Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
203
Views
5
Helpful
1
Replies

Separating Networks

xweider
Level 1
Level 1

‎10-22-2003 08:25 AM - edited ‎03-02-2019 11:11 AM

I have a network that has the primary windows & netware network behind a PIX with a remote network behind a 2600. I want to add another windows network behind a different interface on the 2600 and don't want to allow the domains to mix traffic. I only want to allow ports 25 & 80 to go from the new network into the existing network behind the PIX and also only want to allow porst 25 & 80 to originate from the existing network and get to the new network.

What is the best way to do this?

Thanks

Labels:
0 Helpful
1 Reply 1

konigl
Level 7
Level 7

‎10-22-2003 10:09 AM

Extended access control lists in the 2600, applied to inbound traffic to the router on the interfaces in question, will do what you want to do.

Basic sequence of the access list commands you would use follows.

1. Permit traffic (http) from source IPs on one LAN to destination IPs on the other, or to the Internet. Examples:

access-list 100 permit tcp eq 80

access-list 100 permit tcp eq 80 established

or

access-list 100 permit tcp any eq 80

access-list 100 permit tcp eq 80 any established

2. Permit traffic (smtp) from source IPs on one LAN to destination IPs on the other, or to the Internet. Examples:

access-list 100 permit tcp eq 25

access-list 100 permit tcp eq 25 established

or

access-list 100 permit tcp any eq 25

access-list 100 permit tcp eq 25 any established

3. Deny all other traffic and log it. Example:

access-list 100 deny ip any any log

You will probably find that there are other supporting protocols that also need to be permitted before you apply the blanket "deny" statement, for example, DNS for URL name-to-IP-address resolution. (Otherwise, you have to know where you want to get to on the internet by IP address.) So, put something like this in front of the last "deny" command:

access-list 100 permit udp any eq 53

The logs will show you what you're blocking. You can then investigate and determine whether you need more "permits".

To apply the access-lists to specific interfaces, go into interface configuration mode and run an ip access-group" command. Example:

interface Ethernet0/0

ip address

ip access-group 100 in

Don't forget to save your configuration, too, when you're done.

Remember, on Cisco access-lists if you don't put a blanket "deny" at the end of the list, there is an implicit one put in for you. And access-list permits and denys are processed in the order in which they are listed. Once an access-list command applies to the traffic in question, the appropriate action is taken and no further processing of the access-list for that particular traffic is done. So if you're trying to block something specific, make sure you do that _before_ you permit everyone else to access it; otherwise, it'll get permitted first, and will never get denied.

That's access control lists in a nutshell. For more detailed info, browse around and search Cisco's web site, there's plenty there to keep you busy reading and learning for a long time.

Hope this helps.

Customers Also Viewed These Support Documents