Applying Extended Access-list help

tmcmillion
Level 1

I am trying to secure my network from the outside world using FW IOS on a 2621.

I have created the ACLs I think I need but am not sure which interface they need to be applied on and in what direction (in/out). I have supplied a copy of my config without the ACLs applied to the interfaces.

version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname OOPINTRT100
!
no logging console
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.2
ip name-server 172.31.3.9
!
ip inspect dns-timeout 30
ip inspect name to_internet ftp timeout 900
ip inspect name to_internet http timeout 300
ip inspect name to_internet smtp
ip inspect name to_internet tftp
ip inspect name to_internet udp timeout 30
ip inspect name to_internet tcp timeout 43200
ip inspect name to_internet cuseeme
ip inspect name to_internet h323
ip inspect name to_internet rcmd
ip inspect name to_internet realaudio
ip inspect name to_internet rtsp
ip inspect name to_internet sqlnet
ip inspect name to_internet streamworks
ip inspect name to_internet vdolive
ip inspect name to_internet fragment maximum 256 timeout 10
ip inspect name to_internet netshow
ip audit notify log
ip audit po max-events 100
!
!
interface FastEthernet0/0
description To NYCT Gateway Server
ip address 66.66.66.65 255.255.255.192
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
bandwidth 1536
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description Circuit wcomoh36544
bandwidth 1536
ip address 66.66.66.1 255.255.255.192
ip nat outside
no ip mroute-cache
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
description TO OFFICE INTERNET
ip address 172.31.0.100 255.255.0.0
ip nat inside
ip inspect to_internet out
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
ip nat pool OHIO 66.66.66.2 66.66.66.2 netmask 255.255.255.192
ip nat inside source list internet_out pool OHIO overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 10.0.0.0 255.0.0.0 63.114.65.66
ip route 172.17.0.0 255.255.0.0 172.31.0.1
ip route 172.21.0.0 255.255.0.0 172.31.0.1
ip route 172.29.0.0 255.255.0.0 172.31.0.1
no ip http server
!
!
ip access-list extended NYCTA_out
permit tcp any any
permit udp any any
permit icmp any any
permit ip 10.0.0.0 0.0.0.255 any
!
!
ip access-list extended internet_in
deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit tcp any any eq 5900
permit tcp any any eq 50
permit tcp any any eq 51
permit udp any any eq isakmp
permit icmp any any echo-reply
permit icmp any any administratively-prohibited
permit icmp any any traceroute
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any redirect
permit tcp any any eq 22
permit ip 10.0.0.0 0.0.0.255 any
deny ip any any
ip access-list extended internet_out
permit tcp any any
permit udp any any
permit icmp any any
permit ip 172.16.0.0 0.15.255.255 any

1 Reply

raymong
Level 4

Based on your config, you will apply "internet_in" inbound on the Serial0/0.1 interface. I cannot tell which interface you would apply the "NYCTA_out" list on because, although you have a route for the 10.x.x.x subnet, it points to a next-hop address of 63.114.65.66. You do not have an interface configured on this router that is connected to the 63 network, so the router will route traffic out the frame connection to your ISP to get to the 10.x.x.x subnet. Since the 10.x.x.x subnet is a private, unroutable subnet, this will not work. If you mistyped the next-hop address and the 10 subnet is really connected to the FastEthernet0/0 interface, you would apply the "NYCTA_out" list inbound on the FastEthernet0/0 interface.
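An added example, written for this thread and not code from either poster, that models the first-match, wildcard-mask evaluation an IOS extended ACL gets once it is applied inbound on an interface, so a list like internet_in can be checked on a workstation before it touches the router. Run against an abridged copy of the poster's internet_in, it also reports that the "permit ip 10.0.0.0 0.0.0.255 any" entry can never match, because the earlier "deny ip 10.0.0.0 0.255.255.255 any" already covers every packet it would permit. The test addresses are constructed.

```python
import ipaddress

M32 = 0xFFFFFFFF
PORTS = {"isakmp": 500}  # IOS port keyword used on this page -> port number

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):  # consume 'any' or 'ADDR WILDCARD'; return ((net, wildcard), remaining tokens)
    return ((0, M32), tok[1:]) if tok[0] == "any" else ((_ip(tok[0]), _ip(tok[1])), tok[2:])

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' lines into entry tuples."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, rest = _addr(tok[2:])
        dst, rest = _addr(rest)
        qual = None
        if rest[:1] == ["eq"]:
            qual = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
        elif rest:
            qual = rest[0]  # ICMP type keyword such as echo-reply
        acl.append((tok[0], tok[1], src, dst, qual, line))
    return acl

def _in(addr, spec):  # wildcard-mask match: a 1 bit in the wildcard means "do not care"
    return (addr ^ spec[0]) & (~spec[1] & M32) == 0

def _covers(outer, inner):  # every address inner matches is also matched by outer
    care = ~outer[1] & M32
    return (care & ~inner[1] & M32) == care and (outer[0] ^ inner[0]) & care == 0

def evaluate(acl, proto, src, dst, qual=None):
    """IOS first-match evaluation; running off the end of the list is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for i, (action, p, sspec, dspec, q, _) in enumerate(acl):
        if p in ("ip", proto) and _in(s, sspec) and _in(d, dspec) and q in (None, qual):
            return action, i
    return "deny", None

def shadowed(acl):
    """Indexes of entries no packet can reach because an earlier entry fully covers them."""
    return [j for j, (_, pj, sj, dj, qj, _) in enumerate(acl)
            if any(pi in ("ip", pj) and _covers(si, sj) and _covers(di, dj) and qi in (None, qj)
                   for _, pi, si, di, qi, _ in acl[:j])]

# Abridged copy of the poster's internet_in list; the ordering is what this example is about
INTERNET_IN = """deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit tcp any any eq 5900
permit udp any any eq isakmp
permit icmp any any echo-reply
permit tcp any any eq 22
permit ip 10.0.0.0 0.0.0.255 any
deny ip any any"""
```

Calling shadowed(parse_acl(INTERNET_IN)) returns [6], the index of the 10.0.0.0/24 permit, and evaluate(...) returns the action together with the index of the entry that decided it, or ("deny", None) when only the implicit deny applies.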