From: Ron Trunk (rtrunk@xxxxxxxxxxxxx)
Date: Fri Jul 09 1999 - 14:43:49 GMT-3
If you're running 12.0, you could use reflexive access-lists for
telnet and not open up all other ports.
In a "real-world" network, you would put your FTP and other public
hosts on a DMZ net (B3). That would let you make connections without
opening up the rest of the network.
Ron
9 days...
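The reflexive-access-list approach Ron describes, written out as an added example (this is not from the original thread and is not Ron's or Ben's configuration). It assumes constructed addressing, netA2 = 10.1.2.0/24 behind routerA and netB2 = 10.2.2.0/24 behind routerB, and that routerA's link toward routerB is Serial0; it goes beyond Ron's note by also carrying the FTP, TFTP, SMTP/WWW and ping requirements from the original question so the two lists can be compared with access-list 101 below.

```cisco
! Added example; addressing and interface name are assumptions.
!   netA2 = 10.1.2.0/24 (behind routerA)
!   netB2 = 10.2.2.0/24 (behind routerB)
!   routerA Serial0 faces routerB
! Reflexive lists need named extended ACLs (IOS 11.3 and later).
!
! Outbound toward B: a telnet SYN from netA2 creates a temporary entry in
! the reflexive list TELNET-REPLY with source/destination and ports swapped.
! Telnet from anywhere else (e.g. netA1) falls through to the final deny.
ip access-list extended A-TO-B
 permit tcp 10.1.2.0 0.0.0.255 any eq telnet reflect TELNET-REPLY timeout 300
 deny   tcp any any eq smtp
 deny   tcp any any eq www
 permit tcp any eq ftp 10.2.2.0 0.0.0.255 established
 permit tcp any eq ftp-data 10.2.2.0 0.0.0.255
 permit udp any any eq tftp
 permit udp any any gt 1023
 permit icmp any any
 deny   ip any any
!
! Inbound from B: evaluate is the point where the temporary TELNET-REPLY
! entries are checked, so no "permit tcp netB2 netA2 gt 1023" is needed.
ip access-list extended B-TO-A
 evaluate TELNET-REPLY
 permit tcp 10.2.2.0 0.0.0.255 any eq ftp
 deny   tcp any any eq smtp
 deny   tcp any any eq www
 permit udp any any eq tftp
 permit udp any any gt 1023
 permit icmp any any
 deny   ip any any
!
interface Serial0
 ip access-group A-TO-B out
 ip access-group B-TO-A in
```

The reflexive entry only matches return traffic that uses the same address and port pair as the session that created it, which is why this example still uses static entries for FTP and TFTP: active-mode FTP opens the data connection from the server's port 20, and a TFTP server answers from a new ephemeral port rather than from 69, so neither would match a reflected entry. The "udp any any gt 1023" line is the price of TFTP here; closing it requires the IOS Firewall feature set (CBAC, "ip inspect"), which understands ftp and tftp.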
-----Original Message-----
From: Ben Rife <brife@bignet.net>
To: ccielab@groupstudy.com <ccielab@groupstudy.com>
Date: Friday, July 09, 1999 1:19 PM
Subject: Access-List Problem
4 days and counting....
netA1
|
| <--- inbound Access-list
netA2-----routerA----------routerB--------netB2
|
|
netB1
Question, what does the access-list look like if you want to do the
following:
1. Permit telnet only if originated from netA2
2. Permit ftp only if established from netB2
3. Permit tftp both ways
4. Deny SMTP and WWW
5. Permit ping from everywhere
This is what I came up with as a solution. Is it correct? It leaves
many open ports, etc. Is there another way to handle the incoming
telnet and tftp sessions other than the way I did it? Is there a case
for "established" here? Please scrutinize my logic here.
access-list 101 permit udp any any eq tftp          permit tftp out
access-list 101 permit icmp any any                 permit ping any to any
access-list 101 deny tcp any any eq smtp            deny smtp any to any
access-list 101 deny tcp any any eq www             deny www any to any
access-list 101 permit tcp netB2 any eq ftp         permit ftp netB2 to any
access-list 101 permit udp any any gt 1023          permit tftp reply out,
                                                    as well as snmp reply
                                                    for example
access-list 101 permit tcp netB2 netA2 gt 1023      permit incoming telnet
                                                    session and all other
                                                    tcp sessions not
                                                    explicitly denied
                                                    earlier; for example,
                                                    ftp is allowed
access-list 101 permit udp any any eq rip           in case that intf has
                                                    a rip neigh
Benjy Rife
MCSE, CNE, CCIE Candidate
brife@bignet.net
www.bignet.net/~brife
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:21:41 GMT-3