- pacnog@pacnog.org
Sarven wrote:
Hi Jon,
Can you also provide the cisco cmd(s) that you used to apply this access-list. Secondly, is the IP www.xxx.yyy.2 the same as the IP of the interface where the access-list has been applied?
I think it does matter whether the access-list is applied on the incoming or outgoing traffic.
Sarven,
The cmd(s) are;
router#conf t
router(config)#
I then just paste in;
access-list 102 permit ip any host www.xxx.yyy.1
access-list 102 permit ip any host www.xxx.yyy.2
!router
access-list 102 deny tcp any host www.xxx.yyy.66 eq 25
access-list 102 permit ip any host www.xxx.yyy.66
access-list 102 permit ip any host www.xxx.yyy.70
access-list 102 permit ip any host www.xxx.yyy.71
access-list 102 permit ip any www.xxx.zzz.0 0.0.0.63
access-list 102 deny tcp any any eq 135
access-list 102 deny tcp any any eq 139
access-list 102 deny tcp any any eq 161
access-list 102 deny tcp any any eq 162
access-list 102 deny tcp any any eq 445
access-list 102 deny tcp any any eq telnet
access-list 102 deny tcp any any eq 1025
access-list 102 deny tcp any any eq 1434
access-list 102 deny tcp any any eq 1433
access-list 102 deny tcp any any eq 2745
access-list 102 deny udp any any eq 1433
access-list 102 deny udp any any eq 1434
access-list 102 deny ip any any log
router(config)#int s0
router(config-if)#ip access-group 102 in
router(config-if)#end
router#wr mem
The ACL is on the serial interface inbound and www.xxx.yyy.2 is the eth0 address of the router.
As Scott has pointed out, this is probably ass backwards and I'll modify it over the weekend to deny IPs/TCP UDP ports for what I don't need and then permit ip any any at the end so traffic minus the ports/IPs I have denied is allowed in.
Rgds.,
Jon
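The ordering point raised in this thread (first match wins, so a host permit placed before the port denies lets those ports through to that host) can be checked with a small first-match evaluator. This is an added example, not code from the PACNOG post or from Jon; it uses constructed addresses (10.0.0.x standing in for www.xxx.yyy.x, 10.0.1.0/26 for www.xxx.zzz.0) and an abridged copy of the posted ACL, plus a deny_first() helper that models the rewrite Jon says he plans.

```python
import ipaddress
# Constructed stand-ins for the post's masked addresses; abridged copy of access-list 102
ACL_TEXT = """access-list 102 permit ip any host 10.0.0.1
access-list 102 permit ip any host 10.0.0.2
access-list 102 deny tcp any host 10.0.0.66 eq 25
access-list 102 permit ip any host 10.0.0.66
access-list 102 permit ip any 10.0.1.0 0.0.0.63
access-list 102 deny tcp any any eq 445
access-list 102 deny tcp any any eq telnet
access-list 102 deny udp any any eq 1434
access-list 102 deny ip any any log"""
PORT_NAMES = {"telnet": 23}
def wildcard_match(addr, network, wildcard):
    # IOS wildcard mask: a 0 bit must match, a 1 bit is "don't care"
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def parse_addr(tok):
    # Consume 'any' | 'host A' | 'NET WILDCARD'; return (network, wildcard, remaining tokens)
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_ace(line):
    t = line.split()                      # access-list 102 ACTION PROTO SRC DST [eq PORT] [log]
    action, proto = t[2], t[3]
    _, _, rest = parse_addr(t[4:])        # source spec (always 'any' in the post)
    net, wc, rest = parse_addr(rest)      # destination spec
    port = None
    if rest and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, net, wc, port

def evaluate(acl, proto, dst, dport=None):
    # First matching entry wins; nothing matched means the implicit deny at the end
    for i, (action, aproto, net, wc, port) in enumerate(acl):
        if aproto not in ("ip", proto) or not wildcard_match(dst, net, wc):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None

def deny_first(acl):
    # Jon's planned rewrite (assumed shape): port/host denies first, permits next, permit ip any any last
    denies = [a for a in acl if a[0] == "deny" and a[4] is not None]
    permits = [a for a in acl if a[0] == "permit"]
    return denies + permits + [("permit", "ip", "0.0.0.0", "255.255.255.255", None)]
ACL = [parse_ace(l) for l in ACL_TEXT.splitlines()]
```

With the posted order, tcp/445 to 10.0.0.1 hits the host permit at entry 0 before any port deny is consulted; with deny_first() the same packet is dropped, and unlisted hosts fall through to the trailing permit instead of the final deny.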