Cisco 1720 Extended Access List

grberk (IS-IT--Management, joined Oct 3, 2002):
Can someone assist me with setting up an Extended Access List?

I want to block all incoming traffic to the internal side of my router, except for Telnet, SMTP, DNS, POP3, HTTP, SSL, FTP, Terminal Server (3389) and Remote Administrator (4899).

External Address 10.10.1.10 (S0)
Internal Address 172.16.10.1 (F0)

Any assistance would be greatly appreciated. I don't have very good documentation that covers this...
 
Are you running SMTP, SSH, DNS, POP3 and FTP servers on your network that you want others out on the Internet to be able to access?

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Yes. I need to have access to only the standard Internet-related ports (plus the remote admin), and I don't want anyone to get to any other ports (i.e. SQL, NetBIOS, etc.)...
 
The ACL will need to permit access to the specific addresses that those services run on. You don't want to open up your entire network to all those ports. Also, are you doing NAT on the router to translate global IPs to private 172.16 addresses, or are you port forwarding traffic to internal hosts? For example, I allow port 3389 into my router only from my work IP address and port forward it to my PC (192.168.3.2) so that I can log on to my home PC from the office ...

ip nat inside source static tcp 192.168.3.2 3389 interface ATM0.1 3389
ip classless
!
access-list 105 remark ** Inbound access list to deny port 3389 traffic from any source other than the office **
access-list 105 permit tcp host <office IP> any eq 3389 log
access-list 105 deny tcp any any eq 3389 log
access-list 105 permit ip any any
!

So, I can do Remote Desktop from the office, but anyone else attempting to access my desktop from any other IP address will be denied by ACL 105.

If I was running other services such as an SMTP server, SSH server etc I could put similar statements in.

To be honest, if you are running a network with all these services running on it then a firewall would be a far better option than a router. It would provide better security, and something like a PIX or FW-1 would also provide full stateful inspection. However, if you are looking at doing it "on the cheap" then it can be done on a router, but you have less functionality, just simple packet filtering.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 

You need to set up an access-list and a NAT static translation for each service.

router(config)#
access-list 174 permit tcp any host 10.10.1.10 eq 80
access-list 174 permit tcp any host 10.10.1.10 eq 21
access-list 174 deny ip any any

in F0
ip nat inside source static tcp 172.16.10.1 80 10.10.1.10 80

 
Don't forget that you will need to allow "established" traffic back in as well, otherwise all traffic from the inside network won't work, as the reply will be dropped on the way back in. Router ACLs aren't stateful.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
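Pulling the thread's pieces together (the per-service permit lines and static translations, the office-only rule for 3389 from Chris's ACL 105, and the "established" line), the following is a complete configuration for the setup grberk described. It is an added example, not configuration posted by anyone in the thread. It assumes Serial0 is the outside interface holding 10.10.1.10 and FastEthernet0 the inside interface holding 172.16.10.1 as stated in the question, that all public services sit on a single inside host 172.16.10.20 (a hypothetical address chosen for the example), and that `<office IP>` is a placeholder for the one source allowed to reach the remote-administration ports, exactly as in Chris's post.

```cisco
! Added example (not from the thread). Assumed: Serial0 = outside 10.10.1.10,
! FastEthernet0 = inside 172.16.10.1, services on inside host 172.16.10.20
! (hypothetical), <office IP> = the only source allowed to administer remotely.
!
interface Serial0
 ip address 10.10.1.10 255.255.255.0
 ip nat outside
 ! The inbound ACL is checked BEFORE outside-to-inside NAT, so it must match
 ! the global address 10.10.1.10, not the 172.16.10.x host behind it.
 ip access-group 174 in
!
interface FastEthernet0
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
!
! One static port translation per published service: 10.10.1.10:<port> -> inside host.
ip nat inside source static tcp 172.16.10.20 23   10.10.1.10 23
ip nat inside source static tcp 172.16.10.20 25   10.10.1.10 25
ip nat inside source static tcp 172.16.10.20 53   10.10.1.10 53
ip nat inside source static udp 172.16.10.20 53   10.10.1.10 53
ip nat inside source static tcp 172.16.10.20 110  10.10.1.10 110
ip nat inside source static tcp 172.16.10.20 80   10.10.1.10 80
ip nat inside source static tcp 172.16.10.20 443  10.10.1.10 443
ip nat inside source static tcp 172.16.10.20 21   10.10.1.10 21
ip nat inside source static tcp 172.16.10.20 3389 10.10.1.10 3389
ip nat inside source static tcp 172.16.10.20 4899 10.10.1.10 4899
! Outbound traffic from the rest of the LAN is overloaded (PAT) onto Serial0.
ip nat inside source list 10 interface Serial0 overload
access-list 10 permit 172.16.10.0 0.0.0.255
!
! Inbound filter on the outside interface. First match wins, so order matters.
access-list 174 remark ** Inbound from the Internet on Serial0 **
! Replies to TCP connections opened from inside (ACK or RST set). Router ACLs
! are not stateful; without this line every outbound session is broken.
access-list 174 permit tcp any any established
! Public services, addressed to the outside address only (never "any any").
access-list 174 permit tcp any host 10.10.1.10 eq 25
access-list 174 permit tcp any host 10.10.1.10 eq 53
access-list 174 permit udp any host 10.10.1.10 eq 53
access-list 174 permit tcp any host 10.10.1.10 eq 110
access-list 174 permit tcp any host 10.10.1.10 eq 80
access-list 174 permit tcp any host 10.10.1.10 eq 443
access-list 174 permit tcp any host 10.10.1.10 eq 21
! Remote administration and Telnet only from the office, logged, as in ACL 105.
access-list 174 permit tcp host <office IP> host 10.10.1.10 eq 23 log
access-list 174 permit tcp host <office IP> host 10.10.1.10 eq 3389 log
access-list 174 permit tcp host <office IP> host 10.10.1.10 eq 4899 log
! UDP has no "established"; let DNS answers back to inside resolvers.
access-list 174 permit udp any eq 53 any
! Everything else (NetBIOS, SQL, 3389 from anywhere else, the router's own
! VTY from the Internet) is dropped and logged.
access-list 174 deny ip any any log
```

Two caveats a practitioner would check before relying on this. First, `established` only matches TCP segments with ACK or RST set, so it does not help UDP or ICMP; the separate `permit udp any eq 53 any` line is what keeps name resolution from inside working, and anything else UDP-based needs its own line. Second, active-mode FTP from inside clients opens a data connection inbound from the server's port 20, which this ACL drops; either use passive mode on the clients or add a `permit tcp any eq 20 any` line, accepting that it opens every inside port to any host claiming source port 20. Those are exactly the gaps that make the stateful PIX or FW-1 Chris mentions the better option.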
 