Archived thread from the CCNA forum, September 2000.
Access list for port 22.
Hey all,
I have this situation: I need to let someone access one of our internal boxes. He has an IP address of 207.17.117.25 and wants to connect to an internal box at 10.0.0.239 using port 22. Port 22 is a secure telnet port.
My solution is to create an access list like this:
access-list 110 permit tcp 201.17.117.23 host 10.0.0.254 eq 22
Access-list 110 permit any any
10.0.0.254 being the router's external interface
210.17.117.23 being the person externally who wants to access us
thanks...
quote: Originally posted by beenframed:
Hey all,
I have this situation: I need to let someone access one of our internal boxes. He has an IP address of 207.17.117.25 and wants to connect to an internal box at 10.0.0.239 using port 22. Port 22 is a secure telnet port.
My solution is to create an access list like this:
access-list 110 permit tcp 201.17.117.25 host 10.0.0.254 eq 22
Access-list 110 permit any any
10.0.0.254 being the router's external interface
210.17.117.23 being the person externally who wants to access us
thanks...
Beenframed,
I think that the list you specified is wrong on two counts. The first line should say:
access-list 110 permit tcp host 201.17.117.23 host 10.0.0.254 eq 22
or
access-list 110 permit tcp 201.17.117.23 0.0.0.0 host 10.0.0.254 eq 22
and the last line, as you have it configured, will allow anyone else access to all ports. I do not know if this is what you intended.
Slacker71
[This message has been edited by Slacker71 (edited 09-26-2000).]

Here's what my access-list on the router looks like....
Standard IP access list 1
permit any
Extended IP access list 101
permit tcp 207.17.117.23 host 10.0.0.239 eq 22
permit tcp any host 10.0.0.1 eq 1723
permit tcp any host 10.0.0.1 eq domain
permit udp any host 10.0.0.1 eq domain
permit tcp any host 10.0.0.1 eq smtp
permit tcp any host 10.0.0.1 eq www
deny tcp any host 10.0.0.1
deny udp any host 10.0.0.1 range 0 65535
permit ip any any
Extended IP access list 110
permit ip any any (2402 matches)
I want to add
access-list 110 permit tcp host 201.17.117.23 host 10.0.0.254 eq 22
that line into it.
So can I put the whole thing into Notepad and then re-enter everything?
I need to do this on interface S0.
What do you think?
[This message has been edited by beenframed (edited 09-26-2000).]

You can do that, but you're wasting your time. With the permit ip any any, you're already allowing that traffic in to 10.0.0.239.
In fact, all traffic is coming through, except that which is denied by the udp and tcp deny statements for traffic going to 10.0.0.1.
In short, 10.0.0.1 is evidently secure, except for the ports that are allowed, but because of the statement "permit ip any any" the rest of the network is wide open.
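The last reply's point is about first-match evaluation: an extended ACL is read top to bottom, the first line that matches decides, and only if nothing matches does the implicit deny at the end apply, so a trailing permit ip any any makes every more specific permit above it irrelevant. The evaluator below is an added example (not code from the thread or from Cisco) that parses IOS extended-ACL lines and runs ACL 101 from the thread against a few constructed packets. It assumes the first line is written in the host form Slacker71 recommended (the thread's own line omits host), uses 198.51.100.7 as a made-up outside address, and adds a tightened variant of its own in which permit ip any any is replaced by permit tcp any any established so that replies to connections opened from inside still pass while new inbound connections fall through to the implicit deny.

```python
"""First-match evaluator for Cisco IOS extended ACL syntax (added example, not
from the thread). Models 'host'/'any'/wildcard address specs, 'eq'/'range'
destination ports, the 'established' flag and the implicit deny at the end."""
import ipaddress
from typing import NamedTuple, Optional

PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80}  # only the names the thread's ACL uses


class Rule(NamedTuple):
    action: str              # "permit" | "deny"
    proto: str               # "ip" | "tcp" | "udp"
    src: tuple               # (network, wildcard) as ints
    dst: tuple
    dport: Optional[tuple]   # (lo, hi), or None for any destination port
    established: bool        # match only TCP segments with ACK/RST set (reply traffic)


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((net, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_line(line):
    t = line.split()
    if t[0] == "access-list":        # config form 'access-list N ...'; show output omits this
        t = t[2:]
    action, proto, rest = t[0], t[1], t[2:]
    try:
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
    except (ValueError, IndexError):
        # e.g. 'permit tcp 201.17.117.23 host ...': a bare address needs 'host' or a wildcard
        raise ValueError(f"malformed address spec in: {line!r}")
    dport = None
    if rest[:1] == ["eq"]:
        p = PORT_NAMES.get(rest[1])
        p = int(rest[1]) if p is None else p
        dport, rest = (p, p), rest[2:]
    elif rest[:1] == ["range"]:
        dport, rest = (int(rest[1]), int(rest[2])), rest[3:]
    return Rule(action, proto, src, dst, dport, "established" in rest)


def parse_acl(text):
    return [parse_line(line) for line in text.strip().splitlines()]


def _match(addr, spec):
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF      # wildcard 1-bits are "don't care"; 0.0.0.0 means exact host
    return (addr & mask) == (net & mask)


def evaluate(rules, proto, src, dst, dport, ack=False):
    """Verdict for one packet: the first matching line wins, else implicit deny."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_match(s, r.src) and _match(d, r.dst)):
            continue
        if r.dport and not (r.dport[0] <= dport <= r.dport[1]):
            continue
        if r.established and not ack:
            continue
        return r.action
    return "deny"                  # the implicit deny every IOS ACL ends with


# ACL 101 as shown in the thread, first line in the 'host' form Slacker71 recommended.
ACL_101 = """\
permit tcp host 207.17.117.23 host 10.0.0.239 eq 22
permit tcp any host 10.0.0.1 eq 1723
permit tcp any host 10.0.0.1 eq domain
permit udp any host 10.0.0.1 eq domain
permit tcp any host 10.0.0.1 eq smtp
permit tcp any host 10.0.0.1 eq www
deny tcp any host 10.0.0.1
deny udp any host 10.0.0.1 range 0 65535
permit ip any any
"""

# Tightened variant (an assumption added here, not from the thread): replies to
# inside-initiated TCP sessions still pass, everything else hits the implicit deny.
ACL_101_TIGHT = ACL_101.replace("permit ip any any", "permit tcp any any established")


def ssh_from(acl_text, src):
    """Verdict for a new SSH connection (SYN, no ACK) from src to the internal box."""
    return evaluate(parse_acl(acl_text), "tcp", src, "10.0.0.239", 22)


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_101), ("tightened", ACL_101_TIGHT)):
        for src in ("207.17.117.23", "198.51.100.7"):   # 198.51.100.7 is a made-up outsider
            print(f"{name:10} ssh from {src:14} -> {ssh_from(acl, src)}")
```

As posted, SSH to 10.0.0.239 is permitted from the made-up outsider as well as from 207.17.117.23, because the packet falls past the first line (source mismatch) and past every 10.0.0.1 line (destination mismatch) to permit ip any any. The tightened variant permits only the named source. Two practitioner caveats: established is a stateless check on TCP flags, not connection tracking, so UDP replies (for example DNS answers to inside clients) would need their own lines; and none of this takes effect until the list is bound to the interface the poster mentions with ip access-group 101 in on S0.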