I have R1, R2, and R3, and I want to use access-lists to build a security policy that I can apply to R2.
I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow all traffic to exit the inside network, but do not want any unsolicited traffic from the outside network to be allowed in. I have EIGRP running between the three routers, and I want that to remain operational. Additionally, R1 is running HTTP services that I want to allow R3 to access.
This requires an ACL that I will apply to the outside interface of R2.
ip access-list extended INWARD
permit eigrp any any
permit tcp any host 10.1.12.1 eq www
permit tcp any 10.1.0.0 0.0.255.255 established
interface serial0/1
ip access-group INWARD in
Once the ACL is applied, I can no longer ping or telnet to R1 from R3.
*Sep 10 04:25:25.153: %SYS-5-CONFIG_I: Configured from console by console
R3#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#telnet 10.1.12.1
Trying 10.1.12.1 ...
% Destination unreachable; gateway or host down
No rule was added to allow ICMP or telnet. However, I can copy a file using HTTP.
R3#copy http://jason:cisco@10.1.12.1/c1841-adventerprisek9-mz.124-24.T3.bin null:
Loading http://***********@10.1.12.1/c1841-adventerprisek9-mz.124-24.T3.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Now I'll telnet from R1 to R3.
R1#telnet 10.1.23.3
Trying 10.1.23.3 ... Open
User Access Verification
Password:
R3>
On R2 I see hits on the ACL's established entry, which allows the return TCP packets back in.
R2#show ip access-list
Extended IP access list INWARD
10 permit eigrp any any (264 matches)
20 permit tcp any host 10.1.12.1 eq www (2688 matches)
30 permit tcp any 10.1.0.0 0.0.255.255 established (12 matches)
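To see how each of the tests above is decided by the three entries and the implicit deny, here is an added Python model of the INWARD ACL (example code, not from the post; the packets, the R3 source address and R1's ephemeral port are constructed). It also shows the caveat a practitioner should keep in mind: `established` keeps no session table and matches any segment with ACK or RST set, which is why reflexive ACLs or a stateful firewall are preferred where that matters.

```python
from ipaddress import ip_address, ip_network

# The INWARD ACL from the post as ordered entries:
# (action, protocol, source, destination, dest port, established).
# IOS wildcard masks are written as prefixes here (10.1.0.0 0.0.255.255 -> 10.1.0.0/16).
INWARD = [
    ("permit", "eigrp", "0.0.0.0/0", "0.0.0.0/0", None, False),   # seq 10
    ("permit", "tcp", "0.0.0.0/0", "10.1.12.1/32", 80, False),     # seq 20
    ("permit", "tcp", "0.0.0.0/0", "10.1.0.0/16", None, True),     # seq 30
]   # every IOS ACL ends with an implicit "deny ip any any"

def matches(entry, pkt):
    action, proto, src, dst, dport, established = entry
    if proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst):
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    # 'established' is stateless: it only requires the ACK or RST bit to be set.
    if established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """Return (action, sequence number) of the first matching entry, or the implicit deny."""
    for seq, entry in enumerate(acl, start=1):
        if matches(entry, pkt):
            return entry[0], seq * 10
    return "deny", None

# Constructed packets arriving inbound on R2's outside interface, mirroring the post's tests.
PACKETS = {
    "eigrp_hello":    {"proto": "eigrp", "src": "10.1.23.3", "dst": "224.0.0.10"},
    "http_from_r3":   {"proto": "tcp", "src": "10.1.23.3", "dst": "10.1.12.1", "dport": 80, "flags": {"SYN"}},
    "ping_from_r3":   {"proto": "icmp", "src": "10.1.23.3", "dst": "10.1.12.1"},
    "telnet_from_r3": {"proto": "tcp", "src": "10.1.23.3", "dst": "10.1.12.1", "dport": 23, "flags": {"SYN"}},
    # R3 answering the telnet that R1 opened: SYN/ACK back to R1's (constructed) ephemeral port
    "telnet_reply_to_r1": {"proto": "tcp", "src": "10.1.23.3", "dst": "10.1.12.1", "dport": 41000, "flags": {"SYN", "ACK"}},
    # Any ACK-flagged segment to 10.1.0.0/16 also matches seq 30, session or not: the stateless caveat
    "ack_without_session": {"proto": "tcp", "src": "10.1.23.3", "dst": "10.1.12.1", "dport": 23, "flags": {"ACK"}},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:22s} -> {evaluate(INWARD, pkt)}")
```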