
ACL question.
Lahori-Guy

2004-08-26, 1:45 pm

I want to clarify something.

Three Routers connected in a line like

R1---->R2----->R3

Each has an e0 interface and a s0 interface. I want to apply an ACL that will stop telnet traffic to ALL NETWORKS connected to the R3 router, and it shouldn't be more than 3 lines long.

IP addresses are

R2---S0 :192.168.134.2 (connected to R3)
R2---E0 :192.168.128.1 (Ethernet LAN interface)

R3---S0: 192.168.134.1 (connected to R2)
R3---E0: 192.168.11.2 (Ethernet LAN interface)

I don't think we need R1's IP address since the ACL should be put on R3.

Thanks for the help in advance, guys.

Also another question...

If you wanna allow only FTP traffic (from the internet) to a specific server and deny all the internel networks to it... how would you do it if you had to do it in two lines?
dmaftei

2004-08-26, 2:22 pm

Your first question was answered and debated extensively in this forum some time ago -- a couple of months maybe. You shouldn't have much trouble finding that thread.

Your second question is not clear.
quote:
... and deny all the internel networks to it...
I believe you meant "internal networks", but what's unclear is what is it: the server, or the internet?!
Lahori-Guy

2004-08-26, 11:01 pm

The only thing allowed to the server should be FTP access from the internet. Sorry for the confusion. And the ACL should be two lines... you can make up any IP address to represent the internal networks (if needed).
dmaftei

2004-08-27, 1:34 pm

I think you can do this in two lines only with the following assumptions:

1. The server is in a subnet of its own (say subnet 192.168.1.0, server address is 192.168.1.1).
2. Everything else in your internal network is in a different subnet (192.168.2.0).

access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq ftp
access-list 101 permit tcp any host 192.168.1.1 eq ftp
stnosc

2004-08-28, 9:55 am

dmaftei,

I think you should start asking for consulting fees....
Lahori-Guy

2004-09-02, 10:48 am

hey buddy,

Thanks a lot for your help, man, but I couldn't find the post you are referring to as far as my other question goes. So could someone provide me some info here about the scenario that I have listed above?

The only part that's confusing me is how I can disable telnet to ALL THE NETWORKS connected to that router, since the s0 interface of that router is connected to the serial interface of another one which is in the same subnet.
dmaftei

2004-09-02, 11:09 am

access-list 101 deny tcp any 192.168.134.1 0.0.0.255 eq telnet
access-list 101 deny tcp any 192.168.11.2 0.0.0.255 eq telnet
access-list 101 permit ip any any

Apply outbound on s0 and e0.

The router will accept telnet packets for 192.168.134.x or 192.168.11.x; it will route the packets to s0 or e0 respectively; the packets will hit the access list at s0 or e0 and will be dropped.
Lahori-Guy

2004-09-02, 11:59 am

Why not apply THAT exact ACL as inbound instead of outbound? So the router won't even have to process the packets. They will be dropped as soon as they hit the interface. So the ACL would be applied to both interfaces (s0 and E0) inbound!

What do you think?
dmaftei

2004-09-02, 12:33 pm

quote:
Originally posted by Lahori-Guy
inbound
That would probably work too, but I didn't give it too much thought.
stnosc

2004-09-02, 12:36 pm

Yes, I believe it would be more efficient to apply it inbound for the reason you stated.
SureshHomepage

2004-09-11, 3:07 am

Good point Lahori-Guy!

It wouldn't make any real sense if the ACL is applied on outbound. It should be on R3's S0 as inbound.
Lahori-Guy

2004-10-04, 12:23 pm

quote:
access-list 101 deny tcp any 192.168.134.1 0.0.0.255 eq telnet

hey dmaftei,

Since, as you suggested, it is applied as outbound on the serial interface on R3, wouldn't that allow incoming telnet connections on that interface from, let's say, R2?

It will only deny telnet traffic if it originated from the LAN segment.

I was just re-reading the whole post and this hit me.
Please excuse me if I'm wrong, just wanna clarify.
dmaftei

2004-10-04, 2:06 pm

Here's what I said:
quote:
access-list 101 deny tcp any 192.168.134.1 0.0.0.255 eq telnet
access-list 101 deny tcp any 192.168.11.2 0.0.0.255 eq telnet
access-list 101 permit ip any any

Apply outbound on s0 and e0.


So:

  • access list 101 has two deny statements, one for s0 and one for e0.
  • it should be applied on both s0 and e0.
Lahori-Guy

2004-10-04, 3:56 pm

Yes, so if I try telneting to a 134 address from RTR2, let's say, I should be able to get through since the ACL is applied outbound only. AND also if I try to telnet from the LAN interface of RTR3, I would be able to get to either the LAN or the serial interface since the ACL is applied OUTbound.

I'm thinking too much, man.
dmaftei

2004-10-04, 4:24 pm

By applying the access list to interfaces you will not block telnet to the router itself, regardless of how you apply the access list (inbound or outbound). You need to apply the access list to vty lines if you want to do that.

quote:
yes, so if i try telneting to 134 address from RTR2 lets say..i should be able to get through since the ACL is applied outbound only.

The only 134 address to which you could telnet from R2 is 132.1, R3 itself. Again, if you want to deny that put an access list on vty lines.

quote:
AND also if i try to telnet from the LAN interface of rtr3, i would be able to get to either the LAN or the Serial interface since the ACL is applied OUTbound.

If you want to telnet from a host on LAN to another host on LAN, your packets don't go through R3, so the access list is irrelevant. If you want to telnet from LAN to R2 (the 134 subnet) you can't because your telnet will be blocked outbound at s0. If you want to telnet from LAN to R3 you can; if you want to deny that apply an access list on vty lines.
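As an added illustration that is not part of the thread: a small Python model of how IOS extended ACL entries are matched (wildcard masks, first match wins, implicit deny at the end), run against both lists posted above (the telnet list from this post and the two-line FTP list from the earlier reply). The packet addresses and the helper names are constructed assumptions; the ACL lines are the thread's own.

```python
import ipaddress

PORTS = {"ftp": 21, "telnet": 23}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a tuple."""
    t = line.split()[2:]              # drop 'access-list' and the list number
    action, proto, rest = t[0], t[1], t[2:]
    addrs = []
    while len(addrs) < 2:             # source, then destination
        if rest[0] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        elif rest[0] == "host":
            addrs.append((rest[1], "0.0.0.0")); rest = rest[2:]
        else:                         # explicit address + wildcard
            addrs.append((rest[0], rest[1])); rest = rest[2:]
    port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
    return action, proto, addrs[0], addrs[1], port

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, p, s, d, port in (parse_ace(l) for l in acl):
        if p not in ("ip", proto):
            continue
        if not (wildcard_match(src, *s) and wildcard_match(dst, *d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# The two lists posted in the thread (transcribed, not invented)
ACL_TELNET = [
    "access-list 101 deny tcp any 192.168.134.1 0.0.0.255 eq telnet",
    "access-list 101 deny tcp any 192.168.11.2 0.0.0.255 eq telnet",
    "access-list 101 permit ip any any",
]
ACL_FTP = [
    "access-list 101 deny tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq ftp",
    "access-list 101 permit tcp any host 192.168.1.1 eq ftp",
]
```

The model only decides whether a forwarded packet matches; as the post says, traffic addressed to the router itself never passes an interface's outbound list, which is why telnet to R3's own addresses has to be restricted on the vty lines instead.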
Lahori-Guy

2004-10-04, 5:22 pm

Yup, you are right about applying it to the vty lines, but I think that applying the same ACL as inbound would do the trick of blocking the access to R3 and the connected networks as well, and is better than applying it to the vty lines.

Thanks for your time, by the way; knowledge is the only thing that increases by sharing.
dmaftei

2004-10-04, 8:32 pm

quote:
Originally posted by Lahori-Guy
but i think that applyin the same acl as inbound would do the trick of blockin the access to R3 ... is better then applyin it to the vty lines.

I don't think applying the access list inbound on your interfaces will block telnet access to the router. I think you must apply the access list to vty lines to accomplish that. And I'm sure that somebody with actual networking experience will correct me if I'm wrong, so stay tuned.
Lahori-Guy

2004-10-04, 9:11 pm

Nope. I might disappoint you, but I have to tell you that applying that ACL on the serial and Ethernet interfaces inbound WILL block telnet access to it, and I don't need anybody's opinion for that since I myself have enough networking experience to confirm this. I work with routers from the 1700 to 7200 series every day.

Now as far as the original question goes, my sole purpose was to clarify that I'm not reading the question wrong.
Copyright 2003 - 2008 examnotes.net