Restricting access

jpgleason
Level 1

My company is in the process of being audited (annual event) and my manager wanted me to lock down access to our switches from our workstation network for ports 80, 443, 22, 23. I created access-lists and applied the access-lists to our "traversing" VLAN and it worked. I could not access the switches from my workstation but I was able to access them from a server that was set up on a different VLAN just for this (kind of like a monitoring/security server).

One thing appears to have been an inadvertent consequence of this action. I am not able to access a website using port 80 in a branch office.

Is there a way to lock down access to the switches against audit scanners without disrupting other network traffic? I used the configs below.

access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit ip any any

int vlan 2
ip access-group 101 in

Thanks,

2 Replies

jawad-mukhtar
Level 4

access-list 101 permit ip host (Your IP 192.168.1.x) any
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit ip any any


Jawad

Hello jpgleason,

A better solution would be to create two separate ACLs, one for vty access and the other for HTTP/HTTPS access.

ip access-list extended MGMT
 permit ip xyz any
 deny ip any any

ip access-list standard 99
 permit xyz
 deny any

line vty 0 4
 access-class MGMT in

ip http access-class 99

You allow or deny the IPs that should or should not access your router. It is a more scalable and better solution because you do not have to apply ACLs on every interface that can be used to access the router.

Best Regards

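To make the difference between the question's interface ACL and the second reply's management-plane ACLs concrete, here is an added Python example (written for this page; it is not code from the thread or from Cisco) that models IOS first-match ACL evaluation and shows why `ip access-group 101 in` also blocks the branch-office website while `access-class` / `ip http access-class` only affect sessions that terminate on the switch. The topology is a constructed assumption: workstations on 192.168.1.0/24, a switch management address of 192.168.1.1, a monitoring server at 10.9.9.5 on its own VLAN, and a branch web server at 172.16.50.80.

```python
"""Toy first-match ACL evaluator (added example, not Cisco code).

Models the two places an ACL sits in this thread: an interface ACL
(``ip access-group 101 in``) that every packet entering the VLAN is
checked against, transit traffic included, and a management-plane ACL
(``access-class`` on the vty lines, ``ip http access-class``) that is
consulted only for sessions terminating on the switch itself.
All addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # models "eq <port>" when set


ANY = ipaddress.ip_network("0.0.0.0/0")


def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Turn IOS 'address wildcard' notation into a network.

    A wildcard is the bitwise inverse of a subnet mask (0.0.0.255 == /24);
    the default 0.0.0.0 wildcard is a single host, like 'host a.b.c.d'.
    """
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(mask))),
                                strict=False)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src:
        return False
    if ipaddress.ip_address(p.dst) not in e.dst:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# Constructed topology.
WORKSTATION = "192.168.1.10"   # the poster's workstation
OTHER_WS = "192.168.1.20"      # another host on the workstation VLAN
MONITOR = "10.9.9.5"           # the scanner/monitoring server on its own VLAN
SWITCH = "192.168.1.1"         # a switch management address
BRANCH_WEB = "172.16.50.80"    # the branch-office website
MGMT_PORTS = {22, 23, 80, 443}

# The question's ACL 101, applied inbound on the workstation VLAN.
ACL_101 = [
    Entry("deny", "tcp", net("192.168.1.0", "0.0.0.255"), ANY, 80),
    Entry("permit", "ip", ANY, ANY),
]
# The first reply's variant: exempt one management host before the deny.
ACL_101_HOST = [Entry("permit", "ip", net(WORKSTATION), ANY)] + ACL_101
# The second reply's idea: a management-plane ACL that names who may reach
# the switch's vty/HTTP services and explicitly denies everyone else.
ACL_MGMT = [
    Entry("permit", "ip", net(MONITOR), ANY),
    Entry("deny", "ip", ANY, ANY),
]


def interface_verdict(acl: List[Entry], p: Packet) -> str:
    """ip access-group: every packet entering the interface is evaluated."""
    return evaluate(acl, p)


def management_verdict(acl: List[Entry], p: Packet) -> str:
    """access-class / ip http access-class: only sessions addressed to the
    switch's own management services are evaluated; transit traffic is
    forwarded untouched."""
    if p.dst == SWITCH and p.proto == "tcp" and p.dport in MGMT_PORTS:
        return evaluate(acl, p)
    return "permit"


if __name__ == "__main__":
    cases = {
        "workstation -> switch:80": Packet("tcp", WORKSTATION, SWITCH, 80),
        "workstation -> branch web:80": Packet("tcp", WORKSTATION, BRANCH_WEB, 80),
        "other host -> branch web:80": Packet("tcp", OTHER_WS, BRANCH_WEB, 80),
        "monitor -> switch:22": Packet("tcp", MONITOR, SWITCH, 22),
    }
    for name, pkt in cases.items():
        print(f"{name:30} ACL101={interface_verdict(ACL_101, pkt):6} "
              f"ACL101+host={interface_verdict(ACL_101_HOST, pkt):6} "
              f"mgmt-ACL={management_verdict(ACL_MGMT, pkt)}")
```

Running it shows the failure mode from the question: under ACL 101 the workstation's web session to the branch office is denied by the same entry that blocks the switch, because an interface ACL sees transit traffic. The first reply's `permit ip host` exempts one workstation, but every other host on the VLAN still loses the branch website. The management-plane ACL leaves transit traffic alone entirely and still denies the workstation's SSH/Telnet/HTTP sessions to the switch while permitting the monitoring server.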