#1
Old is gold
Join Date: Jul 2003
Location: Notts, UK
Posts: 208
Thanks: 0
Thanked 0 Times in 0 Posts
Calling all Cisco bods.

Having a bit of a 'mare with this access list/security issue... any help appreciated! Have spent far too many hours over the past few days trying to get it to work; I am pretty sure the problem lies in me not understanding the wildcard masks correctly. Diagram of the network can be found here - http://www.thebeef.org/network.JPG

The goal is to do the following:
1) Prevent machines within Boaz LAN (172.23.0.0/5) from accessing anything other than fileserver 1.
2) Machines on Center LAN can access anywhere on the network.
3) Routers can access anywhere.

The first thing I tried was to set up an extended ACL that denied all traffic unless its destination was the fileserver, and apply this to fa0/0 inbound on Boaz. ACL used:

    access-list 150 permit ip any host 172.23.48.2
    (access-list 150 deny ip any any)
    ip access-group 150 in

This achieved goal 1 (machines on Boaz could not ping anything but the fileserver). However, only the file server could ping within the Boaz LAN.

I also tried a number of other ACLs based around the following:

    permit ip any host 172.23.48.2
    deny ip 172.23.80.0 0.0.0.254 any
    permit ip any any

The way I read the above is as follows:
1) Any traffic going to the fileserver is allowed.
2) Any traffic sourced within Boaz LAN (other than what was allowed by (1)) is denied.
3) The remaining traffic (anything sourced from outside Boaz) is allowed to pass through the Ethernet port (i.e. pings initiated by WS2).

However this did exactly the same, and again only fileserver 1 could ping within the LANs. Am I missing something blatantly obvious here guys? If anyone could help that would be awesome, as I'm pulling me hair out!

Cheers
#2
Drone #467234
Join Date: Jul 2003
Location: C:\Windows
Posts: 1,750
Thanks: 9
Thanked 38 Times in 30 Posts
I'm not a Cisco ACL expert, but I have experience with firewall configuration (and intend to be taking Cisco training in the future)...
Is the problem that you are dropping ANY packet from the Boaz LAN other than (anything) to the file server - including replies to inbound connection attempts? Is there a way to tell the ACL that you only want to block [SYN] packets from Boaz machines, so new connections can't be established from those machines? (You will have to handle ICMP separately of course, with "permit icmp any any" or something.) Alternatively, block only connections from the Boaz LAN to destination ports <1024 (after the "permit traffic to file server 1" rule).
There is no IRL... only AFK
This signature (c)2006 Copywrong Paul Adams. All rights wronged, all wrongs reversed.
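Added example, not code from either post: it models the two things this thread turns on, how the wildcard mask in the posted `deny` line is matched, and post #2's point that an ACL inbound on the Boaz LAN port judges each Boaz host's reply packet on its own, statelessly. The Boaz LAN range (172.23.80.0/24) and WS2's address (172.23.16.5) are assumptions, since the diagram is not on this page.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": every bit is "don't care"

def host(ip):
    """Cisco "host X": wildcard 0.0.0.0, so every bit must match."""
    return (ip, "0.0.0.0")

def wildcard_from_prefix(prefix_len):
    """Wildcard mask for a prefix length: the bitwise inverse of the subnet mask."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))

def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard is "don't care"; 0 bits must equal the base address."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate_acl(acl, src, dst):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, (s_base, s_wc), (d_base, d_wc) in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"

# The second ACL from post #1, as posted (wildcard 0.0.0.254 kept deliberately).
POSTED_ACL = [
    ("permit", ANY, host("172.23.48.2")),
    ("deny", ("172.23.80.0", "0.0.0.254"), ANY),
    ("permit", ANY, ANY),
]
# Same ACL with the wildcard a /24 needs (assumption: Boaz LAN is 172.23.80.0/24).
FIXED_ACL = [
    ("permit", ANY, host("172.23.48.2")),
    ("deny", ("172.23.80.0", wildcard_from_prefix(24)), ANY),
    ("permit", ANY, ANY),
]

def ping_succeeds(acl, initiator, target, boaz_net="172.23.80.0/24"):
    """ACL applied inbound on the Boaz router's LAN port: only packets sourced inside
    the Boaz LAN are checked, and the echo reply is judged on its own, statelessly."""
    boaz = ipaddress.ip_network(boaz_net)
    for src, dst in ((initiator, target), (target, initiator)):
        if ipaddress.ip_address(src) in boaz and evaluate_acl(acl, src, dst) == "deny":
            return False
    return True
```

Wildcard 0.0.0.254 pins only the lowest bit of the last octet, so odd-numbered Boaz hosts fall through to the final permit; and even with 0.0.0.255, a ping from the Center LAN to a Boaz host still fails because the host's reply is sourced inside Boaz and hits the deny, while a ping from the fileserver succeeds because its reply matches the first permit.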