05-05-2009 09:05 PM - edited 02-20-2020 09:41 PM
I have a question. I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in an exercise I am doing.
I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud"). PC1 is connected to R1, which is obviously connected to R2.
ip access-list extended ACL_TCP
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
permit tcp any any established
Is there a better way to do this? Does this extended ACL work for my purpose?
05-06-2009 11:46 AM
What direction did you apply this? I'm assuming in the inbound direction?
Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.
Try the following:
ip access-list ext ACL_TCP
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet
permit ip any any
Apply to your loopback:
ip access-group ACL_TCP in
Next question:
Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?
HTH,
John
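As an added illustration that is not part of the thread, the following Python models how an IOS extended ACL is evaluated (wildcard-mask matching, `eq` port, `established`, first match wins, implicit deny at the end) and runs three variants against two constructed packets: the poster's ACL with `established` on both lines, the three deny lines on their own, and the same denies followed by `permit ip any any`. The addresses are the thread's own ranges; the packets and host addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")     # IOS "any" as (address, wildcard mask)
ISP = ("209.165.200.160", "0.0.0.31")    # the thread's internet-side range
PC1_NET = ("10.0.0.0", "0.0.0.127")      # the thread's PC1 subnet

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False   # ACK (or RST) set is what IOS 'established' matches on

@dataclass
class Ace:
    action: str         # "permit" or "deny"
    src: tuple          # (address, wildcard mask)
    dst: tuple
    eq: int = 0         # destination port, 0 = any port
    established: bool = False

def wc_match(addr: str, rule: tuple) -> bool:
    """Cisco wildcard mask: 1 bits are 'don't care', so compare only the 0 bits."""
    a, base, wc = (int(ipaddress.IPv4Address(x)) for x in (addr, *rule))
    care = 0xFFFFFFFF ^ wc
    return (a & care) == (base & care)

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny any'."""
    for ace in acl:
        if (wc_match(pkt.src, ace.src) and wc_match(pkt.dst, ace.dst)
                and (ace.eq == 0 or pkt.dport == ace.eq)
                and (not ace.established or pkt.ack)):
            return ace.action
    return "deny"

# Poster's ACL (both ACEs 'established'), the three denies alone, and denies + permit.
ACL_ORIGINAL = [Ace("deny", ISP, PC1_NET, established=True),
                Ace("permit", ANY, ANY, established=True)]
ACL_DENY_ONLY = [Ace("deny", ISP, PC1_NET, eq=p) for p in (80, 21, 23)]  # http/ftp/telnet
ACL_FIXED = ACL_DENY_ONLY + [Ace("permit", ANY, ANY)]

# Constructed packets: a new HTTP and a new HTTPS connection to PC1 (SYN, so no ACK).
HTTP_SYN = Packet("209.165.200.161", "10.0.0.10", 80)
HTTPS_SYN = Packet("209.165.200.161", "10.0.0.10", 443)

def compare() -> dict:
    return {name: (evaluate(acl, HTTP_SYN), evaluate(acl, HTTPS_SYN)) for name, acl in
            (("original", ACL_ORIGINAL), ("deny_only", ACL_DENY_ONLY), ("fixed", ACL_FIXED))}
```

The result shows why the `established` version blocks every new inbound connection, why three deny lines with nothing after them block everything else as well, and that only the version with a trailing permit denies exactly the three services.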
05-06-2009 12:03 PM
Thank you for the help! I figured it would be easier just to do the three statements than what I was trying to do.
It's applied to the inbound interface, correct. I figured that was the correct way to stop those three from getting to PC1.
In this exercise, there is an internet cloud not connected to any physical interface but just the loopback. The two physical interfaces are connected to R1 and R3.
Another question I have is still pertaining to ACLs. It says "Allow telnet to R1 and R3 from R2 only." I am kinda confused on this one.
05-06-2009 12:10 PM
Say R2's address is 192.168.1.2, and you want to only allow that address. You would create the acl on R1 and R3, and they would look like:
R1: 192.168.1.1
R3: 192.168.1.3
access-list 23 permit host 192.168.1.2
you can apply this to your line on R1 and R3:
line vty 0 4
access-class 23 in
HTH,
John
05-06-2009 12:53 PM
Ok, that makes sense. I was confused because of how it was worded. The telnet one would be a standard ACL?
The previous question I had about the extended ACL: apparently that loopback will be on an f0/0. So I would apply that extended ACL on that interface in the inbound direction, correct?
05-06-2009 01:22 PM
If fa0/0 is your internet-facing side, then yes it would. Your fa0/1 would be lan-facing. Wherever you put the public ip address that the provider gives you is where you'd put the acl, and it would go in the inbound direction.
access-class can use either standard or extended acls.
ip access-list ext TELNET
permit ip host 192.168.1.2 any eq 23
line vty 0 4
access-class TELNET in
That should work =)
HTH,
John
05-06-2009 01:36 PM
Thank you very much for your input! If I have any more issues with ACLs I will post more in this thread.
You helped me clear up a lot of stuff.
05-06-2009 01:41 PM
Always glad to hear it helped :)
I realized I made a typo:
I put ip on the acl, but it should be tcp if you're going to use the port on the end of the acl. Otherwise, it would just be:
permit ip host 192.168.1.2 any
:)
Thanks for the ratings!!
John