[1827] in WWW Security List Archive
Re: Cisco access control
daemon@ATHENA.MIT.EDU (Rick Hicks)
Tue Apr 16 02:09:13 1996
Date: Mon, 15 Apr 1996 23:22:57 -0500
To: "Deloach, Scott D. SSgt" <DeloachS@emh.aon.af.mil>,
www-security <www-security@ns2.rutgers.edu>
From: rhicks@MO.NET (Rick Hicks)
Errors-To: owner-www-security@ns2.rutgers.edu
At 04:22 PM 4/15/96 -0400, Deloach, Scott D. SSgt wrote:
>Can anyone give me an example of what a Cisco access list would look like
>to give incoming SMTP access to a single IP and HTTP access to
>another IP and deny everything else?
In global config mode:
access-list 101 permit tcp any host <your mail relay IP> eq 25
access-list 101 permit tcp any host <your web server IP> eq 80
access-list 101 permit tcp any host <your mail relay IP> established
access-list 101 permit tcp any host <your web server IP> established
In interface config mode for the interface with the Internet, or incoming,
connection:
ip access-group 101 in
The first two rules allow hosts to open SMTP and HTTP connections to your
specified hosts. The second two allow 'established' connections to continue
communications with the hosts. The last applies the access-group to the
interface, screening packets that are incoming. The Cisco IOS will, by
default, deny all other connections. There are differences in Cisco IOS
versions that may not allow the use of the 'host' or 'any' keywords, so as
always consult your documentation or check out Cisco's web site; all of
their docs are online there.
Rick
__________________________________
Rick Hicks
System Specialist
Hussmann Corporation
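The rules above written out as a complete, applyable IOS fragment, as an added example that is not part of Rick's original post. The addresses (192.0.2.10 for the mail relay, 192.0.2.20 for the web server) and the interface name (Serial0) are assumed; the explicit "deny ip any any log" at the end is optional, since the list already ends in an implicit deny, but it makes the dropped traffic visible in the router log.

```cisco
! Added example (not from the original post). Addresses and interface
! name are assumed; 192.0.2.0/24 is a documentation range.
!
! Extended access list 101: inbound filter for the Internet-facing
! interface. Entries are evaluated top to bottom; the first match wins.
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 permit tcp any host 192.0.2.20 eq 80
!
! 'established' matches TCP segments with ACK or RST set, i.e. the
! replies to connections these two hosts opened outbound. It does not
! track state; it only inspects the flags on each packet.
access-list 101 permit tcp any host 192.0.2.10 established
access-list 101 permit tcp any host 192.0.2.20 established
!
! Explicit final deny so that drops show up in the log. Without this
! line the list still ends in an implicit deny of everything else.
access-list 101 deny ip any any log
!
! Apply the list to inbound packets on the Internet-facing interface.
! The interface-level command is 'ip access-group', not 'access-group'.
interface Serial0
 ip access-group 101 in
```

Note that only the two listed hosts get return traffic: any other internal host that opens a connection outbound will have its replies dropped by this list. If other hosts need outbound access, either add 'established' entries for them or replace the two 'established' lines with "access-list 101 permit tcp any any established" and accept the wider exposure that comes with it.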