question about firewall syntax on cisco ios

willchap86
Level 1

Hey guys, I am messing around with a Cisco IOS switch and firewall syntax for the first time.

I am just trying to figure out if my syntax is correct before I actually go on and do this for a business switch

Currently, I am trying to: (also, this is taking place on an area border router)

1. Allow SSH (tcp destined to port 22) from 
    10.0.0.0/8
    131.11.11.11/32 (fake ip)
   into my entire network (10.25.0.0/16). 

2. Disallow all other SSH (tcp destined to port 22) to MY network.
3. Allow all other traffic inbound to my network.

   and I am implementing this on my border routers

Extended IP access list 100
    100 permit tcp 10.0.0.0 0.255.255.255 host 10.25.0.0 eq 22
    200 permit tcp host 131.11.11.11 host 10.25.0.0 eq 22
    300 deny tcp any host 10.25.0.0 eq 22
    400 permit ip any host 10.25.0.0
    999 permit ip any 10.25.0.0 0.0.255.255

Now, for rule 400 - would this be correct syntax to allow all other traffic inbound to my network?

And for rule 999 - I want to permit all other traffic (that is not tcp to port 22 to your network) is this correct?

thanks a bunch guys


4 Replies

Jon Marshall
Hall of Fame

This is not firewall syntax, it is just an acl.

But assuming that is what you are trying to do there are a couple of things wrong -

1) all lines except the last one refer to "host 10.25.0.0".

This can't be right as it is not a host address, and based on your requirements you want to allow it to your entire network, so the destination in your acl lines should be the same as the last, i.e. "10.25.0.0 0.0.255.255"

2) line 400 isn't needed because as above the host part isn't right and the last line allows all IP to your network.

Do you actually want to restrict access to certain hosts?

Jon


hey jon! Thank you so much for the reply!! Oh, so adding host is wrong? Yeah, I am actually trying to involve the whole 10.25.0.0 network. So I need to add the wildcard bitmap, correct?

Yes, each entry needs to have "10.25.0.0 0.0.255.255" instead of the host part, just like your last line.

And also like I say line 400 isn't needed as long as you still have the last line as it would simply be a copy of it.

Jon

thanks so much buddy!
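To make Jon's point concrete, here is a small ACL evaluator, added as an example and not part of the original thread, that parses both the ACL as posted and the corrected one and applies IOS first-match semantics with the implicit deny at the end. Source addresses such as 198.51.100.5 are constructed test inputs; the point it shows is that "host 10.25.0.0" only ever matches that single address, so with the posted ACL outside SSH to 10.25.1.1 falls through to line 999 and is permitted.

```python
import ipaddress

# Constructed: the OP's ACL as posted ("host 10.25.0.0" on all but the last line).
POSTED_ACL = """
100 permit tcp 10.0.0.0 0.255.255.255 host 10.25.0.0 eq 22
200 permit tcp host 131.11.11.11 host 10.25.0.0 eq 22
300 deny tcp any host 10.25.0.0 eq 22
400 permit ip any host 10.25.0.0
999 permit ip any 10.25.0.0 0.0.255.255
"""
# Jon's fix: wildcard mask on every destination, redundant line 400 dropped.
CORRECTED_ACL = """
100 permit tcp 10.0.0.0 0.255.255.255 10.25.0.0 0.0.255.255 eq 22
200 permit tcp host 131.11.11.11 10.25.0.0 0.0.255.255 eq 22
300 deny tcp any 10.25.0.0 0.0.255.255 eq 22
999 permit ip any 10.25.0.0 0.0.255.255
"""

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((net, mask), used)."""
    if tokens[0] == "any":
        return (0, 0), 1
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), 2
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # Cisco wildcard: 0 bits must match, 1 bits are "don't care".
    mask = ~wildcard & 0xFFFFFFFF
    return (addr & mask, mask), 2

def parse_acl(text):
    """Parse extended-ACL lines into (seq, action, proto, src, dst, dport)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, n = _parse_addr(t[3:])
        rest = t[3 + n:]
        dst, n = _parse_addr(rest)
        rest = rest[n:]
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((int(t[0]), t[1], t[2], src, dst, dport))
    return entries

def evaluate(acl, src_ip, dst_ip, proto, dport=None):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for seq, action, p, (snet, smask), (dnet, dmask), port in acl:
        if (p == "ip" or p == proto) and (port is None or port == dport) \
                and s & smask == snet and d & dmask == dnet:
            return action, seq
    return "deny", None
```

Running evaluate() for an outside source to 10.25.1.1:22 returns ("permit", 999) against POSTED_ACL and ("deny", 300) against CORRECTED_ACL, which is exactly the gap Jon describes.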
