You can filter easily on the subnet or by each IP address. The easiest list will be numbered from 1-99 and is a plain old IP access list. 100-199 is for extended IP filtering and will let you filter on protocols along with IPs. There are a couple of ways to do the list: one is to list each IP on its own, or if they are consecutive, you could use a wildcard mask so it's all done in just one statement.
From a security standpoint, the extended IP list can be made more secure, so you could say: let these 4 IPs in, only allow TCP (or IP or UDP) traffic, block everything else like ICMP and so on.
access-list 107 deny ip 211.0.0.0 0.255.255.255 any log
access-list 107 deny ip 210.0.0.0 0.255.255.255 any log
access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 172.0.0.0 0.255.255.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 255.0.0.0 0.255.255.255 any log
access-list 107 deny ip 224.0.0.0 0.255.255.255 any log
access-list 107 deny ip 192.168.50.0 0.0.0.255 any log
access-list 107 deny icmp any any echo log
access-list 107 deny tcp any any eq finger
access-list 107 permit udp any any eq syslog
access-list 107 permit tcp host 192.168.1.10 any log
access-list 107 permit ip any any
This list blocks on the inbound all private IPs, multicast and a big block from Korea (211.x.x.x, 210.x.x.x). It denies ICMP echoes and finger. UDP is permitted as long as it's SYSLOG, and ANY TCP traffic to host 192.168.1.10 is permitted. The final line is to allow all the rest of the IP traffic on the interface. The log at the end says the exceptions will be logged, which is pointed to the syslog server.
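To show how these entries actually match, here is an added Python example (not from MikeS's post) that evaluates the post's access-list 107 against sample packets using IOS wildcard-mask and first-match semantics. The port-keyword table and the small parser are my own assumptions and cover only the syntax the list above uses.

```python
import ipaddress
# Sample input, constructed from the post: its access-list 107 entries with the list number stripped.
ACL_107 = """\
deny ip 211.0.0.0 0.255.255.255 any log
deny ip 210.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 255.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 0.255.255.255 any log
deny ip 192.168.50.0 0.0.0.255 any log
deny icmp any any echo log
deny tcp any any eq finger
permit udp any any eq syslog
permit tcp host 192.168.1.10 any log
permit ip any any""".splitlines()
PORTS = {"finger": 79, "syslog": 514}  # IOS port keywords the list uses (assumed mapping)

def take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' from tok; return (addr, wildcard, remaining tokens)."""
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return int(ipaddress.ip_address(tok[1])), 0, tok[2:]
    return int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1])), tok[2:]

def parse_entry(line):
    """Parse one extended entry; port/ICMP-type qualifiers follow the destination, as in the post."""
    tok = line.split()
    src, swc, rest = take_addr(tok[2:])
    dst, dwc, rest = take_addr(rest)
    qual = [t for t in rest if t != "log"]
    return {"action": tok[0], "proto": tok[1], "src": src, "swc": swc, "dst": dst, "dwc": dwc,
            "port": int(PORTS.get(qual[1], qual[1])) if qual[:1] == ["eq"] else None,
            "icmp_type": qual[0] if tok[1] == "icmp" and qual else None, "log": "log" in rest}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means that address bit is not compared."""
    return (addr ^ base) & (wildcard ^ 0xFFFFFFFF) == 0

def evaluate(acl, src, dst, proto, dport=None, icmp_type=None):
    """First match wins, as on IOS: returns (action, matched entry, logged); no match is the implicit deny."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for line in acl:
        e = parse_entry(line)
        if (e["proto"] in ("ip", proto) and wildcard_match(s, e["src"], e["swc"])
                and wildcard_match(d, e["dst"], e["dwc"])
                and e["port"] in (None, dport) and e["icmp_type"] in (None, icmp_type)):
            return e["action"], line, e["log"]
    return "deny", "implicit deny", False
```

Calling evaluate() with a spoofed 10.x source, an ICMP echo, a finger probe, a syslog datagram and a TCP session from 192.168.1.10 shows which entry each one hits and whether that entry logs.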
MikeS
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu