
How access-lists affect interface traffic

Status
Not open for further replies.

br0ck

MIS
Apr 25, 2002
467
US
I have this config and I want to apply access-list 103 to the Serial0 interface (inbound). Is that going to affect other inbound traffic to the other IPs, or just the citrixpubip?
I basically want to plug the holes to the Citrix server and not deal with the other IPs. I also included a port scan of the citrixpubip at the bottom of the page.

(config)
interface Ethernet0
ip address 192.168.200.254 255.255.255.0
ip nat inside
no ip route-cache
!
interface Serial0
description 128K Lease Line
ip address xx.xx.xx.xx 255.255.xxx.xxx
ip access-group 103 in <----------- this is what I want to do.
ip nat outside
no ip route-cache
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static 192.168.200.32 nonepubip
ip nat inside source static 192.168.200.3 citrixpubip
ip nat inside source static 192.168.200.1 lotuspubip
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.12.0 255.255.255.0 192.168.200.253
ip http server
!
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 101 permit tcp any host 1600pubip established
access-list 101 permit tcp any host lotuspubip eq smtp
access-list 101 permit tcp any host lotuspubip eq 1352
access-list 101 permit tcp any host citrixpubip eq 1494
access-list 101 permit tcp any eq ftp host 1600pubip gt 1023 established
access-list 101 permit tcp any gt 1023 host 1600pubip gt 1023 established
access-list 101 permit icmp any any

access-list 103 permit icmp any any <-- allowing ping in (will be removed)
access-list 103 deny tcp any host citrixpubip eq 25 <--Blocking
access-list 103 deny tcp any host citrixpubip eq 135 <--Blocking
access-list 103 deny tcp any host citrixpubip eq 139 <--Blocking
access-list 103 deny tcp any host citrixpubip eq 445 <--Blocking
access-list 103 deny tcp any host citrixpubip eq 2301 <--Blocking
access-list 103 deny tcp any host citrixpubip eq 8080 <--Blocking
access-list 103 permit tcp any host citrixpubip eq 3389 <-- allowing RDP traffic in
access-list 103 permit tcp any host citrixpubip eq 1494 <-- Allowing citrix traffic in
access-list 103 permit udp any host citrixpubip eq 1604 <-- Allowing citrix traffic in
!
line con 0
exec-timeout 0 0
password
login
transport input none
line vty 0 4
password
login
!
end

(port scan)
C:\Documents and Settings\bmowry>fscan -b citrixpubip
FScan v1.14 - Command line port scanner.
Copyright 2002 (c) by Foundstone, Inc.

No ports provided - using default port list file: "fscanports.txt"
Failed to open the port list file "fscanports.txt"
No port list file found - using built-in TCP list:
10,11,15,21,22,23,25,42,43,53,66,70,79,80,81,88,109,111,113,115,118,119,135,
139,143,150,156,256,259,389,396,427,443,445,465,512,513,514,515,524,593,799,900,
1024,1080,1214,1243,1313,1352,1433,1494,1498,1521,1524,1541,1542,1723,2000,2001,
2003,2049,2140,2301,2447,2766,2998,3268,3300,3306,3389,4045,4321,5556,5631,5632,
5800,5801,5802,6000,6112,6667,7000,7001,7002,7070,7947,8000,8001,8010,8080,8100,
8800-8900,9090,10000,12345,20034,30821,32700-32900

Scan started at Tue Apr 08 13:56:52 2003

Citrixpubip 139/tcp
.....
citrixpubip 1494/tcp
..ICA.
citrixpubip 8080/tcp
HTTP/1.1 400 Bad request..Server: Citrix Web PN Server..Date: Tue, 08 Apr
2003 17:59:07 GMT..Connection: Close....
citrixpubip 25/tcp
citrixpubip 135/tcp
citrixpubip 445/tcp
citrixpubip 2301/tcp
citrixpubip 3389/tcp

Scan finished at Tue Apr 08 13:57:03 2003
Time taken: 398 ports in 10.506 secs (37.88 ports/sec)


Please pass any suggestions on

thanks in advance
 
The Access List will filter ALL incoming packets. It appears you want to filter incoming packets destined for certain ports on your citrix server. This is fine, just remember that Access Lists include an implicit "deny all" at the bottom - meaning that whatever you haven't explicitly allowed will be denied. For example, the following acl will block the citrix ports you've specified as well as all ICMP requests. It will allow all other traffic.

!
access-list 103 deny tcp any host citrixpubip eq 25
access-list 103 deny tcp any host citrixpubip eq 135
access-list 103 deny tcp any host citrixpubip eq 139
access-list 103 deny tcp any host citrixpubip eq 445
access-list 103 deny tcp any host citrixpubip eq 2301
access-list 103 deny tcp any host citrixpubip eq 8080
access-list 103 deny icmp any any
access-list 103 permit ip any any
!
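To make the implicit-deny point concrete, here is a small first-match evaluator for the subset of IOS extended-ACL syntax used in this thread. It is an added example, not code from the thread or from Cisco; it keeps the thread's masked public addresses (citrixpubip, lotuspubip) as symbolic names, and the scanning source address and the packet list are constructed. It replays both versions of access-list 103 against inbound packets for the ports fscan found open, plus mail to the Lotus server and a ping, so you can see which packets each version lets through.

```python
"""First-match evaluator for the 'access-list N permit|deny proto src dst
[eq port]' syntax used in this thread (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names IOS accepts instead of a port number (only those in the thread).
PORT_NAMES = {"smtp": 25, "ftp": 21, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source address
    dst: str                      # destination address as seen on Serial0
    dport: Optional[int] = None   # destination port, None for icmp


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip"
    src: str                      # "any" or a host address
    dst: str                      # "any" or a host address
    dport: Optional[int] = None   # None means any destination port


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one address specifier ('any' or 'host X') at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported address form: %s" % tok[i])


def parse_acl(text: str) -> List[Entry]:
    """Parse ACL lines; the poster's '<--' annotations are stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("<--")[0].strip()
        if not line.startswith("access-list"):
            continue
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            name = tok[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[Entry]]:
    """IOS stops at the first matching entry; no match means the implicit
    deny at the end of the list, reported here with entry None."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.src != "any" and e.src != pkt.src:
            continue
        if e.dst != "any" and e.dst != pkt.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e
    return "deny", None


# The original poster's ACL 103 and the reply's version, copied from the thread.
ORIGINAL_ACL_103 = """
access-list 103 permit icmp any any
access-list 103 deny tcp any host citrixpubip eq 25
access-list 103 deny tcp any host citrixpubip eq 135
access-list 103 deny tcp any host citrixpubip eq 139
access-list 103 deny tcp any host citrixpubip eq 445
access-list 103 deny tcp any host citrixpubip eq 2301
access-list 103 deny tcp any host citrixpubip eq 8080
access-list 103 permit tcp any host citrixpubip eq 3389
access-list 103 permit tcp any host citrixpubip eq 1494
access-list 103 permit udp any host citrixpubip eq 1604
"""
REPLY_ACL_103 = """
access-list 103 deny tcp any host citrixpubip eq 25
access-list 103 deny tcp any host citrixpubip eq 135
access-list 103 deny tcp any host citrixpubip eq 139
access-list 103 deny tcp any host citrixpubip eq 445
access-list 103 deny tcp any host citrixpubip eq 2301
access-list 103 deny tcp any host citrixpubip eq 8080
access-list 103 deny icmp any any
access-list 103 permit ip any any
"""

# Constructed inbound traffic (198.51.100.7 is a documentation address).
SAMPLE_TRAFFIC = [
    Packet("tcp", "198.51.100.7", "citrixpubip", 139),
    Packet("tcp", "198.51.100.7", "citrixpubip", 1494),
    Packet("tcp", "198.51.100.7", "citrixpubip", 8080),
    Packet("udp", "198.51.100.7", "citrixpubip", 1604),
    Packet("tcp", "198.51.100.7", "lotuspubip", 25),
    Packet("icmp", "198.51.100.7", "citrixpubip"),
]


def verdicts(acl_text: str, traffic=SAMPLE_TRAFFIC):
    """Map (proto, dst, dport) of each packet to the action the ACL gives it."""
    entries = parse_acl(acl_text)
    return {(p.proto, p.dst, p.dport): evaluate(entries, p)[0] for p in traffic}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL_103), ("reply", REPLY_ACL_103)):
        print(label)
        for key, action in verdicts(acl).items():
            print("  %-5s %-12s %-5s -> %s" % (key[0], key[1], key[2], action))
```

Run it and the difference shows up on the lotuspubip line: the original ACL never mentions the Lotus server, so SMTP to it falls through to the implicit deny, while the reply's version reaches `permit ip any any`. Two practical notes: on an IOS NAT outside interface the inbound ACL is evaluated before the outside-to-inside translation, so matching on the public (pre-NAT) addresses, as both ACLs do, is correct; and the original ACL also has no entry for return traffic to the overloaded Serial0 address, so with that version even replies to outbound connections from the inside LAN would be dropped.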
 
What portscan tools do you recommend and could you give me an example on how you'd use one to scan a series of ports simultaneously... I need to check our 2600 routers for any foul play so I thought to use Sniffer Pro or EtherPeek and try to filter out a variety of stuff BUT I've never used a portscan tool before.. Any help would be greatly appreciated!

GT
 
For a real check use either NMAP or Nessus against the router. A quicky check can be had by something like Superscan or Netscan. Be warned the faster scans can sometimes lock up the target because of how the scan is conducted. It is possible to do a stealthy scan by using either the FIN or SYN bits set on the IP handshake packets.

MikeS

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 