RE: ACL router problem



Hi David,

I did first remove the whole access list and then paste it again with the added line above.

thanks

marco


--- On Thu, 10/7/10, David Gillett <gillettdavid@xxxxxxxx> wrote:

From: David Gillett <gillettdavid@xxxxxxxx>
Subject: RE: ACL router problem
To: "'Juan B'" <juanbabi@xxxxxxxxx>, "'security basics'" <security-basics@xxxxxxxxxxxxxxxxx>
Date: Thursday, October 7, 2010, 6:11 PM
HOW did you "add the first line"?  If all you did was type in that line as an addition to the config, you added a new LAST line, after the explicit deny of all, where it can't make any difference.

To insert a new line at the top as you want, you need to:

1. remove the ACL from the interface
2. delete the ACL
3. Paste the new ACL -- the whole thing, in order
4. apply the ACL to the interface

(I use a home-grown tool that scripts this process...)

David Gillett, CISSP CCNP


-----Original Message-----
From: Juan B [mailto:juanbabi@xxxxxxxxx]
Sent: Thursday, October 07, 2010 14:40
To: security basics
Subject: ACL router problem

Hi ALL !!

I need to connect from a host (192.168.8.139) in the LAN to host 192.168.1.15, so I put an ACL like this (I added the first line):

access-list 111 permit tcp host 192.168.8.139 any
access-list 111 permit tcp 192.168.0.0 0.0.255.255 host 192.168.8.2 eq telnet
access-list 111 permit tcp host 192.168.8.7 any
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 111 permit udp 192.168.0.0 0.0.255.255 any eq domain
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 5900
access-list 111 permit ip host 192.168.8.198 any
access-list 111 permit ip host 192.168.8.199 any
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny   icmp any any
access-list 111 permit tcp any any established
access-list 111 deny   ip any any log

Take a look also at line 3 of the ACL: this host is the internal mail server, and from that mail server, when I try to connect to host 192.168.1.15, there is no problem! So I made a similar entry to enable the connection from my host (192.168.8.139), but it doesn't work! I know it's a problem with the ACL, because when I remove this ACL (which is applied to VLAN 1, BTW) the connection works!

please help !
marco
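To see why the position of the new entry decides the outcome, and what David's four-step reload amounts to in IOS commands, here is an added example; it is not code from the thread, from David's tool, or from Cisco. It is a small Python first-match evaluator for the ACL Juan posted (copied from his message, minus the line he added), plus a generator for the remove/delete/paste/reapply command sequence. The destination port 22, the interface name Vlan1 and the direction in are assumptions: the post only says the ACL is applied to VLAN 1 and never names the service. The parser understands only the keywords that appear in the posted ACL.

```python
"""First-match evaluation of a Cisco IOS numbered extended ACL, and the
command sequence for inserting an entry at the top of it (added example)."""
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "smtp": 25}
ICMP_TYPES = {"echo-reply", "echo", "source-quench", "time-exceeded"}

# Copy of the ACL from the original post, without the line Juan added.
POSTED_ACL = """\
access-list 111 permit tcp 192.168.0.0 0.0.255.255 host 192.168.8.2 eq telnet
access-list 111 permit tcp host 192.168.8.7 any
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 111 permit udp 192.168.0.0 0.0.255.255 any eq domain
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq 5900
access-list 111 permit ip host 192.168.8.198 any
access-list 111 permit ip host 192.168.8.199 any
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny   icmp any any
access-list 111 permit tcp any any established
access-list 111 deny   ip any any log
""".splitlines()
NEW_LINE = "access-list 111 permit tcp host 192.168.8.139 any"


def _parse_addr(tokens):
    """Consume one address spec; return (network, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_entry(line):
    """Parse 'access-list N action proto src dst [eq port] [established] [icmp-type] [log]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not a numbered ACL entry: " + line)
    src, src_w, rest = _parse_addr(t[4:])
    dst, dst_w, rest = _parse_addr(rest)
    entry = {"action": t[2], "proto": t[3], "src": (src, src_w), "dst": (dst, dst_w),
             "dport": None, "established": False, "icmp_type": None, "log": False}
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            port = rest.pop(0)
            entry["dport"] = PORT_NAMES.get(port) or int(port)
        elif tok == "established":
            entry["established"] = True
        elif tok == "log":
            entry["log"] = True
        elif tok in ICMP_TYPES:
            entry["icmp_type"] = tok
        else:
            raise ValueError("unsupported keyword: " + tok)
    return entry


def _in_range(addr, spec):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def matches(entry, pkt):
    """pkt: dict with proto, src, dst and optional dport, established, icmp_type."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not _in_range(int(ipaddress.IPv4Address(pkt["src"])), entry["src"]):
        return False
    if not _in_range(int(ipaddress.IPv4Address(pkt["dst"])), entry["dst"]):
        return False
    if entry["dport"] is not None and pkt.get("dport") != entry["dport"]:
        return False
    if entry["established"] and not pkt.get("established", False):
        return False
    if entry["icmp_type"] is not None and pkt.get("icmp_type") != entry["icmp_type"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return (1-based line number, action) of the first matching entry.
    IOS stops at the first match; no match means the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        entry = parse_entry(line)
        if matches(entry, pkt):
            return n, entry["action"]
    return None, "deny"


def reload_commands(acl_lines, interface="Vlan1", direction="in"):
    """IOS commands for David's four steps. Interface name and direction are
    assumptions; the post only says the ACL is applied to VLAN 1."""
    number = acl_lines[0].split()[1]
    return ([f"interface {interface}", f"no ip access-group {number} {direction}", "exit",
             f"no access-list {number}"] + list(acl_lines) +
            [f"interface {interface}", f"ip access-group {number} {direction}", "exit"])


if __name__ == "__main__":
    # Constructed packet: the port is an assumption, the thread never names it.
    pkt = {"proto": "tcp", "src": "192.168.8.139", "dst": "192.168.1.15", "dport": 22}
    print("line typed in (lands last):", evaluate(POSTED_ACL + [NEW_LINE], pkt))
    print("line pasted at the top:   ", evaluate([NEW_LINE] + POSTED_ACL, pkt))
    print("\n".join(reload_commands([NEW_LINE] + POSTED_ACL)))
```

With the line typed in after the fact it lands after the explicit deny ip any any log, so the evaluator reports the deny on line 15 and the new entry is never reached; with the line at the top it is the first match. The same evaluator shows the mail server (192.168.8.7) hitting line 3 of the rebuilt ACL, as Juan described. One caveat on the reload itself: between the no ip access-group and the reapply, VLAN 1 carries no filter at all, so do it in a maintenance window or, where the platform allows, build the new list under a different number and swap the interface binding to it in a single command before deleting the old one.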





------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------