[geeks] cisco router access lists

James james at jdfogg.com
Mon Dec 16 13:31:31 CST 2002


Who wrote this? It appears to be a little overkill and makes some novice 
mistakes like the deny tcp any any (which is implicit anyways and needs no 
mention). Also, applying filterin and filterout to both s0/0 AND s0/0.1 (a 
sub interface, probably because you are using frame relay).

Basically, it's a reflexive list that will require other config statements 
called ipfilter and icmpfilter (arbitrary names).

Can you email me the complete config?


At 05:35 PM 12/13/2002 -0600, you wrote:
>Would someone mind helping me out and taking a look at the script 
>below?  It's supposed to set up access lists inbound and outbound to allow 
>only authorized connections - but for some reason it denies connections 
>everywhere (or perhaps let them out, but not back in?).
>
>This has got me totally stumped, and it's not like I've never done this 
>before either, so I'm incredibly frustrated right now.
>
>begin router script
>-------------------
>! erase existing outbound filters (if any)
>no ip access-list extended filterout
>!
>ip access-list extended filterout
>!
>! permit all outbound traffic for now
>permit ip any any reflect ipfilter
>permit icmp any any reflect icmpfilter
>!
>! exit filterout access-list config and go back to global config
>exit
>!
>!erase existing inbound filters (if any)
>no ip access-list extended filterin
>!
>ip access-list extended filterin
>!
>! stateful examination
>evaluate ipfilter
>evaluate icmpfilter
>!
>! http rules
>permit tcp any host 65.222.52.2 eq 80
>permit tcp any host 65.222.52.4 eq 80
>permit tcp any host 65.222.52.5 eq 80
>permit tcp any host 65.222.52.8 eq 80
>permit tcp any host 65.222.52.10 eq 80
>permit tcp any host 65.222.52.100 eq 80
>permit tcp any host 65.222.52.110 eq 80
>!
>! https rules
>permit tcp any host 65.222.52.4 eq 443
>permit tcp any host 65.222.52.5 eq 443
>permit tcp any host 65.222.52.10 eq 443
>permit tcp any host 65.222.52.100 eq 443
>permit tcp any host 65.222.52.110 eq 443
>!
>! ftp rules
>permit tcp any host 65.222.52.2 eq 21
>permit tcp any host 65.222.52.3 eq 21
>permit tcp any host 65.222.52.4 eq 21
>permit tcp any host 65.222.52.6 eq 21
>permit tcp any host 65.222.52.9 eq 21
>permit tcp any host 65.222.52.10 eq 21
>permit tcp any host 65.222.52.100 eq 21
>permit tcp any host 65.222.52.110 eq 21
>!
>! smtp rules
>permit tcp any host 65.222.52.2 eq 25
>permit tcp any host 65.222.52.3 eq 25
>permit tcp any host 65.222.52.6 eq 25
>permit tcp any host 65.222.52.9 eq 25
>permit tcp any host 65.222.52.10 eq 25
>permit tcp any host 65.222.52.100 eq 25
>permit tcp any host 65.222.52.110 eq 25
>!
>! dns rules
>permit tcp any host 65.222.52.2 eq 53
>permit udp any host 65.222.52.2 eq 53
>permit tcp any host 65.222.52.3 eq 53
>permit udp any host 65.222.52.3 eq 53
>permit tcp any host 65.222.52.8 eq 53
>permit udp any host 65.222.52.8 eq 53
>!
>! ssh rules
>permit tcp any host 65.222.52.110 eq 22
>permit udp any host 65.222.52.110 eq 22
>permit tcp any host 65.222.52.100 eq 22
>permit udp any host 65.222.52.100 eq 22
>permit tcp host 63.87.36.74 any eq 22
>permit udp host 63.87.36.74 any eq 22
>!
>! imap rules
>permit tcp host 63.87.36.74 host 65.222.52.100 eq 143
>!
>! proxy rules
>permit tcp host 63.87.36.74 host 65.222.52.2 eq 81
>permit tcp host 63.87.36.74 host 65.222.52.3 eq 81
>!
>! ntp rules
>permit tcp any host 65.222.52.2 eq 37
>!
>!
>! vpn rule (testing)
>permit ip any host 65.222.52.253
>permit tcp any host 65.222.52.253
>permit udp any host 65.222.52.253
>!
>! cleanup rule
>deny ip any any
>!
>!
>!return to global config
>exit
>!
>! configure the interfaces
>interface Serial0/0
>ip access-group filterin in
>ip access-group filterout out
>exit
>interface serial0/1.1
>ip access-group filterin in
>ip access-group filterout out
>exit
>!
>exit
>show running
>
>--
>Kurt
>kurt at k-huhn.com
>_______________________________________________
>GEEKS:  http://www.sunhelp.org/mailman/listinfo/geeks
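To make the two points in the reply concrete (the reflexive list only works through the `reflect` / `evaluate` pair, and the trailing `deny ip any any` changes nothing because every IOS access list already ends in an implicit deny), here is a small Python model of how IOS evaluates a reflexive access list. It is an added illustration, not Kurt's configuration, James's code or anything from IOS itself; the model keeps only a few of the posted static permits, the 65.222.52.x addresses come from the posted script, and the external addresses 198.51.100.7 and 203.0.113.9 and all port numbers are constructed for the demonstration. As a side effect of first-match semantics the model also shows that `permit ip any any reflect ipfilter` swallows ICMP, so the `icmpfilter` list below it never gets an entry.

```python
"""Simplified model of Cisco IOS reflexive access lists (reflect / evaluate).

Added example; not Kurt's config or IOS code. Host addresses 65.222.52.x are
from the posted script; the external addresses 198.51.100.7 and 203.0.113.9
and all port numbers are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for protocols without ports
    dport: int = 0


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: Optional[str] = None       # None means "any"
    dst: Optional[str] = None
    sport: Optional[int] = None     # None means any port
    dport: Optional[int] = None
    reflect: Optional[str] = None   # populate this reflexive list on match
    evaluate: Optional[str] = None  # consult this reflexive list instead

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in (None, p.src)
                and self.dst in (None, p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def mirror(p: Packet) -> Entry:
    """Temporary entry created for the return direction of a reflected flow."""
    ports = p.proto in ("tcp", "udp")
    return Entry("permit", p.proto, src=p.dst, dst=p.src,
                 sport=p.dport if ports else None,
                 dport=p.sport if ports else None)


class Router:
    def __init__(self) -> None:
        self.acls: dict[str, list[Entry]] = {}
        self.reflexive: dict[str, list[Entry]] = {}

    def filter(self, acl_name: str, p: Packet) -> str:
        """First matching entry wins; no match ends in the implicit deny."""
        for e in self.acls[acl_name]:
            if e.evaluate is not None:
                if any(r.matches(p) for r in self.reflexive.get(e.evaluate, [])):
                    return "permit"
                continue  # no dynamic entry: fall through to the static entries
            if e.matches(p):
                if e.action == "permit" and e.reflect is not None:
                    self.reflexive.setdefault(e.reflect, []).append(mirror(p))
                return e.action
        return "deny"  # the implicit deny at the end of every IOS access list


def build_router(explicit_deny: bool = True) -> Router:
    r = Router()
    # filterout, applied outbound: the first entry reflects every IP packet, so
    # the icmp entry below it can never match and icmpfilter stays empty.
    r.acls["filterout"] = [
        Entry("permit", "ip", reflect="ipfilter"),
        Entry("permit", "icmp", reflect="icmpfilter"),
    ]
    # filterin, applied inbound: dynamic entries first, then a subset of the
    # posted static permits, then the optional "cleanup rule".
    r.acls["filterin"] = [
        Entry("permit", "ip", evaluate="ipfilter"),
        Entry("permit", "ip", evaluate="icmpfilter"),
        Entry("permit", "tcp", dst="65.222.52.100", dport=80),
        Entry("permit", "tcp", dst="65.222.52.100", dport=22),
    ]
    if explicit_deny:
        r.acls["filterin"].append(Entry("deny", "ip"))
    return r


def run_scenarios(explicit_deny: bool = True) -> dict:
    """Drive a few constructed packets through the model and collect verdicts."""
    r = build_router(explicit_deny)
    out = r.filter("filterout", Packet("tcp", "65.222.52.100", "198.51.100.7", 40000, 443))
    reply = r.filter("filterin", Packet("tcp", "198.51.100.7", "65.222.52.100", 443, 40000))
    ssh = r.filter("filterin", Packet("tcp", "203.0.113.9", "65.222.52.100", 5555, 22))
    unsolicited = r.filter("filterin", Packet("tcp", "203.0.113.9", "65.222.52.100", 5555, 3306))
    ping_out = r.filter("filterout", Packet("icmp", "65.222.52.100", "198.51.100.7"))
    return {
        "outbound": out,
        "reply_via_evaluate": reply,
        "static_ssh": ssh,
        "unsolicited": unsolicited,
        "icmp_out": ping_out,
        "ipfilter_entries": len(r.reflexive.get("ipfilter", [])),
        "icmpfilter_entries": len(r.reflexive.get("icmpfilter", [])),
    }


if __name__ == "__main__":
    for key, verdict in run_scenarios().items():
        print(f"{key}: {verdict}")
```

Running `run_scenarios(explicit_deny=False)` gives exactly the same verdicts as the default, which is the point about the redundant `deny ip any any`: an inbound packet that matches neither a dynamic entry nor a static permit is dropped either way. The model deliberately says nothing about where the lists are applied; whether attaching `filterin`/`filterout` to both the physical interface and the subinterface is the real cause of the symptom is something only the full running config can settle.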
