RE: ACL router problem



Hi David,

I did remove first all the access list and them paste it again with the added line above.

thanks

marco


--- On Thu, 10/7/10, David Gillett <gillettdavid@xxxxxxxx> wrote:

From: David Gillett <gillettdavid@xxxxxxxx>
Subject: RE: ACL router problem
To: "'Juan B'" <juanbabi@xxxxxxxxx>, "'security basics'" <security-basics@xxxxxxxxxxxxxxxxx>
Date: Thursday, October 7, 2010, 6:11 PM
   HOW did you "add
the first line"?  If all you did was type in that line
as an addition to the config, you added a new LAST line,
after the explicit
deny of all, where it can't make any difference.
  To insert a new line at the top as you want, you
need to:

1. remove the ACL from the interface
2. delete the ACL
3. Paste the new ACL -- the whole thing, in order
4. apply the ACL to the interface

(I use a home-grown tool that scripts this process...)

David Gillett, CISSP CCNP


-----Original Message-----
From: Juan B [mailto:juanbabi@xxxxxxxxx]
Sent: Thursday, October 07, 2010 14:40
To: security basics
Subject: ACL router problem

Hi ALL !!

I need to connect from a host (192.168.8.139)in the lan to
host 192.168.1.15
so I put acl like this: ( I added the first line )

access-list 111 permit tcp host 192.168.8.139 any
access-list 111 permit tcp 192.168.0.0 0.0.255.255 host
192.168.8.2 eq
telnet
access-list 111 permit tcp host 192.168.8.7 any
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq
www
access-list 111 permit udp 192.168.0.0 0.0.255.255 any eq
domain
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq
443
access-list 111 permit tcp 192.168.0.0 0.0.255.255 any eq
5900
access-list 111 permit ip host 192.168.8.198 any
access-list 111 permit ip host 192.168.8.199 any
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any source-quench
access-list 111 permit icmp any any time-exceeded
access-list 111 deny   icmp any any
access-list 111 permit tcp any any established
access-list 111 deny   ip any any log

take a look also at line 3 of the acl this host is the
internal mail server,
from that mail server when I try to connect to host
192.168.1.15 there is no problem !!! so I made a similar
entry to enable
connection from my host (192.168.8.139) but It doesnt work
!! I know its a
problem of the ACL beacuse when I remove this ACL (which is
applied to vlan
1 BTW) the connection works!!

please help !
marco





------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we
examine the importance of Apache-SSL and who needs an SSL
certificate.  We
look at how SSL works, how it benefits your company and how
your customers
can tell if a site is secure. You will find out how to
test, purchase,
install and use a thawte Digital Certificate on your Apache
web server.
Throughout, best practices for set-up are highlighted to
help you ensure
efficient ongoing management of your encryption keys and
digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------






------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------