08-12-2008 04:49 AM
I have 2 subnets 10.x and 1.x with a router between them
I have a pix on the 1.x network that does the NATing for both the 10 and 1 networks to access the internet.
I want 2 computers from the 10.x network to be able to access the 1.x computers but do not want the 1.x computers to access the 10.x computers
Here is the access list I have right now:
interface Ethernet0
ip address 192.168.1.254 255.255.255.0
ip access-group 100 out
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
interface Ethernet1
ip address 192.168.10.1 255.255.255.0
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1 permanent
logging buffered 4096 debugging
no logging console
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any host 192.168.1.1
access-list 100 permit ip any host 192.168.1.199
access-list 100 permit ip host 192.168.10.29 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.10.35 192.168.1.0 0.0.0.255
access-list 100 permit ip any 192.168.100.0 0.0.0.255
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
I was thinking I need to create a 101 access-group deny any INCOMING.
Any ideas?
Thanks
Bill
08-12-2008 05:17 AM
Hi Bill,
It depends on what IOS you have on the router.
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
interface Ethernet1
ip access-group 101 in
ip inspect FIREWALL out
If you can enter the lines above, you have an IOS that supports a stateful firewall, and you also got yourself the first stateful firewall.
To better understand how it works try:
http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdcbac.html#wp1002187
Please rate if this helped.
Regards,
Daniel
08-12-2008 05:34 AM
Thanks for the reply. It's an old router, about 5 years old, not relying on the firewall rules.
Would
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any
get me what I need?
Denying incoming traffic from the 1.x network, would this stop my internet traffic, where the PIX is on the 1.x and its IP is 1.1? And why does the access-list 101 permit ip any any need to be there?
Thanks again so much
08-12-2008 09:17 AM
If the IOS is too old, the ACL 101 will not solve your problem, since it will block both the traffic from 1.x to 10.x and the reverse.
There is a way to allow the traffic, but it is only for TCP traffic:
access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255 established
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any
Basically, this ACL will allow only the established TCP communication (the one initiated by 10.x) to pass. The traffic initiated by 1.x to 10.x will be blocked.
Please note that this works only for TCP traffic.
For UDP, you need to either deny all or permit all.
Please rate if this helped.
Regards,
Daniel
08-12-2008 07:26 PM
Daniel is right,
I just got confused.
However,
Daniel's ACL will allow all of 192.168.10.0 to communicate with the 1.x network,
while, as I can see from his requirement, he wants only two PCs to have that access!!
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.29 established
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.10.35 established
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip any any
and apply it on
interface Ethernet0
ip access-group 101 in
This way will be more precise.
For your information,
it could be done more specific and secure if you have IOS firewall and configure IOS firewall ZONE-BASED.
Good luck
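As an added illustration (not code from anyone in this thread), the following Python evaluator walks the final inbound ACL 101 above in first-match order against constructed packets arriving on Ethernet0 from the 1.x side. It shows why the established keyword admits only replies to the two permitted 10.x hosts, why a UDP reply from 1.x is dropped as Daniel noted, and why internet traffic returning through the PIX is untouched by the deny. The sample addresses and packets are constructed for the demonstration.

```python
import ipaddress

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'.
    'any' matches everything; 'host X' is written here as 'X 0.0.0.0'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (n | w)

# ACL 101 as proposed for "ip access-group 101 in" on Ethernet0:
# (action, protocol, source, destination, established keyword present?)
ACL_101 = [
    ("permit", "tcp", "192.168.1.0 0.0.0.255", "192.168.10.29 0.0.0.0", True),
    ("permit", "tcp", "192.168.1.0 0.0.0.255", "192.168.10.35 0.0.0.0", True),
    ("deny",   "ip",  "192.168.1.0 0.0.0.255", "192.168.10.0 0.0.0.255", False),
    ("permit", "ip",  "any",                   "any",                    False),
]

def evaluate(acl, pkt: dict) -> str:
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for action, proto, src, dst, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst)):
            continue
        # 'established' matches only TCP segments with ACK or RST set, i.e.
        # replies to a connection the 10.x host opened; a fresh SYN has neither.
        if established and not (pkt.get("ack") or pkt.get("rst")):
            continue
        return action
    return "deny"

# Constructed sample traffic arriving inbound on Ethernet0 (from the 1.x side).
SAMPLE_PACKETS = {
    "syn_from_1x_to_10.29":   {"proto": "tcp", "src": "192.168.1.50", "dst": "192.168.10.29", "ack": False},
    "synack_reply_to_10.29":  {"proto": "tcp", "src": "192.168.1.50", "dst": "192.168.10.29", "ack": True},
    "ack_reply_to_other_10x": {"proto": "tcp", "src": "192.168.1.50", "dst": "192.168.10.77", "ack": True},
    "udp_reply_to_10.29":     {"proto": "udp", "src": "192.168.1.50", "dst": "192.168.10.29"},
    "internet_reply_via_pix": {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.10.29", "ack": True},
}

def verdicts(acl=ACL_101, packets=SAMPLE_PACKETS) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26s} -> {verdict}")
```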