04-29-2003 08:09 AM - edited 02-20-2020 09:21 PM
I want to grant an outside network access to a particular port on an IP address on my network. I entered the line below on my ACL yesterday then went home to see if my IP address was allowed. It was. I was expecting to be denied. I'm back to square one. The 1st IP address is the remote network. The 2nd one is my network's IP address. Any ideas? (The IP addresses below are not actual.)
access-list 125 permit tcp 111.111.111.111 0.0.0.0 112.112.112.112 0.0.0.0 eq 3005
Thanks!!
04-30-2003 12:29 AM
Hi Wayne,
Pls correct me if I've read your post incorrectly: you say you want to grant access to the inside interface from a remote network, but then you imply that you wanted to see this as denied?
1. Your ACL looks okay - but which interface have you configured it on, inside/outside?
2. If you want to give the remote IP access only to the inside IP/port and you have NAT/PAT applied, then you'll require a static translation on your pix (I presume you are using a pix, or are you doing this on a router?)
> on pix > static (inside,outside) tcp 111.111.111.111 3005 112.112.112.112 3005 netmask 255.255.255.255 0 0
3. Now create ACL for the outside interface i.e.
> access-list_outside permit tcp host 111.111.111.111 host (your outside interface IP) eq 3005
4. Make sure you also clear xlate and write to memory.
Hope this helps -
04-30-2003 04:46 AM
Thank you for your reply. I did actually fail to mention that this change is being made on a Cisco 1600R router and not a PIX. I tried to access the resource on that TCP/IP address and port last night and I was able to access it. The desired result is to be denied access unless I have the specific IP address in the entry. This is on the Serial sub-interface.
04-30-2003 05:16 AM
Hi Wayne,
Okay, you're using a c1600, so with this in mind here is a fine document that will (hopefully) sort out your problem; let me know how you get on.
http://www.cisco.com/warp/public/707/confaccesslists.html#
Hope this helps -
04-30-2003 06:17 AM
Jay,
Thanks for the link in your last post. I reviewed the information and it shed some light on my issue. Before I make any further changes I would like to see if you can answer a question that I have about my ACL. I have replaced the actual IP addresses with fictional ones. I always test the integrity of an ACL by relating the incoming traffic to a marble dropping through each line. Now when the marble drops into this ACL at lines 3 - 6 it is basically granted access to everything, right? The following lines really have no bearing once that access is attained. Is that correct? If I remove lines 3-6 or relocate them to the bottom of my ACL, do you think that I will get the desired result, or will all incoming traffic be denied?
Thanks,
Wayne
permit icmp any any log
permit tcp any 1.2.3.4 0.0.0.15 eq www log
permit udp any eq domain any
permit udp any any eq domain
permit tcp any eq domain any
permit tcp any any eq domain
permit tcp any host 1.2.3.4 eq telnet
permit tcp any host 1.2.3.4 eq smtp
permit tcp host 5.6.7.8 host 1.2.3.4 eq 3005
permit tcp any any established
deny ip any any log
deny tcp any any log
deny udp any any log
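An added example, not from the thread or from Cisco: a small Python evaluator for extended IOS ACLs of the kind posted above. It walks the list top-down and stops at the first match, which is the "marble" model Wayne describes, and handles the pieces that appear in both posts: wildcard masks (`0.0.0.0` in the first post's entry, `0.0.0.15` on the www line), `host`/`any`, `eq` on source or destination port, `established`, and the implicit deny at the end. The sample ACL is the one posted above with the `access-list 125` number from the first post prepended; the test packets (hosts 9.9.9.9 and 5.6.7.8, source port 40000) are constructed. It shows which line each packet stops at, which is what decides whether moving or removing lines 3-6 changes the outcome.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: Wayne's posted ACL, prefixed with the number from his first post.
SAMPLE_ACL = """
access-list 125 permit icmp any any log
access-list 125 permit tcp any 1.2.3.4 0.0.0.15 eq www log
access-list 125 permit udp any eq domain any
access-list 125 permit udp any any eq domain
access-list 125 permit tcp any eq domain any
access-list 125 permit tcp any any eq domain
access-list 125 permit tcp any host 1.2.3.4 eq telnet
access-list 125 permit tcp any host 1.2.3.4 eq smtp
access-list 125 permit tcp host 5.6.7.8 host 1.2.3.4 eq 3005
access-list 125 permit tcp any any established
access-list 125 deny ip any any log
access-list 125 deny tcp any any log
access-list 125 deny udp any any log
"""

# Port keywords used in the thread (the IOS names map to these well-known ports).
WELL_KNOWN = {"www": 80, "domain": 53, "telnet": 23, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # set on every TCP segment after the initial SYN


@dataclass(frozen=True)
class AddrSpec:
    addr: int
    wildcard: int       # Cisco wildcard mask: a 1 bit means "don't care"

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.addr & care)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]
    established: bool
    text: str


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (spec, rest)."""
    if tokens[0] == "any":
        return AddrSpec(0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    # "A 0.0.0.0" has no don't-care bits, so it is equivalent to "host A".
    return (AddrSpec(int(ipaddress.IPv4Address(tokens[0])),
                     int(ipaddress.IPv4Address(tokens[1]))), tokens[2:])


def _parse_port(tokens):
    """Consume an optional 'eq PORT' (keyword or number); return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (WELL_KNOWN[name] if name in WELL_KNOWN else int(name)), tokens[2:]
    return None, tokens


def parse_acl(text: str):
    """Parse numbered or bare extended ACEs into Ace objects, in list order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]                 # drop "access-list <number>"
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport,
                        "established" in rest, line.strip()))
    return aces


def evaluate(aces, pkt: Packet):
    """First matching line decides; return (action, text of the line that matched)."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not ace.src.matches(pkt.src) or not ace.dst.matches(pkt.dst):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.ack:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"   # every IOS ACL ends this way


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pkt in (Packet("tcp", "5.6.7.8", "1.2.3.4", 40000, 3005),   # the allowed remote host
                Packet("tcp", "9.9.9.9", "1.2.3.4", 40000, 3005),   # any other host, new SYN
                Packet("tcp", "9.9.9.9", "1.2.3.4", 40000, 3005, ack=True),
                Packet("tcp", "9.9.9.9", "1.2.3.4", 53, 3005)):     # source port 53
        print(pkt.src, pkt.sport, "->", pkt.dport, evaluate(acl, pkt))
```

Walking the sample shows why the 3005 entry itself is fine and why its position matters less than the lines above it: a new connection to port 3005 from anyone other than 5.6.7.8 falls all the way through to `deny ip any any log`, but a TCP segment whose source port is 53 stops at `permit tcp any eq domain any` before the 3005 line is ever consulted, because that line matches on source port alone and says nothing about the destination. Lines 3-6 therefore do not grant "everything", but the two source-port lines are broader than they look, which is what an auditor would flag about them.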