[geeks] cisco router access lists
Kurt Huhn
kurt at k-huhn.com
Fri Dec 13 17:35:34 CST 2002
Would someone mind helping me out and taking a look at the script
below? It's supposed to set up access lists inbound and outbound to
allow only authorized connections - but for some reason it denies
connections everywhere (or perhaps lets them out, but not back in?).
This has got me totally stumped, and it's not like I've never done this
before either, so I'm incredibly frustrated right now.
begin router script
-------------------
! erase existing outbound filters (if any)
no ip access-list extended filterout
!
ip access-list extended filterout
!
! permit all outbound traffic for now
permit ip any any reflect ipfilter
permit icmp any any reflect icmpfilter
!
! exit filterout access-list config and go back to global config
exit
!
! erase existing inbound filters (if any)
no ip access-list extended filterin
!
ip access-list extended filterin
!
! stateful examination
evaluate ipfilter
evaluate icmpfilter
!
! http rules
permit tcp any host 65.222.52.2 eq 80
permit tcp any host 65.222.52.4 eq 80
permit tcp any host 65.222.52.5 eq 80
permit tcp any host 65.222.52.8 eq 80
permit tcp any host 65.222.52.10 eq 80
permit tcp any host 65.222.52.100 eq 80
permit tcp any host 65.222.52.110 eq 80
!
! https rules
permit tcp any host 65.222.52.4 eq 443
permit tcp any host 65.222.52.5 eq 443
permit tcp any host 65.222.52.10 eq 443
permit tcp any host 65.222.52.100 eq 443
permit tcp any host 65.222.52.110 eq 443
!
! ftp rules
permit tcp any host 65.222.52.2 eq 21
permit tcp any host 65.222.52.3 eq 21
permit tcp any host 65.222.52.4 eq 21
permit tcp any host 65.222.52.6 eq 21
permit tcp any host 65.222.52.9 eq 21
permit tcp any host 65.222.52.10 eq 21
permit tcp any host 65.222.52.100 eq 21
permit tcp any host 65.222.52.110 eq 21
!
! smtp rules
permit tcp any host 65.222.52.2 eq 25
permit tcp any host 65.222.52.3 eq 25
permit tcp any host 65.222.52.6 eq 25
permit tcp any host 65.222.52.9 eq 25
permit tcp any host 65.222.52.10 eq 25
permit tcp any host 65.222.52.100 eq 25
permit tcp any host 65.222.52.110 eq 25
!
! dns rules
permit tcp any host 65.222.52.2 eq 53
permit udp any host 65.222.52.2 eq 53
permit tcp any host 65.222.52.3 eq 53
permit udp any host 65.222.52.3 eq 53
permit tcp any host 65.222.52.8 eq 53
permit udp any host 65.222.52.8 eq 53
!
! ssh rules
permit tcp any host 65.222.52.110 eq 22
permit udp any host 65.222.52.110 eq 22
permit tcp any host 65.222.52.100 eq 22
permit udp any host 65.222.52.100 eq 22
permit tcp host 63.87.36.74 any eq 22
permit udp host 63.87.36.74 any eq 22
!
! imap rules
permit tcp host 63.87.36.74 host 65.222.52.100 eq 143
!
! proxy rules
permit tcp host 63.87.36.74 host 65.222.52.2 eq 81
permit tcp host 63.87.36.74 host 65.222.52.3 eq 81
!
! ntp rules
permit tcp any host 65.222.52.2 eq 37
!
!
! vpn rule (testing)
permit ip any host 65.222.52.253
permit tcp any host 65.222.52.253
permit udp any host 65.222.52.253
!
! cleanup rule
deny ip any any
!
!
! return to global config
exit
!
! configure the interfaces
interface Serial0/0
ip access-group filterin in
ip access-group filterout out
exit
interface serial0/1.1
ip access-group filterin in
ip access-group filterout out
exit
!
exit
show running
--
Kurt
kurt at k-huhn.com
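Editor's note: the script above binds filterin inbound and filterout outbound on both Serial0/0 and serial0/1.1. Tracing a flow by hand through two reflexive lists is error-prone, so here is a small simulator, added here and not part of Kurt's post, that applies first-match ACL semantics (implicit deny at the end, `reflect` recording the mirror image of a permitted packet, `evaluate` honouring those entries) to an abridged copy of the posted lists. The inside host 65.222.52.50 and the outside hosts 198.51.100.7 and 203.0.113.9 are constructed addresses; only the rule shapes that appear in the post are parsed.

```python
"""Added example (not from the post): a first-match ACL simulator with
reflexive entries, used to trace which flows the posted lists permit.
Assumptions: Cisco-style first-match evaluation with an implicit
'deny ip any any' at the end; 'reflect NAME' records the mirror image
of a permitted packet and 'evaluate NAME' permits packets matching it.
Only the rule shapes used in the posted script are parsed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp", "udp" or "icmp"
    src: str                # "any" or a host address
    dst: str
    dport: Optional[int]    # from "eq N", if present
    reflect: Optional[str]  # reflexive list to populate, if "reflect NAME"


Entry = Union[Rule, Tuple[str, str]]   # a Rule or ("evaluate", name)


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported address form: " + " ".join(tok))


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit/deny PROTO SRC DST [eq N] [reflect NAME]' and
    'evaluate NAME' lines as written in the post; '!' lines are comments."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "evaluate":
            entries.append(("evaluate", tok[1]))
            continue
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport, reflect = None, None
        while i < len(tok):
            if tok[i] == "eq":
                dport, i = int(tok[i + 1]), i + 2
            elif tok[i] == "reflect":
                reflect, i = tok[i + 1], i + 2
            else:
                raise ValueError("unsupported keyword: " + tok[i])
        entries.append(Rule(action, proto, src, dst, dport, reflect))
    return entries


def _matches(rule: Rule, p: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == p.proto)
            and rule.src in ("any", p.src)
            and rule.dst in ("any", p.dst)
            and (rule.dport is None or rule.dport == p.dport))


class Router:
    """Holds the temporary entries created by 'reflect' on this router."""

    def __init__(self) -> None:
        self.reflex: Dict[str, List[Tuple]] = {}

    def apply(self, acl: List[Entry], p: Packet) -> str:
        for e in acl:
            if isinstance(e, tuple):          # ("evaluate", NAME)
                key = (p.proto, p.src, p.sport, p.dst, p.dport)
                if key in self.reflex.get(e[1], []):
                    return "permit"
                continue
            if _matches(e, p):
                if e.action == "permit" and e.reflect:
                    # record the mirror image so the reply can come back in
                    self.reflex.setdefault(e.reflect, []).append(
                        (p.proto, p.dst, p.dport, p.src, p.sport))
                return e.action
        return "deny"   # implicit deny at the end of every Cisco ACL


FILTEROUT = """
permit ip any any reflect ipfilter
permit icmp any any reflect icmpfilter
"""

# abridged copy of the posted filterin: same shape, fewer hosts
FILTERIN = """
evaluate ipfilter
evaluate icmpfilter
permit tcp any host 65.222.52.2 eq 80
permit tcp any host 65.222.52.4 eq 443
permit tcp host 63.87.36.74 any eq 22
deny ip any any
"""


def trace_scenarios() -> Dict[str, str]:
    """Run constructed packets through the lists in the order the
    interface bindings would apply them. 65.222.52.50 (inside) and
    198.51.100.7 / 203.0.113.9 (outside) are constructed addresses."""
    fout, fin = parse_acl(FILTEROUT), parse_acl(FILTERIN)
    r = Router()
    out = Packet("tcp", "65.222.52.50", 40000, "198.51.100.7", 80)
    back = Packet("tcp", "198.51.100.7", 80, "65.222.52.50", 40000)
    verdicts: Dict[str, str] = {}
    # outside interface: filterout on exit creates the reflexive entry ...
    verdicts["outbound via filterout"] = r.apply(fout, out)
    # ... which the 'evaluate' line in filterin then honours for the reply
    verdicts["reply via filterin"] = r.apply(fin, back)
    # unsolicited inbound to a host with no permit line falls to the deny
    verdicts["unsolicited inbound to .50:80"] = r.apply(
        fin, Packet("tcp", "203.0.113.9", 51000, "65.222.52.50", 80))
    verdicts["inbound to .2:80"] = r.apply(
        fin, Packet("tcp", "203.0.113.9", 51000, "65.222.52.2", 80))
    # The post binds filterin 'in' on both interfaces. If one of them is
    # the LAN side, an inside host's first packet meets filterin before
    # any reflexive entry exists and falls through to 'deny ip any any'.
    verdicts["outbound via filterin first"] = Router().apply(fin, out)
    return verdicts


if __name__ == "__main__":
    for name, verdict in trace_scenarios().items():
        print(f"{name:32} {verdict}")
```

The last scenario is the one worth checking against the real topology: with both lists bound on both interfaces, every new connection from the inside must match an explicit permit line in filterin on its way in from the LAN, because the reflexive entry is only created when the packet is later matched by filterout on the far interface. Comparing `show access-lists` counters for the `deny ip any any` line on each interface will confirm which list is actually dropping the traffic.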