
ACLs - Interface Question


cyberspace (Technical User, GB), Aug 19, 2005
I'm currently configuring a 3Com 5012 which will be the new default gateway for office PCs.

I have been setting up access control lists to secure the network.

The setup is as follows:

interface Ethernet0/0
ip address 192.168.1.254 255.255.255.0
#
interface Ethernet2/0
ip address 10.0.0.2 255.255.255.252

Eth0/0 is the LAN, eth2/0 is for the connection to an ADSL router to get online.

I'm getting a little confused about ACL directions.

I want to allow only http, https, telnet, ftp and echo services to be able to go out on to the internet, and obviously I want these services to be able to return to the user. However, I don't just want anybody telnetting in!

So I thought that this ACL:


acl number 3000
rule 1 permit tcp source 192.168.1.0 0.0.0.255 source-port eq www
rule 2 permit tcp source 192.168.1.0 0.0.0.255 source-port eq ftp
rule 3 permit tcp source 192.168.1.0 0.0.0.255 source-port eq echo
rule 4 permit tcp source 192.168.1.0 0.0.0.255 source-port eq 443
rule 5 permit tcp source 192.168.1.0 0.0.0.255 source-port eq ftp-data
rule 6 permit tcp source 192.168.1.0 0.0.0.255 source-port eq telnet

applied to the eth2/0 interface OUTBOUND would be OK. However, with this applied, pings don't respond from internal PCs, even to the eth0/0 address.

Similarly, when I was logged in I applied this ACL to the eth0/0 interface INBOUND:

rule 2 permit tcp destination 192.168.1.0 0.0.0.255 destination-port eq echo

I forgot to add telnet, so I lost the connection to the router... no big deal.

So basically I'm left a little confused as to the direction of ACLs, and how I need to set it up for my requirements. Any advice you can give would be appreciated - basically I just want to know I'm on the right lines and that what I'm doing won't pose a security risk when it goes live. Thanks.


'When all else fails.......read the manual'
 
Best practice with ACLs is to apply them closest to the traffic you want to block. Thus you should have an ACL for the inbound and outbound port and apply both in the "inward" direction. That will allow you to keep your source and destination information correct.
 
Thanks.

I have a default deny policy, and obviously my main concern is for traffic getting IN, rather than out.

Eth2/0 inbound is traffic from the internet.

However, is Eth0/0 inbound traffic from the LAN, or traffic from Eth2/0? That's where I'm getting a bit confused.

If I allow say telnet to go out - do I also need a rule to let it back in?

'When all else fails.......read the manual'
 
If you apply an ACL inbound to E0/0, it is blocking traffic from the LAN. If you apply an ACL inbound on E2/0, it is blocking traffic from the Internet.

Thus you are blocking traffic from entering your router from both interfaces.
 
Thanks Brian, I thought that was the case.

The main concern in that case is inbound on E2/0.

'When all else fails.......read the manual'
 
Right, got back on this today and still have a few questions.

If I apply this:

rule 1 permit tcp source 192.168.1.0 0.0.0.255 source-port eq www
rule 2 permit tcp source 192.168.1.0 0.0.0.255 source-port eq ftp
rule 3 permit tcp source 192.168.1.0 0.0.0.255 source-port eq echo
rule 4 permit tcp source 192.168.1.0 0.0.0.255 source-port eq 443
rule 5 permit tcp source 192.168.1.0 0.0.0.255 source-port eq ftp-data
rule 6 permit tcp source 192.168.1.0 0.0.0.255 source-port eq telnet
rule 7 permit tcp source 10.0.0.0 0.0.0.255 source-port eq echo

on the external interface inbound or outbound, I can no longer ping the other router (from the 3Com router) on 10.0.0.1.

However, if I put it on the internal interface outbound, I can ping the other router, but if I put it on the internal interface inbound, it cuts off my connection to the router - but I have a rule to allow telnet from the LAN?!

As there is a default deny policy, do I need to apply an ACL inbound on the external interface? Or do I just need to add a blank ACL?


'When all else fails.......read the manual'
 
rule 8 permit ip any any
There is an implicit "deny ip any any" at the end.

Burt
 
ah how could I forget the implicit deny!

Quick Q though...is that not a security risk?

'When all else fails.......read the manual'
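As an added illustration, not code from the thread or from 3Com: a small Python model of stateless interface ACLs that replays the situations discussed above (which traffic an inbound ACL on E0/0 versus E2/0 sees, why the posted source-port rules never match a client session from the LAN, why return traffic needs its own permit on the interface it comes back in on, and what a trailing permit ip any any does to inbound filtering). It assumes first-match-wins evaluation with an implicit deny and that an interface with no ACL in a direction passes traffic; the thread's 192.168.1.0/24 LAN and 10.0.0.1 uplink are used, and all other addresses, port numbers and packets are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR; "0.0.0.0/0" = any
    sport: "int | None" = None   # source-port eq N; None = any port
    dport: "int | None" = None   # destination-port eq N; None = any port

Packet = namedtuple("Packet", "src sport dst dport")

def evaluate(rules, pkt):
    """Action of the first matching rule; nothing matched = the implicit deny."""
    for r in rules:
        if (ip_address(pkt.src) in ip_network(r.src)
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)):
            return r.action
    return "deny"

def forward(acls, pkt, ingress, egress):
    """acls maps (interface, direction) -> rules; no entry means no ACL (pass).
    A packet meets the inbound ACL of the interface it arrives on, then the outbound
    ACL of the one it leaves by: E0/0 inbound sees LAN traffic, E2/0 inbound Internet traffic."""
    for key in ((ingress, "inbound"), (egress, "outbound")):
        if key in acls and evaluate(acls[key], pkt) == "deny":
            return "dropped by %s %s" % key
    return "forwarded"

LAN, ANY = "192.168.1.0/24", "0.0.0.0/0"
as_posted = [Rule("permit", LAN, sport=23)]   # source-port eq telnet, as in the thread
corrected = [Rule("permit", LAN, dport=23)]   # a LAN telnet client sends TO port 23
return_ok = [Rule("permit", ANY, sport=23)]   # replies come FROM port 23, not from the LAN
catch_all = as_posted + [Rule("permit", ANY)] # "permit ip any any" appended, as suggested

request = Packet("192.168.1.10", 51515, "10.0.0.1", 23)         # constructed: LAN client -> uplink router
reply = Packet("10.0.0.1", 23, "192.168.1.10", 51515)           # constructed: the answer coming back
unsolicited = Packet("203.0.113.5", 40000, "192.168.1.10", 23)  # constructed: Internet host -> LAN telnet

def demo():
    E20_IN, E00_IN = ("E2/0", "inbound"), ("E0/0", "inbound")
    return {
        "request, posted rule E0/0 in": forward({E00_IN: as_posted}, request, "E0/0", "E2/0"),
        "request, corrected E0/0 in": forward({E00_IN: corrected}, request, "E0/0", "E2/0"),
        "reply, posted rule E2/0 in": forward({E20_IN: as_posted}, reply, "E2/0", "E0/0"),
        "reply, return permit E2/0 in": forward({E20_IN: return_ok}, reply, "E2/0", "E0/0"),
        "unsolicited, catch-all E2/0 in": forward({E20_IN: catch_all}, unsolicited, "E2/0", "E0/0"),
    }
```

The last case is the answer to the "is that not a security risk?" question: a catch-all permit at the end of an ACL applied inbound on the Internet-facing interface forwards unsolicited connections into the LAN, so it belongs only where the preceding rules already deny what must not enter.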
 