
Access-List question 2

Status
Not open for further replies.

Raul102801

Technical User
Nov 11, 2002
89
US

Network A: server 192.168.1.2
Network B: server 192.168.10.2

I want to be able to allow anything from Network B to Network A's server 192.168.1.2 and I want server 192.168.1.2 to be able to ping 192.168.10.2 and also connect to it on port XXX

Here is what I did but no luck:

access-list 101 permit tcp any host 192.168.1.2
access-list 101 permit icmp any host 192.168.1.2
access-list 101 permit tcp host 192.168.1.2 host 192.168.10.2 eq 23
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2

For interface F0/1
router(config-if)# ip access-group 101 in
router(config-if)# ip access-group 101 out

Is the problem that the interface is being designated as in and out, as opposed to just in or just out?
 
It depends what router you're applying them to...
On router A...

access-list 101 permit ip 192.168.10.0 0.0.0.255 host 192.168.1.2
int fa0/1
ip access-group 101 in

That will allow only traffic from the 192.168.10.0/24 network to the server at 192.168.1.2---everything else will be denied.

On router B...

access-list 101 permit tcp host 192.168.1.2 host 192.168.10.2 eq xxx
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 echo
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 echo-reply
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 time-exceeded
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 host-unreachable
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 host-unknown
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 packet-too-big
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 redirect
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 source-quench
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 unreachable
int fa0/1
ip access-group 101 in

There are many parameters for ICMP, but I would at least do echo, echo-reply, time-exceeded, and unreachable.
This will allow only pings from 192.168.1.2 to 192.168.10.2

Burt
 
Burt
Thanks for your reply.
I only manage router B; router A belongs to a vendor, and that's why I want to only allow what they need access to and block everything else. Your reply seems to take care of the incoming traffic, but how about the outgoing traffic? In addition to allowing the traffic specified on the access-list you provided, I wanted to allow anything from network B to network A regardless of what they are allowing. I would imagine it would be something like:
access-list XX permit tcp 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
I do get confused on where that needs to be applied and whether it needs to be part of the same access-list or a different one.
 
That would have to be applied on router A---since there is no acl denying traffic from B to A, then all traffic is already allowed. Also, acl 101 on your router will ensure only pings from router A will go through.

Burt
 
Well... I thought that whatever I am not permitting is by default denied. It's what's called the implicit deny, if I understand correctly. If I don't have an access list, I can ping the server on network A from network B, but when I apply the ACL you provided, I can no longer ping. That's why I am thinking that unless I specify that I want to allow it, it will be denied.

Again, I am pretty new to this and I might be misunderstanding how it really works.

Thanks for your replies, they are very helpful and very much appreciated.
 
The implicit deny comes in when an acl is created. If there is no acl, everything is allowed through.
Did you want server A to ping server B, or network A to ping network B? Is any other access needed?

Burt
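To see how Burt's two lists and the implicit deny behave, here is an added Python model (not from the thread or from Cisco) that parses IOS extended-ACL lines and evaluates a packet against them, first match wins. It assumes port 12903 for the thread's "xxx" and uses the corrected 192.168.1.2 addresses; the packet tuples are constructed test inputs.

```python
import ipaddress

# Constructed copies of the two lists Burt posted (IP typos corrected);
# port 12903 is the port the original poster names later in the thread.
ACL_ROUTER_A = "access-list 101 permit ip 192.168.10.0 0.0.0.255 host 192.168.1.2"
ACL_ROUTER_B = """
access-list 101 permit tcp host 192.168.1.2 host 192.168.10.2 eq 12903
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 echo
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 echo-reply
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 time-exceeded
access-list 101 permit icmp host 192.168.1.2 host 192.168.10.2 unreachable
"""

def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks; ipaddress accepts them as hostmasks.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse numbered extended-ACL lines into (action, proto, src, dst, qualifier)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        qualifier = None  # TCP port after "eq", or ICMP message type
        if proto == "tcp" and rest[:1] == ["eq"]:
            qualifier = int(rest[1])
        elif proto == "icmp" and rest:
            qualifier = rest[0]
        rules.append((action, proto, src, dst, qualifier))
    return rules

def evaluate(rules, proto, src, dst, qualifier=None):
    """First matching line wins; a packet that matches nothing hits the implicit deny."""
    for action, rproto, rsrc, rdst, rqual in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if ipaddress.ip_address(src) not in rsrc or ipaddress.ip_address(dst) not in rdst:
            continue
        if rqual is not None and rqual != qualifier:
            continue
        return action
    return "deny"  # the implicit deny at the end of every IOS ACL
```

Evaluating an echo from 192.168.10.2 to 192.168.1.2 against the router B list returns "deny", which is exactly the case the original poster hit when testing from the wrong source.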
 
Server A needs to be able to ping server B plus access to port 12903. The access-list you provided above takes care of this.
Then, server B traffic needs to be allowed to go through router B to get to server A. I understand that whatever access-list is on router A will determine what will be allowed. The problem is that after applying the access-list above, I can no longer ping server A from server B. Before applying the access-list I could, so that makes me think that the access-list I created to allow incoming traffic is blocking the outgoing traffic since I didn't specify to permit it.
 
Burt
I got this working... the configuration was correct, I made the mistake of testing from the router which we had not included on the config since we did server to server.
My mistake.


Thanks for all your help.
 