07-16-2010 09:22 AM - edited 03-06-2019 12:03 PM
Hi everybody,
I have found out in the last few days that some robots (or hackers), I don't know exactly, but some attacks coming from the WAN (Internet), try to access 3 SIP servers in our LAN to register their accounts.
Now I want to deny any host outside my LAN access to my 3 SIP servers via ports 5060 to 5080, by identifying the server IP and the source IP.
I want to do it on my CATALYST 2950, where the router managed by our Internet provider and the 3 SIP servers are also connected.
Is that possible, and how can I do that? (I have never configured an ACL on Cisco equipment and don't want to make errors which could stop all activity in our traffic.)
Thanks everybody
PS: Server IP addresses: 192.168.1.2 / 192.168.1.242 / 192.168.11.252
So all hosts in the networks 192.168.1.0 and 192.168.11.0 can access the 3 SIP servers, but the others must be denied only on ports 5060 to 5080 (because technical support accesses the servers via SSH, Telnet or HTTP).
07-16-2010 11:29 AM
Hi,
If I understand, the requirement is that only the local LAN can access these servers, and nobody from the Internet on ports 5060 to 5080.
Apply this ACL on the port where the router cable is connected, I mean where the Internet traffic comes into your local LAN:
Switch(config)# access-list 110 deny tcp any host 192.168.1.2 range 5060 5080
Switch(config)# access-list 110 deny tcp any host 192.168.1.242 range 5060 5080
Switch(config)# access-list 110 deny tcp any host 192.168.11.252 range 5060 5080
Switch(config)# access-list 110 permit ip any any
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 102 in
The above ACL will block any traffic to your three servers on ports 5060 to 5080, and as the remaining hosts are in the local LAN they will be able to access these servers.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
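For reference, the same ACL written out in full as a configuration fragment, as it would appear in the running configuration. This is an added example, not Ganesh's or Cisco's own text. It differs from the post above in two ways a practitioner would want: SIP signalling normally runs over UDP 5060 as well as TCP, so each server gets a udp and a tcp deny, and all three server addresses from the question are covered. The interface name fastethernet0/24 is an assumption; use whichever port the ISP router is plugged into, since the ACL is evaluated only on traffic entering that port, so LAN hosts on the other ports are never matched by the deny lines.

```ios
! Added example, not from the original thread. Numbered extended ACL 110.
! remark lines are comments stored in the ACL; the ACE order is first-match.
access-list 110 remark Block SIP signalling (TCP and UDP 5060-5080) from the Internet side
access-list 110 deny tcp any host 192.168.1.2 range 5060 5080
access-list 110 deny udp any host 192.168.1.2 range 5060 5080
access-list 110 deny tcp any host 192.168.1.242 range 5060 5080
access-list 110 deny udp any host 192.168.1.242 range 5060 5080
access-list 110 deny tcp any host 192.168.11.252 range 5060 5080
access-list 110 deny udp any host 192.168.11.252 range 5060 5080
! Every IOS ACL ends with an implicit "deny ip any any"; without this permit,
! SSH, Telnet and HTTP from the support side would be dropped as well.
access-list 110 permit ip any any
!
! Assumed interface: the port facing the ISP router. Inbound = from the router
! towards the LAN, which is the direction the registration attempts arrive in.
interface fastethernet0/24
 ip access-group 110 in
!
```

After applying it, `show access-lists 110` prints a match counter per entry, which is the quickest way to confirm the deny lines are actually catching the registration attempts and that the permit line still carries everything else. Note that on the asker's 2950 running the Standard Image, `ip access-group` was rejected on a physical port (see the show version output later in the thread), and the thread was resolved by moving the router to a 2960 and applying the ACL there.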
07-16-2010 12:47 PM
Yes, it's great,
I think that will be OK. I'll try it tomorrow because I am not at work.
But for the last line, why "Switch(config-if)# ip access-group 102 in"? I think it will be "Switch(config-if)# ip access-group 110 in" for your example.
I'll tell you tomorrow.
Thanks and regards.
PS: Also, for my personal knowledge, does this ACL do the same thing, but now applied where, for example, the server 192.168.1.2 is connected on the Catalyst?
Switch(config)# access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.2 range 5060 5080
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 110 in
07-17-2010 12:26 AM
I am sorry, that was a typing error. The above example of ACL which you have written is of no need, as the server and the source are in the same subnet, and as per your requirement you need to give permission to the local LAN subnet apart from Internet users on port range 5060 to 5080.
So try the configuration in my previous post and share the results.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
07-17-2010 08:26 AM
Hi Mr Ganesh,
I did what you told me to do, but I can't assign this ACL to an interface of my Catalyst?!!!
I don't know why (maybe my Catalyst OS version or an upgrade is missing), but this is what I get finally:
Swich(config-if)#ip access-group 110 in
^
% Invalid input detected at '^' marker.
Swich(config-if)#ip ?
Interface IP configuration subcommands:
dhcp DHCP
igmp IGMP interface commands
Swich#show version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 23-Mar-05 15:33 by yenanh
Image text-base: 0x80010000, data-base: 0x80562000
ROM: Bootstrap program is C2950 boot loader
Swich uptime is 24 weeks, 5 days, 23 hours, 11 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-22.EA4.bin"
cisco WS-C2950-24 (RC32300) processor (revision R0) with 21039K bytes of memory.
Processor board ID FCZ0925Y09A
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:14:6A:44:18:00
Motherboard assembly number: 73-5781-13
Power supply part number: 34-0965-01
Motherboard serial number: FOC09211JFL
Power supply serial number: DAB090835E0
Model revision number: R0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FCZ0925Y09A
Configuration register is 0xF
Swich#
Regards
07-18-2010 01:18 AM
Hi,
Check out the below link for configuring ACLs on Cisco 2950 series switches, with examples and procedure.
Hope to help !!
Ganesh.H
Remember to rate the helpful post
07-19-2010 02:13 PM
Hello,
2950 switches are pure Layer 2 switches, so you can apply the access list only to the VLAN SVI. Per the document:
The ip access-group interface configuration command is only valid when applied to a management interface of a Layer 2 interface. ACLs cannot be applied to interface port-channels.
Hope this helps.
Regards,
NT
07-20-2010 02:08 AM
Okay, I think so.
I also have another Catalyst (2960); I connected my router to this Catalyst and applied the ACL.
It's working now.
Thanks everybody for helping me.
PS: I get you, but what do you mean when you say VLAN SVI? (I know VLAN, but SVI????)
07-20-2010 08:13 AM
Hello,
The SVI refers to the layer 3 interface on the switch (Switch virtual interface).
Regards,
NT