4036
Views
0
Helpful
44
Replies

Cisco Router 1800/Cisco Switch 2960 Access List Help !!!!!!!!!!!!

j_j624001
Level 1

Hello;
I need some help on securing certain ports in/out of my network.


So I tried and tried and tried different configurations and different scenarios as far as my access-list goes, to allow only certain ports in and out.


What I would like to do on my outside interface is have only ports 7, 53, 80, 443, and 8080 allowed; whereas on my inside internal interface I would like to have ports 7, 21, 22, 23, 25, 53, 67, 80, 110, 123, 143, 443, 1500, 1501, and 8080; yes, I know my ports off the top of my head, and these are the only ports I want to be allowed on my inside interface so all my computers/servers can talk/share/ping/ftp etc. etc. to each other.

Any ideas that could help??

2 Accepted Solutions

It was my fault. I kept copying and pasting. I changed the order of all the ports but forgot to change UDP. Let me tell you something: if you need to add a port, make sure that port is permitted above the deny deny, and also you need to change the order.

For example, I am adding port 25. Look at the location of 25. It is above the deny deny, and also it is after the two anys in outbond, but between the two anys in inbond.

ip access-list extended filter-inbond
  permit udp any eq domain any
  permit icmp any any echo-reply
  permit tcp any eq www any   established
  permit tcp any eq 443 any   established
  permit tcp any eq 8080 any  established
  permit tcp any eq 25 any  established
  deny ip any any
 
ip access-list extended filter-outbond
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 25
 permit tcp any any eq 8080
 permit udp any any eq domain
 permit icmp any any  echo
 deny   ip any any

************************************************************

For internal to internal, you need to configure your switch. Follow step by step.

Connect to your switch by console. For more security, create a VLAN.
conf t
vlan 5
name mylan

Put all active interfaces in VLAN 5, as well as the interface toward your router.
Shut down all inactive interfaces.

interface fa0/1
switchport access vlan 5
interface fa0/2
switchport access vlan 5


and repeat


You can use a range, for example:
interface range fa0/1-10
switchport access vlan 5




access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 1500
access-list 101 permit tcp any any eq 1501
access-list 101 permit udp any any eq 53
access-list 101 permit udp any any eq ntp

access-list 101 permit icmp any any



vlan access-map LAN-CONTROL 10
match ip address 101
action forward
vlan access-map LAN-CONTROL 20
action drop

vlan filter LAN-CONTROL vlan-list 5

Check internet and connectivity.

View solution in original post
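The first-match rule the answer relies on (a permit must sit above the `deny ip any any`, and `established` only matches TCP packets with ACK or RST set), checked with a small evaluator. This is an added example, not from the thread: the parser, the `Packet` fields and the sample packets are constructed, only the keywords these lists use are modelled (`reflect`/`evaluate` are not), and the second sample list is the asker's inbound list in which the icmp permit was placed below the deny.

```python
"""Evaluator for the IOS extended ACL entries quoted in this thread (added example,
not from the thread): only tcp/udp/icmp/ip, 'any', 'eq <port>', 'established'
and the echo / echo-reply words are modelled, because that is all the lists use."""
from collections import namedtuple
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "telnet": 23, "smtp": 25}
Packet = namedtuple("Packet", "proto sport dport ack icmp_type",
                    defaults=("tcp", 0, 0, False, ""))   # ack: TCP ACK/RST bit set

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_entry(line):
    t = line.lower().split()        # e.g. ['permit', 'tcp', 'any', 'eq', 'www', 'any']
    e = {"action": t[0], "proto": t[1], "sport": None, "dport": None}
    i = 3                           # t[2] is the source 'any'
    if t[i] == "eq":                # source-port form: 'any eq www any established'
        e["sport"], i = _port(t[i + 1]), i + 3
    else:
        i += 1                      # plain 'any any': skip the destination 'any'
    rest = t[i:]
    if "eq" in rest:                # destination port, e.g. 'any any eq 443'
        e["dport"] = _port(rest[rest.index("eq") + 1])
    e["established"] = "established" in rest
    e["icmp_type"] = next((w for w in rest if w in ("echo", "echo-reply")), None)
    return e

def matches(e, p):
    return (e["proto"] in ("ip", p.proto)
            and e["sport"] in (None, p.sport) and e["dport"] in (None, p.dport)
            and (not e["established"] or p.ack)
            and e["icmp_type"] in (None, p.icmp_type))

def evaluate(acl_lines, pkt):
    """First match wins; IOS ends every list with an implicit 'deny ip any any'.
    Returns (action, 1-based entry number); entry 0 is the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        e = parse_entry(line)
        if matches(e, pkt):
            return e["action"], n
    return "deny", 0

# Sample lists copied from the thread: the accepted inbound list with port 25,
# and the asker's inbound list in which the icmp permit sat below the deny.
FILTER_INBOND = ["permit udp any eq domain any", "permit icmp any any echo-reply",
                 "permit tcp any eq www any established",
                 "permit tcp any eq 443 any established",
                 "permit tcp any eq 8080 any established",
                 "permit tcp any eq 25 any established", "deny ip any any"]
MISORDERED_INBOUND = ["deny ip any any", "permit icmp any any echo"]
```

Running `evaluate(MISORDERED_INBOUND, Packet("icmp", icmp_type="echo"))` returns the deny at entry 1, which is why the permit written below it never takes effect.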

You're welcome. Give me your feedback.

View solution in original post

44 Replies

Duplicate post.

On my side it's new... New discussion, what I'm looking at over here; I just cleared my profile notifications; good over here.

Hello,

What do you mean by inside and outside? Specify the direction.

Inside to outside: which ports?

Outside to inside: which ports?

Inside to inside: do you need any control?

Outside interfaces:
  FastEthernet0 - Out to the Internet only (WWW,DNS,WWW2,HTTPS,ECHO)
Inside interfaces:
  FastEthernet1 - Inside to everyone

inside to outside  which port - 7,53,80,443,8080

outside to inside which port - 7,53,80,443,8080

inside to inside - 7,21,22,23,25,53,67,80,110,123,143,443,1500,1501, and 8080

Let's try this one. This access-list allows only connections which are initiated from inside.

Try this one at first. We will go for the inside to inside.

ip  access-list extended filter-outbond
permit tcp any any eq 80 reflect CHECK-TRAFFIC
permit udp any any eq 53 reflect CHECK-TRAFFIC
permit tcp any any eq 443 reflect CHECK-TRAFFIC
permit tcp any any eq 8080 reflect CHECK-TRAFFIC

permit icmp any any eq echo

Deny ip any any

ip access-list extended filter-inbound
permit icmp any any eq echo-reply
evaluate  CHECK-TRAFFIC
Deny ip any any


interface fa0
ip access-group filter-inbound in
ip  access-group filter-outbond out

That's a negative on that configuration; even with my test computer's firewall disabled, still no access to the network.

!
ip access-list extended filter-inbound
 evaluate CHECK-TRAFFIC
 deny   ip any any
 permit icmp any any echo
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit udp any any eq domain reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 deny   ip any any

interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbound in
 ip access-group filter-outbound out

Make sure you test the new one. I had some spelling mistakes. I fixed them.

edited

You changed the order and removed a command. Remove all the previous ones and add this one.

Try ping and browse.

ip access-list extended filter-inbond
  permit udp any eq domain any
  permit icmp any any echo-reply
  evaluate CHECK-TRAFFIC
  deny ip any any
 
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 permit udp any any eq domain
 permit icmp any any  echo
 deny   ip any any

interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out

Give your feedback. What is your IOS version? If it does not work, I'll give you another one.

LMAO!!!! I'm sorry, I'm just bugging out on how this isn't working; what you posted in the previous message didn't work, so I thought about it and tried it vice versa, and it still didn't work; but once it's all removed I'm back on the net...

version 12.4

Please keep them coming, I've got all night lmao!!!!!!!!

I had a spelling mistake. Remove them all and try. I edited my post.

ip access-list extended filter-inbond
  permit udp any eq domain any
  permit icmp any any echo-reply
  evaluate CHECK-TRAFFIC
  deny ip any any
 
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 permit udp any any eq domain
 permit icmp any any  echo
 deny   ip any any

interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out

Hey, this is strange;

As I was removing them one by one I was watching my network center; once I removed all the inbound rules, I had internet access; see configuration:

ip access-list extended filter-inbound
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 permit udp any any eq domain
 permit icmp any any echo
 deny   ip any any

interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbound in
 ip access-group filter-outbound out

Listen to me.

Remove them all. If you check the bold part, you will see I have a spelling mistake.

no ip access-list extended filter-inbound

no ip access-list extended filter-outbond

interface FastEthernet0

no ip access-group filter-inbound in
no ip access-group filter-outbound out

Then this one.

***************************

ip access-list extended filter-inbond
  permit udp any eq domain any
  permit icmp any any echo-reply
  evaluate CHECK-TRAFFIC
  deny ip any any
 
ip access-list extended filter-outbond
 permit tcp any any eq www reflect CHECK-TRAFFIC
 permit tcp any any eq 443 reflect CHECK-TRAFFIC
 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
 permit udp any any eq domain
 permit icmp any any  echo
 deny   ip any any

interface FastEthernet0
 description OUT
 ip address 192.168.0.X 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out

Nope, it didn't work with that reposted configuration. What I saw in my network center was that I was connected to the internet, but when I tried to access a website it stated "This page can't be displayed", even with the firewall on my computer disabled.