06-16-2008 09:01 AM - edited 03-03-2019 10:22 PM
I have placed a 2801 router at a competitor/customer site that is involved in a joint project. We have set up a server for them to use as a share drive. I am trying to place a very tight ACL to only give them access to the IP 10.20.200.11. I know it's easier to build in the SDM but I want to learn how to effectively do it manually. This is an example of what I came up with. Please don't laugh, it's my first ACL.
access-list 101 permit ip any host 10.20.200.11
access-list 101 permit icmp any host 10.20.200.11
access-list 101 permit tcp any host 10.20.200.11
access-list 101 permit udp any host 10.20.200.11
06-16-2008 09:08 AM
Donnie
The first line
access-list 101 permit ip any host 10.20.200.11
is the only one you need because the "permit ip" covers icmp/tcp & udp.
But even the first line is somewhat open. Do you know the customer subnet range, and do you know what they want to access on your server?
So, for example, if their local network was 192.168.5.0/24 and they wanted to use http & telnet:
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 23
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 80
There is nothing wrong with using the "permit ip", you just need to be aware of what it is allowing.
Jon
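As an added illustration of Jon's point (not part of the thread), here is a small Python model of how IOS evaluates a numbered extended ACL: first match wins, a "permit ip" entry matches icmp/tcp/udp alike, and a packet that matches nothing hits the implicit deny at the end. The two ACLs from the thread are embedded as constructed input; the choice of TCP port 445 (SMB file sharing) to represent the share drive is my assumption.

```python
import ipaddress
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines (numeric ports only)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, swc, rest = _parse_addr(t[4:])
        dst, dwc, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, swc, dst, dwc, dport))
    return entries

def _match(addr, wildcard, pkt):
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = don't care, so compare only 0 bits
    return (addr & care) == (pkt & care)

def evaluate(entries, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for a packet; the first matching entry wins."""
    for action, eproto, eaddr, ewc, daddr, dwc, eport in entries:
        if eproto != "ip" and eproto != proto:
            continue  # 'ip' covers icmp, tcp and udp
        if not (_match(eaddr, ewc, _ip(src)) and _match(daddr, dwc, _ip(dst))):
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"  # every IOS ACL ends with an implicit deny
# The two ACLs as posted in the thread (constructed input for this example).
OPEN_ACL = parse_acl("""
access-list 101 permit ip any host 10.20.200.11
access-list 101 permit icmp any host 10.20.200.11
access-list 101 permit tcp any host 10.20.200.11
access-list 101 permit udp any host 10.20.200.11
""")
TIGHT_ACL = parse_acl("""
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 23
access-list 101 permit tcp 192.168.5.0 0.0.0.255 host 10.20.200.11 eq 80
""")
```

Running evaluate() against both lists shows that the original ACL already hides every host other than 10.20.200.11 (implicit deny), but lets any source reach that host on any protocol, while Jon's version also restricts the source subnet and ports.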
06-16-2008 10:41 AM
Jon, they are only accessing a drive on the server. I want to lock it down so that they don't see anything else on the network except for the drive on 10.20.200.11. I was going to apply it in on the serial/T1 out.
Thank you very much for the help.