I have an extended access list that I have constructed for my serial interface facing the internet. I have permitted services that I need inbound, and tried to block everything else.
For whatever reason, when I apply it INBOUND to the serial 0/0 int on our 2600 router, it blocks access on the few ports it is supposed to allow...
This is the ACL:
access-list 111 remark "Allow connections originating from Inside back i
access-list 111 permit tcp any any established
access-list 111 permit tcp any 192.168.0.0 0.0.255.255 eq www established
access-list 111 permit tcp any host 192.168.1.11 eq smtp
access-list 111 permit tcp any host 192.168.1.12 eq 1494
access-list 111 permit udp any any eq domain
access-list 111 permit udp any host 192.168.1.12 eq 1604
access-list 111 permit tcp any host 192.168.1.14 eq 22
access-list 111 permit tcp any host 192.168.1.11 eq www
access-list 111 permit tcp host 65.210.205.254 any eq 22
access-list 111 permit tcp host 65.210.205.209 any eq 22
access-list 111 permit tcp host 12.19.61.34 any eq 22
access-list 111 remark "Deny RFC 1918"
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 remark "Prevent IP Spoofing of Loopback"
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 remark "Prevent using Multicast IP addresses as source"
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
access-list 111 remark "Block broadcast traffic"
access-list 111 deny ip host 255.255.255.255 any
access-list 111 remark "Block Wildcard traffic"
access-list 111 deny ip host 0.0.0.0 any
access-list 111 remark "Block ICMP"
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any time-exceeded
access-list 111 deny icmp any any
access-list 111 remark "Allow Kevin in"
access-list 111 permit ip host 24.125.46.48 any
access-list 111 deny ip any any
If someone can indicate where I have incorrectly constructed this list, please let me know. Thank you.
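
Added example, not part of the original post: a small first-match evaluator for the entry syntax used in the ACL above, run over constructed packets to show which entry each one hits. It assumes (the post does not say) that the 192.168.1.x servers are reached through NAT on a public address, in which case an inbound ACL on the outside interface is checked against the public destination before translation. The 203.0.113.x and 198.51.100.x addresses and the `evaluate`/`parse` helpers are placeholders made up for the illustration.

```python
import ipaddress

# Subset of the posted ACL 111, copied verbatim; IOS applies the first matching entry.
ACL = """access-list 111 permit tcp any any established
access-list 111 permit tcp any host 192.168.1.11 eq smtp
access-list 111 permit udp any any eq domain
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip any any"""
PORTS = {"smtp": 25, "domain": 53}          # port names used in these entries

def ip2int(a):
    return int(ipaddress.ip_address(a))

def take_addr(tok):
    """Consume 'any' | 'host A' | 'A wildcard' and return (network, care_mask)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0
    addr, wild = (tok.pop(0), "0.0.0.0") if first == "host" else (first, tok.pop(0))
    care = ~ip2int(wild) & 0xFFFFFFFF        # wildcard bits are "don't care"
    return ip2int(addr) & care, care

def parse(line):
    tok = line.split()[2:]                   # drop "access-list 111"
    return {"text": line, "action": tok.pop(0), "proto": tok.pop(0),
            "src": take_addr(tok), "dst": take_addr(tok),
            "dport": PORTS[tok[1]] if tok[:1] == ["eq"] else None,
            "established": "established" in tok}

def evaluate(pkt, rules):
    """Return (action, entry text) for the first entry that matches the packet."""
    for r in rules:
        if (r["proto"] in ("ip", pkt["proto"])
                and all((ip2int(pkt[k]) & r[k][1]) == r[k][0] for k in ("src", "dst"))
                and r["dport"] in (None, pkt["dport"])
                and (not r["established"] or pkt["ack"])):
            return r["action"], r["text"]
    return "deny", "implicit deny"

RULES = [parse(l) for l in ACL.splitlines()]
# Constructed packets. 203.0.113.11 is a placeholder public (NAT) address for the mail server.
PACKETS = {
    "smtp SYN to public address": dict(proto="tcp", src="198.51.100.7", dst="203.0.113.11", dport=25, ack=False),
    "smtp SYN to inside address": dict(proto="tcp", src="198.51.100.7", dst="192.168.1.11", dport=25, ack=False),
    "dns reply (source port 53)": dict(proto="udp", src="198.51.100.53", dst="203.0.113.1", dport=33000, ack=False),
    "tcp reply with ACK set":     dict(proto="tcp", src="198.51.100.7", dst="203.0.113.1", dport=40000, ack=True),
}
if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:30} -> {evaluate(pkt, RULES)}")
```

Under that NAT assumption the SMTP entry only matches when the packet's destination is already the inside address, and `eq domain` tests the destination port, so a resolver's reply with source port 53 falls through to the final deny.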