ACL TCP/UDP port access

whutchinson
Level 1

I want to grant an outside network access to a particular port on an IP address on my network. I entered the line below on my ACL yesterday then went home to see if my IP address was allowed. It was. I was expecting to be denied. I'm back to square one. The 1st IP address is the remote network. The 2nd one is my network's IP address. Any ideas? (The IP addresses below are not actual.)

access-list 125 permit tcp 111.111.111.111 0.0.0.0 112.112.112.112 0.0.0.0 eq 3005

Thanks!!

4 Replies

jmia
Level 7

Hi Wayne,

Please correct me if I've read your post incorrectly: you say you want to grant access to the inside interface from a remote network, but then you imply that you wanted to see this as denied?

1. Your ACL looks okay - but which interface have you configured it on, inside/outside?

2. If you want to give the remote IP access only to the inside IP/port and you have NAT/PAT applied, then you'll require a static translation on your PIX (I presume you are using a PIX, or are you doing this on a router?)

> on pix > static (inside,outside) tcp 111.111.111.111 3005 112.112.112.112 3005 netmask 255.255.255.255 0 0

3. Now create ACL for the outside interface i.e.

> access-list_outside permit tcp host 111.111.111.111 host (your outside interface IP) eq 3005

4. Make sure you also clear xlate and write to memory.

Hope this helps -

whutchinson
Level 1

Thank You for your reply. I did actually fail to mention that this change is being made on a Cisco 1600R router and not a PIX. I tried to access the resource on that TCP/IP address and port last night and I was able to access it. The desired result is to be denied access unless I have the specific IP address in the entry. This is on the Serial sub interface.

Hi Wayne,

Okay, you're using a c1600, so with this in mind here is a fine document that will (hopefully) sort out your problem; let me know how you get on.

http://www.cisco.com/warp/public/707/confaccesslists.html#

Hope this helps -

Jay,

Thanks for the link in your last post. I reviewed the information and it shed some light on my issue. Before I make any further changes I would like to see if you can answer a question that I have about my ACL. I have replaced the actual IP addresses with fictional ones. I always test the integrity of an ACL by relating the incoming traffic to a marble dropping through each line. Now when the marble drops into this ACL at lines 3 - 6 it is basically granted access to everything, right? The following lines really have no bearing once that access is attained. Is that correct? If I remove lines 3-6 or relocate them to the bottom of my ACL, do you think that I will get the desired result, or will all incoming traffic be denied?

Thanks,

Wayne

permit icmp any any log
permit tcp any 1.2.3.4 0.0.0.15 eq www log
permit udp any eq domain any
permit udp any any eq domain
permit tcp any eq domain any
permit tcp any any eq domain
permit tcp any host 1.2.3.4 eq telnet
permit tcp any host 1.2.3.4 eq smtp
permit tcp host 5.6.7.8 host 1.2.3.4 eq 3005
permit tcp any any established
deny ip any any log
deny tcp any any log
deny udp any any log