Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Access List as firewall

Status
Not open for further replies.
akonwar

akonwar

Technical User
Jun 16, 2003
26
IN
I have a cisco 1751 v router 10.77.37.1 connected to my internal network. I have a internet gateway router as 10.77.37.10 also connected to the same lan. The internet router is a coyote linux dial on demand box which allows everything to go out including udp broadcasts. My problem is i want to control traffic to internet gateway by diverting it through my router and using a accesslist to control what is forwarded to 10.77.37.10 say preventing udp packets.
my setup is like this
lan----cisco1751------eth------internetrouter(dhcp)-------isp

there is a static route in my router as
ip route 0.0.0.0 0.0.0.0 10.77.37.10 (my internet router)

how to write the access list and on which interface to apply so that only one computer on lan say 10.77.37.12(proxy cache) should be able to access network and all other s computers should be denied. 2nd question, what is the difference between standard and extended ip access lists.
 
Sort by date Sort by votes
I take it that the Internet router is also a firewall, and it handles NAT etc?

To deny UDP traffic from your LAN to the Internet router:

access-list 100 deny udp any any
access-list 100 permit ip any any
LAN interface
ip access-group 100 in

This simple ACL drops all UDP traffic, as the list is parsed top down. A UDP packet is matched on the first line so it gets dropped. Any other traffic goes out via the 1751 router.

To make it a little more complex, drop all UDP but allow any remaing IP packets from proxy:

access-list 100 deny udp any any
access-list 100 permit ip host 10.77.37.12 any
LAN interface
ip access-group 100 in



The standard ACL matches IP source addresses only, you cannot specify protocols or ports.
An extended can match on both source and destination IP address, IP protocol, and source and destination ports.

 
Upvote 0 Downvote
Will the above setup allow dns querys from the proxy to internet. Is that required for able to see internet from clients. My internet router knows about dns. It also takes care of nat etc.
 
Upvote 0 Downvote
You would have to use IP-helper for the DNS I do believe.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

quazimotto
  • Locked
  • Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
67
quazimotto
quazimotto
Mogles49
  • Locked
  • Question
Firewall ACL question
Replies
1
Views
97
burtsbees
burtsbees
CDIV
  • Locked
  • Question
Use uplink port as access port 2960 1
Replies
9
Views
290
CDIV
CDIV
dmourghen
  • Locked
  • Question
PBR issue and Access-list
Replies
0
Views
85
dmourghen
dmourghen
CDIV
  • Locked
  • Question
How do I enable SSH access in 2960x 1
Replies
4
Views
469
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top