
Re: Cisco access control



Rick Hicks wrote:
> 
> At 04:22 PM 4/15/96 -0400, Deloach, Scott D. SSgt wrote:
> 
> >Can Anyone give me an example of what a Cisco access list would look like
> >to give incoming access to SMTP access to a single IP and HTTP access to
> >another IP and deny everything else?

This is a very strict configuration.  Make sure that you don't want any outgoing connections
going through this router.  If you do want outgoing connections, email me for more help.
If all you want is an access list for a router which only connects an email server
and a Web server to the Internet, then read on...

> 
> In global config mode: (that is, after doing an enable, and then doing a "conf t")
> 
> access-list 101 permit tcp any host <your mail relay IP> eq 25
> access-list 101 permit tcp any host <your web server IP> eq 80
> access-list 101 permit tcp any host <your mail relay IP> established
> access-list 101 permit tcp any host <your web server IP> established
> 
> In interface config mode for the interface with the Internet, or incoming,
> connection:
> 
> ip access-group 101 in
>
> The first two rules allow hosts to open SMTP and HTTP connections to your
> specified hosts.  The second two allow 'established' connections to continue
> communications with the hosts.  The last applies the access-group to the
> interface, screening packets that are incoming.  The Cisco IOS will, by
> default, deny all other connections.  There are differences in Cisco IOS
> versions that may not allow the use of the 'host' or 'any' keywords, so as
> always consult your documentation or check out Cisco's web site; all of
> their docs are online there.

While Rick's configuration will do what you want, it will also let a lot of other
connections that you don't need in and out...
Here is my recommendation:

access-list 101 permit tcp any gt 1023 host <your mail host IP> eq 25
access-list 102 permit tcp host <your mail host IP> eq 25 any gt 1023 established
access-list 101 permit tcp any gt 1023 host <your web host IP> eq 80
access-list 102 permit tcp host <your web host IP> eq 80 any gt 1023 established
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any parameter-problem
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any ttl-exceeded
access-list 102 permit icmp any any parameter-problem
access-list 101 deny ip any any log
access-list 102 deny ip any any log

For the interface that you want to filter on:
interface <your Internet-facing interface>
ip access-group 101 in
ip access-group 102 out
(Do your filtering on the interface closest to the Internet)

Here is what all that means:
There are two access-lists: 101, for incoming packets, and 102 for outgoing.
The first line allows a connection from any client to your mail server.
The second line allows the data to be passed back.
The third line allows a connection from any client to your web server.
The fourth line allows the data to be passed back.
The icmp lines allow only the most important icmp packets to pass in and out.
The second to last line denies any other packets trying to come in (and logs them... email me for more info.)
The last line denies any other packets going back out (which prevents a lot of other things that you don't want to worry about.)
Also, the router will translate all known ports into English.  For example,
it will translate 25 into smtp and 80 into www.
Try that out... You will probably find that it is a bit too restrictive, but that's how you learn
what you want.
This is a secure setup, but it's better to be secure than sorry.

Louie
louie@arsnet.com
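As an added example (not part of Louie's post and not Cisco code), here is a small Python evaluator that parses the two access lists above, with the ICMP lines given the destination `any` and the `parameter-problem` spelling that IOS requires, and runs constructed packets through them using IOS first-match semantics with an implicit deny at the end. The host addresses are constructed stand-ins for the `<your mail host IP>` and `<your web host IP>` placeholders; the Internet clients are constructed too. It models only the syntax these twelve lines use.

```python
# Added example (not from the original post, not Cisco code): a toy first-match
# evaluator for access lists 101 (inbound) and 102 (outbound) from the reply.
# Only the syntax those lines use is modelled: tcp/icmp/ip, 'any', 'host X',
# 'eq N'/'gt N', 'established', one ICMP type keyword, and 'log'.
from collections import defaultdict
from dataclasses import dataclass

MAIL_HOST = "192.0.2.25"  # constructed stand-in for <your mail host IP>
WEB_HOST = "192.0.2.80"   # constructed stand-in for <your web host IP>

ACL_CONFIG = f"""
access-list 101 permit tcp any gt 1023 host {MAIL_HOST} eq 25
access-list 102 permit tcp host {MAIL_HOST} eq 25 any gt 1023 established
access-list 101 permit tcp any gt 1023 host {WEB_HOST} eq 80
access-list 102 permit tcp host {WEB_HOST} eq 80 any gt 1023 established
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any parameter-problem
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any ttl-exceeded
access-list 102 permit icmp any any parameter-problem
access-list 101 deny ip any any log
access-list 102 deny ip any any log
"""

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False    # TCP ACK or RST bit set: all that 'established' tests
    icmp_type: str = ""  # IOS keyword for the ICMP type, e.g. "echo"

def _addr(t, i):
    """Consume 'any' or 'host A.B.C.D'; return (matcher, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    want = t[i + 1]                      # 'host A.B.C.D' is the only other form used
    return (lambda ip: ip == want), i + 2

def _port(t, i):
    """Consume an optional 'eq N' / 'gt N'; return (matcher, next index)."""
    if i < len(t) and t[i] in ("eq", "gt"):
        op, val = t[i], int(t[i + 1])
        return (lambda p: p == val if op == "eq" else p > val), i + 2
    return (lambda p: True), i

def parse_acls(config):
    """Return {acl_number: [rule dict, ...]} in line order; order matters in IOS."""
    acls = defaultdict(list)
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rest = [x for x in t[i:] if x != "log"]          # 'log' never affects matching
        icmp = [x for x in rest if x != "established"]
        acls[int(t[1])].append(dict(action=t[2], proto=t[3], src=src, sport=sport,
                                    dst=dst, dport=dport, established="established" in rest,
                                    icmp_type=icmp[0] if icmp else None, text=line))
    return acls

def matches(r, p):
    if r["proto"] not in ("ip", p.proto) or not (r["src"](p.src) and r["dst"](p.dst)):
        return False
    if r["proto"] == "tcp":
        if not (r["sport"](p.sport) and r["dport"](p.dport)):
            return False
        if r["established"] and not p.ack:   # stateless: only the flag bits are checked
            return False
    if r["proto"] == "icmp" and r["icmp_type"] and r["icmp_type"] != p.icmp_type:
        return False
    return True

def evaluate(rules, pkt):
    """IOS semantics: the first matching line wins; anything unmatched is denied."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["text"]
    return "deny", "<implicit deny>"

def demo():
    """Run constructed flows through ACL 101 (in) and 102 (out); return {name: action}."""
    acls = parse_acls(ACL_CONFIG)
    inb, outb = acls[101], acls[102]
    client, other = "198.51.100.7", "203.0.113.9"    # constructed Internet hosts
    cases = {
        "client SYN to mail:25":           (inb,  Packet("tcp", client, MAIL_HOST, 40000, 25)),
        "mail:25 SYN/ACK back to client":  (outb, Packet("tcp", MAIL_HOST, client, 25, 40000, ack=True)),
        "client SYN to web:23":            (inb,  Packet("tcp", client, WEB_HOST, 40002, 23)),
        "client SYN from port 20 to mail": (inb,  Packet("tcp", client, MAIL_HOST, 20, 25)),
        "mail host opens outbound SMTP":   (outb, Packet("tcp", MAIL_HOST, other, 40003, 25)),
        "mail host DNS query udp/53":      (outb, Packet("udp", MAIL_HOST, other, 40004, 53)),
        "inbound icmp ttl-exceeded":       (inb,  Packet("icmp", other, MAIL_HOST, icmp_type="ttl-exceeded")),
        "inbound icmp echo (ping)":        (inb,  Packet("icmp", client, WEB_HOST, icmp_type="echo")),
    }
    return {name: evaluate(rules, pkt)[0] for name, (rules, pkt) in cases.items()}
```

Running `demo()` shows the point Louie makes about the setup being "a bit too restrictive": inbound SMTP and HTTP and their replies pass, telnet and ping are dropped by the logged `deny ip any any`, but the mail host cannot open its own outbound SMTP connection or send a DNS query, because list 102 only permits TCP packets that already carry the ACK or RST bit. That is also the caveat with `established` in general: it is a flag-bit check, not connection tracking, so whichever list carries it should be as narrowly scoped as it is here.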

