ACL help...


dvtestguy (Technical User; joined Dec 8, 2005; 109 messages; location: US)
Server 10.15.8.244 -- C7204 Firewall ACL's (10.115.28.1) -- 10.115.28.20 Proxy -- 10.115.28.3 and 10.115.28.4 PC's.

Set up Firewall ACL's to let 10.115.28.x ping 10.15.8.x, but it should not be able to communicate in any other way with 10.15.8.x...but 10.15.8.244 should talk to 10.115.28.40

See config below...

int for 7204
interface FastEthernet0/0
ip address 10.115.28.1 255.255.255.0
ip access-group 102 in
ip access-group 103 out
ip nat outside


access-list 102 permit tcp host 10.15.12.40 host 10.115.28.20 eq www

access-list 102 permit tcp host 10.115.28.3 10.15.0.0 0.0.255.255 eq www
access-list 102 permit tcp host 10.115.28.3 10.15.0.0 0.0.255.255 eq 443
access-list 102 permit tcp host 10.115.28.3 10.115.0.0 0.0.255.255 eq www
access-list 102 permit tcp host 10.115.28.3 10.115.0.0 0.0.255.255 eq 443

access-list 102 permit tcp host 10.115.28.4 10.15.0.0 0.0.255.255 eq www
access-list 102 permit tcp host 10.115.28.4 10.15.0.0 0.0.255.255 eq 443
access-list 102 permit tcp host 10.115.28.4 10.115.0.0 0.0.255.255 eq www
access-list 102 permit tcp host 10.115.28.4 10.115.0.0 0.0.255.255 eq 443

access-list 102 permit icmp 10.0.0.0 0.255.255.255 any
access-list 102 permit tcp any 10.0.0.0 0.255.255.255 established


access-list 103 permit icmp 10.0.0.0 0.255.255.255 any
access-list 103 permit tcp 10.115.28.20 255.255.255.255 host 10.15.8.240 eq 80
access-list 103 permit tcp host 10.115.28.3 host 10.115.28.20 eq 80
access-list 103 permit tcp host 10.115.28.4 host 10.115.28.20 eq 80

access-list 103 permit tcp host 10.115.28.20 host 10.115.28.3 established
access-list 103 permit tcp host 10.115.28.20 host 10.115.28.4 established

access-list 103 permit tcp any 10.0.0.0 0.255.255.255 established


 
So to summarise, your requirements are:

1. Allow ICMP ping from 10.115.28.x to 10.15.8.x
2. Deny all other traffic from 10.115.28.x to 10.15.8.x
3. All traffic to be allowed from 10.15.8.244 to 10.115.28.40.

Based on *just* these parameters and using the same acl numbers you are currently using, you need the following:

access-list 102 permit icmp 10.115.28.0 0.0.0.255 10.15.8.0 0.0.0.255 echo
access-list 102 permit tcp host 10.115.28.40 host 10.15.8.244 established
access-list 102 permit udp host 10.115.28.40 host 10.15.8.244 gt 1023
access-list 102 permit icmp host 10.115.28.40 host 10.15.8.244 echo-reply
access-list 102 permit icmp host 10.115.28.40 host 10.15.8.244 time-exceeded


access-list 103 permit icmp 10.15.8.0 0.0.0.255 10.115.28.0 0.0.0.255 echo-reply
access-list 103 permit ip host 10.15.8.244 host 10.115.28.40

The last 4 entries in acl 102 are basically to satisfy the last requirement, to allow all reply traffic from 10.115.28.40 back to the originating host 10.15.8.244.
 
KiscoKid,

Correct on the summary...Would the config you sent be in place of or added to what I already have?

Thanks,
 
The rules I defined are a lot stricter and purely based on the requirements you originally stated.

I just reviewed your original acl's and they are a lot more open and offer additional connectivity between hosts that you haven't mentioned in your requirements (e.g. the http and ssl access between certain hosts).

If the requirements you've outlined are the only connectivity required between these 2 networks, then your original acl's can be removed and you should be able to apply the acl's I've defined.

Hope this helps. Let me know if you need any further clarification on anything.
 
I just realized an ip error...10.115.28.40 should be 10.15.12.40.

[Server 10.15.8.244 -- C7204 Firewall ACL's (10.115.28.1) -- 10.15.12.40 Proxy -- 10.115.28.3 and 10.115.28.4 PC's.]

I do need 80/443 open between hosts 10.115.28.x PC's <-> 10.15.12.40

The main thing I'm trying to accomplish is that the 10.115.28.x PC's/hosts can "only" initiate communication to 10.15.8.244 via ports 80/433, but not in reverse...i.e., 10.15.8.244 cannot initiate to 10.115.28.x


 
1. Allow ICMP ping from 10.115.28.x to 10.15.8.x
2. Deny all other traffic from 10.115.28.x to 10.15.8.x
3. All traffic to be allowed from 10.15.8.244 to 10.15.12.40.
4. Allow 80/443 between 10.115.28.x <-> 10.15.12.40


 
The 10.115.28.x device is one of the PC's that are NAT'd.

ipExternal="10.15.12.156" ipInternal="10.115.28.5"
 
When I enable the ACL's you sent, I lose connectivity to 10.115.28.5 (NAT 10.15.12.156)
 
KiscoKid...any ideas?
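To see what the proposed lists actually permit, here is an added Python model of IOS ACL matching (wildcard masks, host/any, the established keyword, ICMP type keywords and the implicit deny); it is not code from the thread or from Cisco, and the packet port numbers it uses are constructed. It replays requirements 1 to 3, the later requirement 4 (80/443 to the corrected proxy 10.15.12.40) and a packet to the NAT'd PC's translated address 10.15.12.156: the last two match no permit entry and fall to the implicit deny, which is consistent with the connectivity loss reported above.

```python
import ipaddress

def wildcard_match(addr, spec):
    """Cisco address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; 1 bits in W are don't-care."""
    if spec == "any":
        return True
    base, wild = (spec.split()[1], "0.0.0.0") if spec.startswith("host ") else spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care
def ace_matches(ace, pkt):
    """ace = (proto, src_spec, dst_spec, qualifier); qualifier is None, 'established', 'eq N'/'gt N' or an ICMP type."""
    proto, src, dst, qual = ace
    if (proto != "ip" and proto != pkt["proto"]) or not (
            wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst)):
        return False
    if qual is None:
        return True
    if qual == "established":  # TCP segment with ACK or RST set, i.e. part of a session already opened
        return pkt.get("established", False)
    if qual.startswith(("eq ", "gt ")):  # destination-port test
        op, port = qual.split()
        return pkt.get("dport") == int(port) if op == "eq" else pkt.get("dport", 0) > int(port)
    return pkt.get("icmp_type") == qual  # ICMP type keyword such as 'echo' or 'echo-reply'
def evaluate(acl, pkt):
    """First matching entry wins; no match falls to the implicit deny that ends every IOS ACL."""
    return "permit" if any(ace_matches(ace, pkt) for ace in acl) else "deny"
# Constructed model of the permit entries KiscoKid proposed (typed here, not router output).
ACL_102_IN = [  # inbound on Fa0/0: traffic sourced from the 10.115.28.x side
    ("icmp", "10.115.28.0 0.0.0.255", "10.15.8.0 0.0.0.255", "echo"),
    ("tcp", "host 10.115.28.40", "host 10.15.8.244", "established"),
    ("udp", "host 10.115.28.40", "host 10.15.8.244", "gt 1023"),
    ("icmp", "host 10.115.28.40", "host 10.15.8.244", "echo-reply"),
    ("icmp", "host 10.115.28.40", "host 10.15.8.244", "time-exceeded"),
]
ACL_103_OUT = [  # outbound on Fa0/0: traffic heading toward the 10.115.28.x side
    ("icmp", "10.15.8.0 0.0.0.255", "10.115.28.0 0.0.0.255", "echo-reply"),
    ("ip", "host 10.15.8.244", "host 10.115.28.40", None),
]
def pkt(proto, src, dst, **fields): return {"proto": proto, "src": src, "dst": dst, **fields}

def check_requirements():
    """Replay the thread's numbered requirements and the later NAT report through the proposed lists."""
    return {
        "1_pc_pings_server": evaluate(ACL_102_IN, pkt("icmp", "10.115.28.3", "10.15.8.244", icmp_type="echo")),
        "2_pc_opens_http_to_server": evaluate(ACL_102_IN, pkt("tcp", "10.115.28.3", "10.15.8.244", dport=80)),
        "3_server_to_proxy": evaluate(ACL_103_OUT, pkt("tcp", "10.15.8.244", "10.115.28.40", dport=8080)),
        "4_pc_https_to_corrected_proxy": evaluate(ACL_102_IN, pkt("tcp", "10.115.28.3", "10.15.12.40", dport=443)),
        "pc_to_translated_nat_address": evaluate(ACL_102_IN, pkt("tcp", "10.115.28.3", "10.15.12.156", dport=80)),
    }
```

Any entry needed for requirement 4 or for the translated address would have to be added to both lists before the implicit deny, and the original user's ACL 102/103 lines that were removed are what had been carrying that traffic.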
 