12-18-2015 03:21 PM - edited 03-05-2019 02:58 AM
Hello;
I need some help on securing certain ports in/out my network
So I tried and tried and tried different configurations and different scenarios as far as my access-list goes to allow only certain ports in and out.
What I would like to do on my outside interface is have only ports 7, 53, 80, 443, and 8080 allowed; whereas on my inside internal interface I would like to have ports 7, 21, 22, 23, 25, 53, 67, 80, 110, 123, 143, 443, 1500, 1501, and 8080; yes, I know ports by the back of my head and these are the only ports I want to be allowed inside my interface so all my computers/servers can talk/share/ping/ftp etc. to each other.
Any ideas that could help??
12-18-2015 08:08 PM
You got to be shitting me... WTF!!!
So what's different from all this time; my firewall is disabled; aight cool, seems to be working fine; I tried a few sites and I was able to view the webpage; but I'm confused on what was changed...
Standard IP access list 50
10 permit 10.10.0.0, wildcard bits 0.0.255.255 (7883 matches)
Extended IP access list filter-inbond
10 permit udp any eq domain any (486 matches)
20 permit icmp any any echo-reply (15 matches)
30 permit tcp any eq www any established (15552 matches)
40 permit tcp any eq 443 any established (3464 matches)
50 permit tcp any eq 8080 any established
60 deny ip any any (7 matches)
Extended IP access list filter-outbond
10 permit tcp any any eq www (8154 matches)
20 permit tcp any any eq 443 (2635 matches)
30 permit tcp any any eq 8080
40 permit udp any any eq domain (162 matches)
50 permit icmp any any echo
60 deny ip any any
12-18-2015 08:33 PM
It was my fault. I kept copying and pasting. I changed the order of all the ports but forgot to change UDP. Let me tell you something. If you need to add a port, make sure that port is permitted above deny deny and also you need to change the order.
For example, I am adding port 25. Look at the location of 25. It is above deny deny and also it is after the two "any" in outbond, but between the two "any" in inbond.
ip access-list extended filter-inbond
permit udp any eq domain any
permit icmp any any echo-reply
permit tcp any eq www any established
permit tcp any eq 443 any established
permit tcp any eq 8080 any established
permit tcp any eq 25 any established
deny ip any any
ip access-list extended filter-outbond
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 25
permit tcp any any eq 8080
permit udp any any eq domain
permit icmp any any echo
deny ip any any
************************************************************
For internal to internal, you need to configure your switch. Follow step by step.
Connect to your switch by console. For more security create a VLAN.
conf t
vlan 5
name mylan
Put all active interfaces in VLAN 5 and also the interface toward your router.
Shutdown all inactive interfaces.
interface fa0/1
switchport access vlan 5
interface fa0/2
switchport access vlan 5
and repeat.
You can use range, for example:
interface range fa0/1-10
switchport access vlan 5
access-list 101 permit tcp any any eq 80
access-list 101 permit TCP any any eq 443
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 1500
access-list 101 permit tcp any any eq 1501
access-list 101 permit udp any any eq 53
access-list 101 permit udp any any eq ntp
access-list 101 permit icmp any any
vlan access-map LAN-CONTROL 10
match ip address 101
action forward
vlan access-map LAN-CONTROL 20
action drop
vlan filter LAN-CONTROL vlan-list 5
Check internet and connectivity.
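The rules above are evaluated top to bottom, first match wins. As an added example (not from the thread), this small Python evaluator for the IOS extended ACL syntax posted here shows why "eq <port>" must sit on the source side in filter-inbond (return traffic) and on the destination side in filter-outbond, and why a permit placed after "deny ip any any" is never reached; the "broken" UDP line is an assumption about what the copy-paste slip looked like, since the thread does not show it.

```python
# Added example (not from the thread): first-match evaluator for the IOS
# extended ACL lines posted above.  Only the 'any' address form is parsed.
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ftp": 21, "telnet": 23,
              "pop3": 110, "ntp": 123}

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0        # source port (tcp/udp)
    dport: int = 0        # destination port (tcp/udp)
    ack: bool = False     # TCP ACK or RST set: all that 'established' checks
    icmp_type: str = ""   # "echo" or "echo-reply"

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_rule(line):
    """'permit tcp any eq www any established' -> dict of match fields."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    ports = []
    for _ in range(2):                      # source side, then destination side
        if rest.pop(0) != "any":
            raise ValueError("only 'any' addresses are supported here")
        if rest[:1] == ["eq"]:
            ports.append(_port(rest[1])); rest = rest[2:]
        else:
            ports.append(None)
    return {"action": action, "proto": proto, "sport": ports[0], "dport": ports[1],
            "established": "established" in rest,
            "icmp_type": next((t for t in rest if t in ("echo", "echo-reply")), None)}

def matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt.proto)
            and rule["sport"] in (None, pkt.sport)
            and rule["dport"] in (None, pkt.dport)
            and (pkt.ack or not rule["established"])
            and rule["icmp_type"] in (None, pkt.icmp_type))

def evaluate(acl, pkt):
    """First matching line wins; IOS ends every ACL with an implicit deny."""
    for line in acl:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

# filter-inbond as posted, and the assumed copy-paste variant: UDP line left
# in the outbound (destination-port) form, so DNS replies from port 53 never match.
FILTER_INBOND = ["permit udp any eq domain any", "permit icmp any any echo-reply",
                 "permit tcp any eq www any established", "permit tcp any eq 443 any established",
                 "permit tcp any eq 8080 any established", "deny ip any any"]
BROKEN_INBOND = ["permit udp any any eq domain"] + FILTER_INBOND[1:]
DNS_REPLY = Packet("udp", sport=53, dport=40321)               # constructed packets
HTTP_REPLY = Packet("tcp", sport=80, dport=51000, ack=True)
UNSOLICITED_SYN = Packet("tcp", sport=40000, dport=80)
```

Running evaluate() over FILTER_INBOND and BROKEN_INBOND with DNS_REPLY shows the one-token difference that cost the original poster an afternoon, and appending a permit after the final deny shows the dead-rule case.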
12-18-2015 08:33 PM
Ok;
I'll try it later on tonight; gotta take care of some house duties; thanks for all the help; kinda crazy how things went with all the configurations lol; I'll make sure I do a test run on the switch later on.
Thanks Again
12-18-2015 08:35 PM
You're welcome. Give me your feedback.
12-21-2015 04:42 PM
Hey Masoud;
How are you ??
Are you there ???
12-21-2015 04:49 PM
Hello,
I am here. How are you? Did you try VLAN access-list?
12-21-2015 05:02 PM
Hey;
I'm doing pretty good so far; can't complain, just one day at a time...
Yes, I did try multiple times; but there is a problem with the command you sent me;
this part right here, I don't have this configuration listed in my global config:
vlan access-map LAN-CONTROL 10
....................................................................
SW1(config)#vlan ?
WORD ISL VLAN IDs 1-4094
internal internal VLAN
SW1(config)#vlan
Even when I try the interface, it's still not there to be configured.
The only way I can add a rule is to use ip access-group 101 in or out; unless you see a different configuration to implement my access-list:
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 1500
access-list 101 permit tcp any any eq 1501
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq ntp
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 22
SW1(config)#vlan access-map
Command rejected: Bad VLAN list - character #1 is a non-numeric
character ('a').
12-21-2015 05:04 PM
It is the same issue with SSH you had before. You need to upgrade your IOS to support security features.
12-21-2015 05:17 PM
Yeah; seems like it; well I don't have any software to upgrade since these are kinda old; I think the best way would be to
Ex:
config t
interface vlan10
ip access-group in
ip access-group out
then
assign each interface with
switchport access vlan 10
That should logically work for internal to internal.
12-21-2015 05:49 PM
No, it does not work. Interface VLAN in layer 2 switch is only for management.
If you apply an access-list there, you only limit access to the switch. It does not limit clients.
There is one way to put a limitation in place if you are not able to upgrade your IOS.
Divide your network into several groups and configure access-lists. It is a little complex but I can help if you can divide your network logically. For example:
Servers, client group 1, client group 2 or so.
You can configure access-list for different group communication, but still computers within a group can see each other directly.
12-21-2015 05:57 PM
Oooh ok; so that type of setup wouldn't work in layer 2.
Well if you wanna do it by groups I would possibly have 3 groups:
Server group
Client group
Backup group
So how would I be able to implement that configuration in groups???
12-21-2015 06:03 PM
You create 3 VLANs, then create an interface VLAN for each on your router. You apply the ACLs on your router.
It is not that complicated. You are handy in configuration now.
Please open a new post. This post is too long.
12-21-2015 06:19 PM
Ok, it's called "internal to internal ports".
12-18-2015 07:19 PM
Try this one one more time. Just copy and paste it.
ip access-list extended filter-inbond
permit udp any eq domain any
permit icmp any any echo-reply
permit tcp any eq www any established
permit tcp any eq 443 any established
permit tcp any eq 8080 any established
deny ip any any
ip access-list extended filter-outbond
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
permit udp any any eq domain
permit icmp any any echo
deny ip any any
interface FastEthernet0
description OUT
ip access-group filter-inbond in
ip access-group filter-outbond out
show access-list
12-18-2015 07:46 PM
Try my last configuration. I made a small change.