
deny ip any any
!
no ip access-list extended FWCUST_XXX_OUT
ip access-list extended FWCUST_XXX_OUT
remark Outbound Firewall rules for XXX Services
permit tcp any any established
permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp
permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
permit icmp any any
permit tcp host PROTECTEDSERVER any eq domain
permit udp host PROTECTEDSERVER any eq domain
permit tcp host PROTECTEDSERVER any eq 80
permit tcp host PROTECTEDSERVER any eq 21
permit udp host PROTECTEDSERVER any eq 20
! deny ip any any
!
!
!
interface GigabitEthernet0/2.402
ip access-group FWCUST_XXX_OUT in
ip access-group FWCUST_XXX_IN out
!
end
!
--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
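Added example, not part of Skeeve's post: a small Python first-match evaluator for extended ACL lines of the kind above, run over the outbound list with a few constructed packets leaving the server, to show which entry the SYN-ACK of an inbound web session hits (established), which entry a fresh SMTP connection hits, and where a connection to an unlisted port ends up with and without the explicit deny. The addresses used for PROTECTEDSERVER and SAFEMAIL are constructed placeholders, not real hosts.

```python
# Added example, not from the post: first-match evaluation of Cisco-style extended ACL lines.
NAMES = {"PROTECTEDSERVER": "192.0.2.10", "SAFEMAIL": "198.51.100.25"}  # constructed addresses
PORTS = {"smtp": 25, "pop3": 110, "domain": 53}  # IOS port names used in the post

def _addr(t, i):
    """Parse 'any' or 'host NAME' at token i; a bare name (missing 'host') is rejected, as IOS does."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return NAMES.get(t[i + 1], t[i + 1]), i + 2
    raise ValueError(f"expected 'any' or 'host' before {t[i]!r}")

def parse_ace(line):
    """One ACE -> dict; '!' comment lines and remarks return None and never match."""
    t = line.split()
    if not t or t[0] in ("!", "remark"):
        return None
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    ace = {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": None, "est": False}
    while i < len(t):
        if t[i] == "eq":  # destination port, by IOS name or number
            ace["dport"], i = (PORTS[t[i + 1]] if t[i + 1] in PORTS else int(t[i + 1])), i + 2
        elif t[i] == "established":  # TCP segments with ACK or RST set, i.e. never a bare SYN
            ace["est"], i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r}")
    return ace

def evaluate(acl, pkt):
    """Return (action, line) of the first matching ACE; IOS ends every list with an implicit deny."""
    for line in acl:
        a = parse_ace(line)
        if a is None or a["proto"] not in ("ip", pkt["proto"]):
            continue
        if a["src"] not in ("any", pkt["src"]) or a["dst"] not in ("any", pkt["dst"]):
            continue
        if (a["dport"] is not None and a["dport"] != pkt.get("dport")) or (a["est"] and not pkt.get("ack")):
            continue
        return a["action"], line
    return "deny", "implicit deny ip any any"

FWCUST_XXX_OUT = ["permit tcp any any established", "permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp",
                  "permit tcp host PROTECTEDSERVER any eq domain", "permit udp host PROTECTEDSERVER any eq domain",
                  "permit tcp host PROTECTEDSERVER any eq 80", "deny ip any any"]  # subset of the posted list
SERVER = NAMES["PROTECTEDSERVER"]
# constructed packets leaving the server: SYN-ACK of an inbound web session, a fresh SYN to SMTP, a fresh SYN to 443
SYNACK_WEB = {"proto": "tcp", "src": SERVER, "dst": "203.0.113.7", "dport": 51000, "ack": True}
SYN_SMTP = {"proto": "tcp", "src": SERVER, "dst": NAMES["SAFEMAIL"], "dport": 25, "ack": False}
SYN_443 = {"proto": "tcp", "src": SERVER, "dst": "203.0.113.7", "dport": 443, "ack": False}
```

Dropping the last entry of the list (evaluate(FWCUST_XXX_OUT[:-1], pkt)) shows that the implicit deny at the end of every IOS ACL catches the same traffic the explicit "deny ip any any" does.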