04-09-2015 03:44 PM - edited 03-07-2019 11:28 PM
Hey guys, I am messing around with Cisco IOS switch and firewall syntax for the first time.
I am just trying to figure out if my syntax is correct before I actually go on and do this for a business switch.
Currently, I am trying to do the following (also, this is taking place in an area border router):
1. Allow SSH (TCP destined to port 22) from
   10.0.0.0/8
   131.11.11.11/32 (fake IP)
   into my entire network (10.25.0.0/16).
2. Disallow all other SSH (TCP destined to port 22) to MY network.
3. Allow all other traffic inbound to my network.
I am implementing this on my border routers:
Extended IP access list 100
100 permit tcp 10.0.0.0 0.255.255.255 host 10.25.0.0 eq 22
200 permit tcp host 131.11.11.11 host 10.25.0.0 eq 22
300 deny tcp any host 10.25.0.0 eq 22
400 permit ip any host 10.25.0.0
999 permit ip any 10.25.0.0 0.0.255.255
Now, for rule 400 - would this be correct syntax to allow all other traffic inbound to my network?
And for rule 999 - I want to permit all other traffic (that is not TCP to port 22 to your network). Is this correct?
Thanks a bunch, guys!
04-09-2015 04:05 PM
This is not firewall syntax, it is just an ACL.
But assuming that is what you are trying to do, there are a couple of things wrong:
1) All lines except the last one refer to "host 10.25.0.0".
This can't be right, as it is not a host address, and based on your requirements you want to allow it to your entire network, so the destination in your ACL lines should be the same as the last, i.e. "10.25.0.0 0.0.255.255".
2) Line 400 isn't needed because, as above, the host part isn't right and the last line allows all IP to your network.
Do you actually want to restrict access to certain hosts?
Jon
04-09-2015 05:40 PM
Hey Jon! Thank you so much for the reply!! Oh, so adding "host" is wrong? Yeah, I am actually trying to involve the whole 10.25.0.0 network. So I need to add the wildcard bitmap, correct?
04-09-2015 05:59 PM
Yes, each entry needs to have "10.25.0.0 0.0.255.255" instead of the host part, just like your last line.
And also, like I say, line 400 isn't needed as long as you still have the last line, as it would simply be a copy of it.
Jon
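To see why the "host" form matters, here is a small ACL evaluator added alongside this thread (not from the original poster or Cisco): it parses numbered extended ACEs with IOS wildcard semantics and walks them first-match-wins with the implicit deny at the end. It runs the ACL as first posted and the version with Jon's fix against an SSH packet from an outside address (203.0.113.9 is a constructed documentation address), showing that with "host 10.25.0.0" the deny on line 300 never fires for any real host in the /16 and the packet is permitted by line 999.

```python
import ipaddress

def _addr(t, i):
    # Consume one IOS address spec at t[i]: 'any' (1 token), 'host A' or 'A WILDCARD' (2 tokens).
    return ("any", i + 1) if t[i] == "any" else (" ".join(t[i:i + 2]), i + 2)

def parse_ace(line):
    # Parse a numbered extended ACE such as '300 deny tcp any 10.25.0.0 0.0.255.255 eq 22'.
    t = line.split()
    src, i = _addr(t, 3)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"seq": int(t[0]), "action": t[1], "proto": t[2], "src": src, "dst": dst, "dport": dport}

def wildcard_match(spec, addr):
    # Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is "don't care".
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec[5:]))
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, src, dst, proto, dport=None):
    # First matching entry wins; the implicit deny at the end is reported as ('deny', None).
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if wildcard_match(ace["src"], src) and wildcard_match(ace["dst"], dst):
            return ace["action"], ace["seq"]
    return "deny", None

ORIGINAL = [  # the ACL as first posted: 'host 10.25.0.0' matches one address, not the /16
    "100 permit tcp 10.0.0.0 0.255.255.255 host 10.25.0.0 eq 22",
    "200 permit tcp host 131.11.11.11 host 10.25.0.0 eq 22",
    "300 deny tcp any host 10.25.0.0 eq 22",
    "400 permit ip any host 10.25.0.0",
    "999 permit ip any 10.25.0.0 0.0.255.255",
]
CORRECTED = [  # with the fix from the thread: /16 wildcard on every destination, line 400 dropped
    "100 permit tcp 10.0.0.0 0.255.255.255 10.25.0.0 0.0.255.255 eq 22",
    "200 permit tcp host 131.11.11.11 10.25.0.0 0.0.255.255 eq 22",
    "300 deny tcp any 10.25.0.0 0.0.255.255 eq 22",
    "999 permit ip any 10.25.0.0 0.0.255.255",
]
print(evaluate(ORIGINAL, "203.0.113.9", "10.25.1.5", "tcp", 22))  # ('permit', 999): outside SSH (constructed address) slips past line 300
```

Swap in CORRECTED for the same packet and the result becomes ('deny', 300), while SSH from 10.0.0.0/8 or 131.11.11.11 and non-SSH traffic from anywhere are still permitted.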
04-09-2015 06:36 PM
Thanks so much, buddy!