Access-List


GM

May 16, 2001, 7:56:07 PM
Hi guys,

I need help with an access list on my Cisco 2621, and here's a scenario that I'd
like to pass on to you guys for some advice.


I'd like to deny access to all traffic, whether it's TCP or UDP, coming from
interface 1's network to interface 2's network, but allow all access from
interface 2's network to interface 1's network.


Can I do this?

Jason Baker

May 16, 2001, 9:04:02 PM
Well, how about you show us what you have tried first?
Then we will be able to tell you where you went wrong
in your attempts, rather than us just telling you how to do
it :).

--
Regards,

Jason

"GM" <George....@Home.com> wrote in message
news:rsEM6.132400$_f3.1...@news20.bellglobal.com...

Jkillion

May 16, 2001, 10:11:04 PM
You could create a standard access list and apply it outbound to interface 2:

access-list 10 deny <interface 1's network> <inverse mask>

The problem you'll run into is that hosts on interface 2 will only be able to
access network 1 when they are using UDP apps. If you don't allow TCP ACKs
to flow from int 1 to int 2, the connection will always time out.


"GM" <George....@Home.com> wrote in message
news:rsEM6.132400$_f3.1...@news20.bellglobal.com...

pse

May 16, 2001, 10:25:56 PM
If you are talking about just a two-port router setup, then you
need to run the Firewall feature set and turn on CBAC to dynamically
create access lists for your traffic that is exiting your network on
interface 2 and its return traffic into interface 2. I'm still not
too clear on your setup or exactly what your topology looks like. Get
"Enhanced IP Services for Cisco Networks" for a good explanation
of CBAC, or read CCO.

On Wed, 16 May 2001 23:56:07 GMT, "GM" <George....@Home.com>
wrote:

Unknown

May 16, 2001, 11:03:55 PM
GM <George....@Home.com> wrote:

>I'd like to deny access to all traffic whether it's tcp or udp coming from
>interface 1's network to interface 2 network but allow all access to
>interface 2 network to access interface 1 network.
>
>Can I do this?

Sure. Have you established an access list
which is giving you trouble, or are you
just starting to develop one?

In either case, just remember the general rule
for access lists is
"ONE (1) protocol PER port PER direction".

mf

May 17, 2001, 12:04:38 AM
Probably the best idea is to use an access list on interface 1, inbound, that
allows only pre-established session traffic. This way, only network
sessions that originated from interface 2 are allowed to flow.

mf


GM <George....@Home.com> wrote in message
news:rsEM6.132400$_f3.1...@news20.bellglobal.com...

Dreamer

May 20, 2001, 7:44:55 PM
Place an extended access list on 2's s0/s1 interface, inbound:

access-list 101 deny ip <1's network> <wildcard mask> any
access-list 101 permit ip any any

int s0
 ip access-group 101 in

You could also apply the list to 1's s0 interface outbound, specifying denial to
2's network; that way the traffic would not have to travel across the
network, and you would have better bandwidth performance.

That way all traffic from network 1 is blocked but everything else is
allowed through.
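The following is an added example, not code from any poster in this thread. It simulates how IOS evaluates the two extended-list variants proposed above, Dreamer's plain deny and mf's list built on the `established` keyword, against the kind of traffic Jkillion describes (TCP replies flowing back from network 1 to network 2). The addresses, interface names and placement are assumptions: interface 1 (Fa0/0) is taken to front 10.1.0.0/24, interface 2 (Fa0/1) to front 10.2.0.0/24, and both lists are applied inbound on Fa0/0. Only the subset of access-list syntax used here is parsed.

```python
"""Simulate IOS extended-ACL evaluation for the traffic discussed in this thread.

Added example, not from any poster.  Assumptions: interface 1 (Fa0/0) fronts
10.1.0.0/24, interface 2 (Fa0/1) fronts 10.2.0.0/24, and both lists are
applied with 'ip access-group <n> in' on Fa0/0.  Only the ACL syntax used
below is parsed (ip/tcp/udp, 'any', 'host', address+wildcard, 'established').
"""
import ipaddress

NET1 = "10.1.0.0 0.0.0.255"  # assumed network behind interface 1
NET2 = "10.2.0.0 0.0.0.255"  # assumed network behind interface 2

# Plain deny (Dreamer's list): stops everything from net 1 to net 2,
# including TCP replies to sessions that hosts on net 2 opened.
ACL_PLAIN = f"""
access-list 101 deny ip {NET1} {NET2}
access-list 101 permit ip any any
"""

# 'established' (mf's list): TCP segments with ACK or RST set pass, so
# net 2 -> net 1 sessions work; a fresh SYN from net 1 still hits the deny.
ACL_ESTABLISHED = f"""
access-list 102 permit tcp {NET1} {NET2} established
access-list 102 deny ip {NET1} {NET2}
access-list 102 permit ip any any
"""


def _parse_addr(tokens, i):
    """Return (network, next index) for 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard: 0 bits must match, 1 bits are don't-care; invert to a netmask
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [established]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        entries.append((action, proto, src, dst, "established" in t[i:]))
    return entries


def evaluate(acl, src, dst, proto, flags=()):
    """First matching entry wins; every IOS list ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, established in acl:
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        # 'established' only matches TCP with ACK or RST set; it keeps no state
        if established and not ({"ACK", "RST"} & set(flags)):
            continue
        return action
    return "deny"


# Constructed packets, all arriving inbound on Fa0/0 (i.e. sent by net 1).
PACKETS = [
    ("new SYN from net 1 to net 2", "10.1.0.5", "10.2.0.9", "tcp", ("SYN",)),
    ("TCP reply to a session net 2 opened", "10.1.0.5", "10.2.0.9", "tcp", ("SYN", "ACK")),
    ("UDP reply (e.g. DNS answer) to net 2", "10.1.0.5", "10.2.0.9", "udp", ()),
    ("forged bare ACK, no real session", "10.1.0.66", "10.2.0.9", "tcp", ("ACK",)),
    ("net 1 to somewhere other than net 2", "10.1.0.5", "198.51.100.7", "tcp", ("SYN",)),
]


def compare():
    """Map each packet description to (plain-list verdict, established-list verdict)."""
    plain, est = parse_acl(ACL_PLAIN), parse_acl(ACL_ESTABLISHED)
    return {desc: (evaluate(plain, *pkt), evaluate(est, *pkt)) for desc, *pkt in PACKETS}


if __name__ == "__main__":
    for desc, (plain, est) in compare().items():
        print(f"{desc:40} plain={plain:6} established={est}")
```

The plain list drops the SYN/ACK that a network 1 server sends back to a client on network 2, which is exactly the timeout Jkillion warns about; the `established` list passes it while still denying a new SYN from network 1. Two gaps remain, and they are why pse points at CBAC: `established` is stateless and admits any segment with ACK or RST set, so a forged bare ACK from network 1 gets through, and it applies only to TCP, so UDP replies (DNS, for example) to hosts on network 2 are still dropped unless they are permitted explicitly or tracked by a stateful mechanism such as CBAC or reflexive access lists.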

