I have R1, R2, and R3, and I want to use access-lists to effectively help create a security policy that I can apply to R2.
I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow all traffic to exit the inside network, but do not want any unsolicited traffic from the outside network to be allowed in. I have EIGRP running between the three routers, and I want that to remain operational. Additionally, R1 is running HTTP services that I want to allow R3 to access.
This requires an ACL that I will apply to the outside interface of R2.
ip access-list extended INWARD permit eigrp any any permit tcp any host 10.1.12.1 eq www permit tcp any 10.1.0.0 0.0.255.255 establishedinterface serial0/1 ip access-group INWARD inOnce the ACL is applied, I can no longer ping or telnet to R1 from R3.
*Sep 10 04:25:25.153: %SYS-5-CONFIG_I: Configured from console by consoleR3#ping 10.1.12.1
Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:U.U.USuccess rate is 0 percent (0/5)R3#telnet 10.1.12.1Trying 10.1.12.1 ... % Destination unreachable; gateway or host downNo rule was added to allow ICMP, nor telnet. However, I can copy a file using http.
R3#copy http://jason:cisco@10.1.12.1/c1841-adventerprisek9-mz.124-24.T3.bin null: Loading http://***********@10.1.12.1/c1841-adventerprisek9-mz.124-24.T3.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Now I'll telnet from R1 to R3
R1#telnet 10.1.23.3Trying 10.1.23.3 ... Open
User Access Verification
Password:R3>On R2 I see hits under the ACL established entry allowing return tcp packets back.
R2#show ip access-list Extended IP access list INWARD 10 permit eigrp any any (264 matches) 20 permit tcp any host 10.1.12.1 eq www (2688 matches) 30 permit tcp any 10.1.0.0 0.0.255.255 established (12 matches)
No comments:
Post a Comment