Cisco Router ACL help

gigabyte1024

Please have a look at these two ACLs.

In the original ACL, the first 10 lines prevent this network from trying to reach other VPN networks through the internet. I've accomplished the same effect with line 3 from the second ACL, right?

The Host denies are going away, those are omitted in the second ACL on purpose.

I'm implementing a proxy server and want to block everything but my server and the proxy server from accessing the Internet. That's in the second ACL - line 1, 2, & 4.

Can anyone tell me if the above is applied correctly to the new ACL?


ORIGINAL ACCESS LIST 131

Code:
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.12.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.13.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.14.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.15.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.16.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.17.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.18.0 0.0.0.255
access-list 131 deny   ip host 192.168.10.34 any
access-list 131 deny   ip host 192.168.10.89 any
access-list 131 deny   ip host 192.168.10.33 any
access-list 131 deny   ip host 192.168.10.120 any
access-list 131 deny   ip host 192.168.10.121 any
access-list 131 deny   ip host 192.168.10.122 any
access-list 131 deny   ip host 192.168.10.123 any
access-list 131 deny   ip host 192.168.10.124 any
access-list 131 deny   ip host 192.168.10.125 any
access-list 131 permit ip 192.168.10.0 0.0.0.255 any


NEW ACCESS LIST 131 20070207

Code:
access-list 131 permit ip host 192.168.10.5 any
access-list 131 permit ip host 192.168.10.15 any
access-list 131 deny ip 192.168.10.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 131 deny tcp any any eq www
access-list 131 permit ip 192.168.10.0 0.0.0.255 any
 
Please have a look at these two ACLs.

In the original ACL, the first 10 lines prevent this network from trying to reach other VPN networks through the internet. I've accomplished the same effect with line 3 from the second ACL, right?

Right.

The Host denies are going away, those are omitted in the second ACL on purpose.

I'm implementing a proxy server and want to block everything but my server and the proxy server from accessing the Internet. That's in the second ACL - line 1, 2, & 4.

Can anyone tell me if the above is applied correctly to the new ACL?


ORIGINAL ACCESS LIST 131

Code:
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.12.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.13.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.14.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.15.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.16.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.17.0 0.0.0.255
access-list 131 deny   ip 192.168.10.0 0.0.255.255 192.168.18.0 0.0.0.255
access-list 131 deny   ip host 192.168.10.34 any
access-list 131 deny   ip host 192.168.10.89 any
access-list 131 deny   ip host 192.168.10.33 any
access-list 131 deny   ip host 192.168.10.120 any
access-list 131 deny   ip host 192.168.10.121 any
access-list 131 deny   ip host 192.168.10.122 any
access-list 131 deny   ip host 192.168.10.123 any
access-list 131 deny   ip host 192.168.10.124 any
access-list 131 deny   ip host 192.168.10.125 any
access-list 131 permit ip 192.168.10.0 0.0.0.255 any


NEW ACCESS LIST 131 20070207

Code:
access-list 131 permit ip host 192.168.10.5 any
access-list 131 permit ip host 192.168.10.15 any
access-list 131 deny ip 192.168.10.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 131 deny tcp any any eq www
access-list 131 permit ip 192.168.10.0 0.0.0.255 any

Looks about right.

Note: it's been so long since I've dealt with standard access-lists that I'm actually a bit rusty. Don't implement anything until you get a second set of eyes to confirm what I've said (or bust it and find something I may have missed).
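The quickest way to get that second set of eyes is to walk sample flows through the list with first-match semantics and the implicit deny at the end. The following is an added example, not code from the thread: a small evaluator for the numbered extended ACL syntax used above, loaded with a constructed copy of the new ACL 131. Line 4 is assumed in the form `deny tcp any any eq www` (TCP port 80), since the evaluator matches on protocol and destination port.

```python
import ipaddress

# Constructed copy of the thread's proposed new ACL 131. Line 4 is written in
# the TCP port-80 form (an assumption), since this evaluator matches on ports.
NEW_ACL_131 = """
access-list 131 permit ip host 192.168.10.5 any
access-list 131 permit ip host 192.168.10.15 any
access-list 131 deny ip 192.168.10.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 131 deny tcp any any eq www
access-list 131 permit ip 192.168.10.0 0.0.0.255 any
"""
PORT_NAMES = {"www": 80}

def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) -> (addr, mask, rest)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))  # 1 bits are "don't care"
    return addr, ~wildcard & 0xFFFFFFFF, tokens[2:]

def parse_acl(text):
    """Parse numbered extended ACL entries, in order, into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, smask, rest = _addr(t[4:])
        dst, dmask, rest = _addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append(dict(action=action, proto=proto, src=src, smask=smask,
                          dst=dst, dmask=dmask, dport=dport))
    return rules

def evaluate(rules, src, dst, proto="tcp", dport=None):
    """First matching entry wins; no match means Cisco's implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in rules:
        if (r["proto"] in ("ip", proto)
                and (s & r["smask"]) == (r["src"] & r["smask"])
                and (d & r["dmask"]) == (r["dst"] & r["dmask"])
                and r["dport"] in (None, dport)):
            return r["action"]
    return "deny"

RULES = parse_acl(NEW_ACL_131)
```

Running `evaluate(RULES, "192.168.10.50", "8.8.8.8", "tcp", 443)` returns `permit`, which shows that line 4 only stops port 80 and everything else from a non-proxy host still falls through to line 5. If the goal is really "nothing but the two servers reaches the Internet", the catch-all at line 5 would have to become a deny (or be dropped in favour of the implicit deny), with any internal destinations permitted explicitly above it.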
 