topic Re: Port Based Access List in Network Security

Port Based Access List

imranraheel — Mon, 11 Mar 2019 12:27:36 GMT

I want to apply an access list on a port to allow a single ip to access internal computers on specific ports

Internal Host IP 192.168.1.5.2

External Host attached to specific Router port :173.0.0.1

Permissioned Ports 10111

Let me know how to achieve this

Re: Port Based Access List

chickman — Fri, 04 Apr 2008 20:00:49 GMT

access-list inbound extended permit tcp host 173.0.0.1 host 192.168.1.52 eq 10111

access-list inbound extended permit udp host 173.0.0.1 host 192.168.1.52 eq 10111

This is to apply the access control on the specific interface:

access-group inbound in interface outside

"Inbound" is the ACL you're working on for inbound traffic. Interface "outside" is the actual interface name assigned for the outside.

Re: Port Based Access List

imranraheel — Sat, 05 Apr 2008 22:19:50 GMT

Thanks Chickman

But what if i want to allow a list of ports do i have to make seperate access lists and what the command to allow that access list on port 37

Re: Port Based Access List

chickman — Sun, 06 Apr 2008 00:04:56 GMT

Very easy solution, create an "object-group service". It will look something like this:

object-group service Sample "Whatever you want to name it really"

Description "Whatever you want"

object-port eq 37

object-port eq 10111

object-port eq "What other port you want"

The access list will look something like this

access-list outbound remark "Whatever this is for"

access-list inbound extended permit tcp host 173.0.0.1 host 192.168.1.52 object-group service Sample

access-list inbound extended permit udp host 173.0.0.1 host 192.168.1.52 object-group service Sample

Also, I would suggest adding a remark statement. This would allow you to add a description to the ACL as well. You can place the remarks pretty much anywhere in your access-list.

I hope this is more along the lines of what you were looking for.

Re: Port Based Access List

imranraheel — Sun, 06 Apr 2008 11:24:13 GMT

ok Thanks well so the config will be like this

object group service XYZ

Description XYZ Ports

object-port eq 10111

object-port eq 10112

object-port eq 10113

object-port eq 10311

object-port eq 10313

access-list inbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 object-group service XYZ

access-list inbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.14 object-group service XYZ

access-list outbound extended deny any any object-group service XYZ

access-list outbound extended permit any any

object group service WEB

Description WEB

object-port eq 443

access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.21 object-group service WEB

access-list outbound extended permit udp host 173.0.0.1 host xxx.xxx.xxx.21 object-group service WEB

access-list outbound extended deny any any object-group service WEB

access-list outbound extended permit any any

object group service Test

Description TEST Server Ports

object-port eq 12700

access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.22 object-group service TEST

access-list outbound extended permit UDP host 173.0.0.1 host xxx.xxx.xxx.22 object-group service TEST

access-list outbound extended deny any any object-group service TEST

access-list outbound extended permit any any

Now let me know 2 things are these configs going to work on Cisco 3550 and how can i apply all these on a single physical port

Thanks for your help

Re: Port Based Access List

chickman — Mon, 07 Apr 2008 03:09:33 GMT

Ok, I would suggest object group nesting for something like this. If you essentially need to separate these ports that is. Should look something like this:

object group service OUTSIDENAME

Description OUTSIDE_ACCESS_IN

group-object XYZ

group-object WEB

group-object Test

This way you'll only require 4 lines in your ACL as opposed to 12.

access-list outbound extended permit tcp host 173.0.0.1 host xxx.xxx.xxx.22 object-group service OUTSIDENAME

access-list outbound extended permit UDP host 173.0.0.1 host xxx.xxx.xxx.22 object-group service OUTSIDENAME

access-list outbound extended deny any any object-group service OUTSIDENAME

access-list outbound extended permit any any

The documentation for this can be found here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

I've not configured a 3550 for this myself, but know it does do layer3 routing. As such, it is capable of doing ACL's and other features. It will be pretty limited though.

You'll first need to create your ACL in the same fashion you would on a firewall.

Example:

Switch(config)# ip access-list extended outbound

Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet

Switch(config-ext-nacl)# deny tcp any any

Switch(config-ext-nacl)# permit icmp any any

Switch(config-ext-nacl)# deny udp any 171.69.0.0 0.0.255.255 lt 1024

Switch(config-ext-nacl)# deny ip any any log ** Logging this is totally up to you.

Switch(config-ext-nacl)# exit

Now you'll need to apply it to the interface you are wanting to restrict access from. Remember this interface will require an IP address.

Sample:

Switch(config)# interface gigabitethernet0/3

Switch(config-if)# ip access-group outbound in

You can find more on this at the following: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/swacl.html#

I hope this helped a little.

Re: Port Based Access List

chickman — Mon, 07 Apr 2008 03:26:47 GMT

Just a quick question, is this traffic inbound or outbound to the outside interface.

The reason I ask is because I'm reviewing your comments and I see you've put "outbound" on the ACL's. Just make sure you remember what interface and what direction you're placing the ACL for effectiveness.

Re: Port Based Access List

imranraheel — Mon, 07 Apr 2008 17:26:19 GMT

Let me know about the following configs

access-list 100 permit tcp host 173.0.0.1(client IP) host xxx.xxx.xxx.14 range 10111 101113

access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 10311

access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 10313

access-list 100 permit tcp host 173.0.0.1 host xxx.xxx.xxx.14 eq 443

access-list 100 permit tcp host 173.0.0.1

host xxx.xxx.xxx.14 eq 12700

access-list 100 deny ip any any

interface F0/37

ip access-group 100 in

Re: Port Based Access List

chickman — Mon, 07 Apr 2008 18:58:05 GMT

The config for the switch looks good. I would drop off the "deny ip any any" as I believe its implicit.

All in all it looks good!