
can someone check this syntax and advise me of any security problems

Status
Not open for further replies.

caswcu

Technical User
Feb 16, 2005
93
US
I might encounter?

I believe for each IP I want to allow through I'll have to add another access-list line for their IP.

START->>>>

access-list UPS_Outside permit tcp host 69.248.xxx.xxx any eq 22011

access-group UPS_Outside in interface outside

static (inside,outside) tcp interface 22011 192.168.1.150 22011
netmask 255.255.255.255 0 0

END....
 
Yes, for every IP address you want permitted, you'll need to add another line, as long as the connection originates from the outside.

Computer/Network Technician
CCNA
 
Thanks lloydserv. You've been very helpful! Last question: does the syntax I typed pose any security risks?
 
Well, the biggest thing is... does that external 69.248.*.* IP address need access to every internal host? If not, I'd limit it to the host it needs access to, to reduce the security risk.

If something bad happens, and your security protocols fall into question, it's always better to have gone farther than needed, than to have people questioning if you went far enough.

Computer/Network Technician
CCNA
 
lloydsev

Isn't the following statement only allowing it to 192.168.1.150?

static (inside,outside) tcp interface 22011 192.168.1.150 22011
netmask 255.255.255.255 0 0
 
You'll want to specify that in your ACL as well.

Computer/Network Technician
CCNA
 
Can you show me the syntax? I'm a little lost.
 
access-list UPS_Outside permit tcp host 69.248.*.* host 192.168.1.150 eq 22011

Computer/Network Technician
CCNA
 
access-list UPS_Outside permit tcp host 69.248.2.2 host 192.168.1.150 eq 22011

access-list UPS_Outside permit tcp host 69.248.4.4 host 192.168.1.150 eq 22011

Would that allow 69.248.2.2 and 69.248.4.4 in?
 
Correct, on TCP port 22011, only to internal host 192.168.1.150.

Computer/Network Technician
CCNA
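To make the difference between the original `any` entries and the narrowed `host 192.168.1.150` entries concrete, here is an added example (not from this thread or from Cisco) that parses the access-list lines as written and evaluates sample flows against them, first match wins and an implicit deny at the end. It is a simplified matcher: it applies the source, destination and port fields literally and does not model the firewall's NAT order of operations, so the ACL lines, host addresses and flows are constructed from the thread for illustration only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACLs in the two forms discussed in the thread (example data only).
ACL_BROAD = [
    "access-list UPS_Outside permit tcp host 69.248.2.2 any eq 22011",
]
ACL_NARROW = [
    "access-list UPS_Outside permit tcp host 69.248.2.2 host 192.168.1.150 eq 22011",
    "access-list UPS_Outside permit tcp host 69.248.4.4 host 192.168.1.150 eq 22011",
]


@dataclass
class Ace:
    """One access-control entry: action, protocol, source, destination, optional dst port."""
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host X' or 'X MASK' starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX-style ACLs use a normal subnet mask (not a wildcard mask) after the address.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported access-list line: {line}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1])
    return Ace(name, action, proto, src, dst, dport)


def evaluate(acl_lines: List[str], proto: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'permit' or 'deny' for a flow; first matching entry wins, no match is an implicit deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dst_port:
            continue
        return ace.action
    return "deny"


def compare(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str]]:
    """Evaluate each (proto, src, dst, port) flow under both ACLs; returns (broad, narrow) verdicts."""
    return [(evaluate(ACL_BROAD, *f), evaluate(ACL_NARROW, *f)) for f in flows]


if __name__ == "__main__":
    sample_flows = [
        ("tcp", "69.248.2.2", "192.168.1.150", 22011),  # the intended host and port
        ("tcp", "69.248.2.2", "192.168.1.10", 22011),   # same source, a different internal host
        ("tcp", "69.248.4.4", "192.168.1.150", 22011),  # second permitted source
        ("tcp", "69.248.3.3", "192.168.1.150", 22011),  # source not listed
        ("tcp", "69.248.2.2", "192.168.1.150", 22),     # listed source, wrong port
    ]
    for flow, (broad, narrow) in zip(sample_flows, compare(sample_flows)):
        print(f"{flow}: any-destination ACL -> {broad:6}  host-destination ACL -> {narrow}")
```

The second sample flow is the one the thread is about: with `any` as the destination, the permitted external address can reach port 22011 on every internal host that the firewall exposes, whereas the `host 192.168.1.150` form confines it to the one host the static maps.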
 