10-14-2004 03:51 AM - edited 03-02-2019 07:15 PM
I have connected my company to the internet via a Cisco router using NAT and an access list. I only want mail traffic and internet browsing traffic to pass through, denying all the other traffic. How should I implement it, since I am not familiar with traffic types and port numbers very well?
10-14-2004 05:33 AM
See my response to your post in another section of the NetProf forums:
10-14-2004 08:04 AM
I agree with konigl's response, it is really thorough and gives you great information to get you started!
I would like to add, though, that if you are running a newer IOS version, 12.2 or 12.3 (I think it was released in 12.2), you can actually "actively" change your access-lists without having to completely delete and recreate them (or TFTP them). Use ip access-list extended [name or number]. This will allow you to add comments to the middle of your ACL. So...
Do a "sho ip access-lists" (or, if you're already at the config t prompt, "do sho ip access-lists"). This should give you output such as:
Extended IP access list all-traffic-log
10 permit tcp any any gt 0 log
20 permit udp any any gt 0 log
30 permit ip any any log
So, if I wanted to deny TCP port 80 to all hosts because I really hate them, I can do the following:
router(config)#ip access-list extended all-traffic-log
9 deny tcp any any eq 80
This will insert deny tcp any any eq 80 above permit tcp any any gt 0 log. A show ip access-lists now reads:
Extended IP access list all-traffic-log
9 deny tcp any any eq 80
10 permit tcp any any gt 0 log
20 permit udp any any gt 0 log
30 permit ip any any log
If you ended up using 1 - 9 and you still wanted to add another rule, you can resequence this by doing the following:
router(config)#ip access-list resequence [name or number] 10 10
This sets the ACL to now start at the number 10 and increment each statement by 10.
I really like this feature, but I do recommend that you remove the ACL from the interface first unless you're truly sure that you can apply this without disconnecting yourself.
Also, put your most accessed statements at the top. The longer your ACLs get, the longer it takes a packet to get through them. This isn't a big concern when your ACLs are small or if you have more power in your router than you reasonably use, but if your router is in need of an upgrade or you have a large number of packets passing through the router, then you should do this for efficiency's sake.
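The post above describes three behaviours of sequenced named ACLs: an entry added at sequence 9 lands ahead of sequence 10, "ip access-list resequence name 10 10" renumbers the list, and packets are matched top-down against the first entry that fits (with the implicit deny at the end). The following Python model is an added illustration written for this thread, not IOS code and not anything Brian or konigl posted; the class and function names (ExtendedAcl, build_example, insert_deny_http) are my own, and the matching logic only covers protocol and destination-port operators, not source/destination addresses.

```python
"""Toy model of Cisco IOS sequenced-ACL editing and first-match evaluation.

Added illustration only: the IOS CLI does this internally, this just makes the
ordering, insertion and resequencing behaviour visible and testable.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip" (ip matches any protocol)
    dport: str    # destination-port clause such as "eq 80" or "gt 0", or "any"

    def matches(self, proto: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport == "any":
            return True
        op, value = self.dport.split()
        value = int(value)
        return {"eq": dport == value, "gt": dport > value, "lt": dport < value}[op]


@dataclass
class ExtendedAcl:
    name: str
    entries: dict = field(default_factory=dict)   # sequence number -> Entry

    def add(self, seq: int, action: str, proto: str, dport: str = "any") -> None:
        # IOS rejects a duplicate sequence number; resequence first to make room.
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use; resequence first")
        self.entries[seq] = Entry(seq, action, proto, dport)

    def ordered(self) -> list:
        return [self.entries[s] for s in sorted(self.entries)]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        # Equivalent of: ip access-list resequence <name> <start> <step>
        renumbered = {}
        for i, e in enumerate(self.ordered()):
            e.seq = start + i * step
            renumbered[e.seq] = e
        self.entries = renumbered

    def evaluate(self, proto: str, dport: int) -> tuple:
        """First-match lookup. Returns (action, matched seq, entries examined)."""
        for examined, e in enumerate(self.ordered(), start=1):
            if e.matches(proto, dport):
                return e.action, e.seq, examined
        return "deny", None, len(self.entries)   # implicit deny ip any any

    def show(self) -> str:
        lines = [f"Extended IP access list {self.name}"]
        for e in self.ordered():
            port = "" if e.dport == "any" else f" {e.dport}"
            lines.append(f"    {e.seq} {e.action} {e.proto} any any{port}")
        return "\n".join(lines)


def build_example() -> ExtendedAcl:
    # Constructed to mirror the all-traffic-log ACL shown in the thread.
    acl = ExtendedAcl("all-traffic-log")
    acl.add(10, "permit", "tcp", "gt 0")
    acl.add(20, "permit", "udp", "gt 0")
    acl.add(30, "permit", "ip")
    return acl


def insert_deny_http(acl: ExtendedAcl) -> list:
    """Insert '9 deny tcp any any eq 80' and return the resulting sequence order."""
    acl.add(9, "deny", "tcp", "eq 80")
    return [e.seq for e in acl.ordered()]


if __name__ == "__main__":
    acl = build_example()
    print(acl.evaluate("tcp", 80))      # permitted by seq 10 before the insert
    insert_deny_http(acl)
    print(acl.show())
    print(acl.evaluate("tcp", 80))      # now denied by seq 9 on the first entry
    acl.resequence(10, 10)
    print(acl.show())                   # 9/10/20/30 becomes 10/20/30/40
    print(acl.evaluate("icmp", 0))      # falls through to the ip entry, 4 examined
```

The "entries examined" value returned by evaluate() is the point behind putting the most-hit statements first: a packet that only matches the last entry costs a comparison per line above it.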
10-16-2004 12:32 AM
Great add to my post, Brian!
I've been doing it the "old-fashioned" way for years, out of habit. I'd forgotten that they fairly recently introduced the ability to edit them in place by line number.
I've got a couple of really long ACLs where this will come in handy.
Sometimes you CAN teach an old dog new tricks. ;)
Thanks again.