Hi all - Can someone help me with setting up extended ACLs to block open ports? Below is my 2600 router config, I only want to allow ports 21, 25, 110, 80, 53, and 23 to be accessible from the outside. Not sure how to go about doing this.
!
!
!
interface Ethernet0/0
description Private
ip address 10.0.0.3 255.0.0.0
ip nat inside
no ip route-cache
no ip mroute-cache
full-duplex
no cdp enable
!
interface Serial0/0
no ip address
no ip mroute-cache
shutdown
!
interface Ethernet0/1
description Public
ip address dhcp
no ip unreachables
ip nat outside
ip dhcp relay information trusted
no ip route-cache
no ip mroute-cache
half-duplex
no cdp enable
!
ip nat inside source list 102 interface Ethernet0/1 overload
ip nat inside source static tcp x.x.x.x 80 interface Ethernet0/1 80
ip nat inside source static tcp x.x.x.x 21 interface Ethernet0/1 21
ip nat inside source static tcp x.x.x.x 25 interface Ethernet0/1 25
ip nat inside source static tcp x.x.x.x 3389 interface Ethernet0/1 3389
ip nat inside source static tcp x.x.x.x 22 interface Ethernet0/1 22
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
!
logging trap debugging
logging source-interface Ethernet0/1
logging 10.0.0.8
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
!
line con 0
speed 115200
line aux 0
line vty 0 4
password xxxxx
login
!
!
end
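Worked example, added here and not taken from the original post or any reply in the thread: an extended ACL for the config above that lets only the six requested ports in on Ethernet0/1 and still lets replies to inside-initiated sessions back through NAT. The ACL number 110, the use of `any` as destination (the public address is assigned by DHCP), and the return-traffic and ICMP lines are my assumptions, not something the poster asked for.

```cisco
! Inbound ACL on the public interface. On IOS an inbound ACL is checked
! BEFORE outside-to-inside NAT, so the destination seen here is the public
! (DHCP) address, not the x.x.x.x inside hosts; "any" is used for that reason.
!
access-list 110 remark --- services published to the outside (assumed list) ---
access-list 110 permit tcp any any eq 21
access-list 110 permit tcp any any eq 25
access-list 110 permit tcp any any eq 110
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 53
access-list 110 permit udp any any eq 53
access-list 110 permit tcp any any eq 23
!
access-list 110 remark --- replies to sessions opened from 10.0.0.0/24 (PAT via list 102) ---
access-list 110 permit tcp any any established
access-list 110 permit udp any eq 53 any gt 1023
!
access-list 110 remark --- the router's own DHCP lease on Ethernet0/1 ---
access-list 110 permit udp any eq 67 any eq 68
!
access-list 110 remark --- diagnostic ICMP only; everything else dropped and logged ---
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny ip any any log
!
! Note: passive-mode FTP data connections to the port-21 server use high
! ports that neither this ACL nor the static NAT entries cover, so only
! active-mode transfers will work through this filter.
!
interface Ethernet0/1
 ip access-group 110 in
```

With this applied the static NAT forwards for 3389 and 22 in the config are no longer reachable from outside, since those ports are not in the permit list; drop those two `ip nat inside source static` lines or add permits for them deliberately. The `established` keyword only matches TCP flags, so for stateful handling of return traffic look at IOS reflexive ACLs or CBAC (`ip inspect`) instead.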