Have a question or want to start a discussion? Post it! No Registration Necessary. 
Now with pictures!
Threaded View
Subject
- Ammad Shah
November 2, 2008, 6:38 pm
Reply
Save
Print
Dear All,
I am using Remote-vpn to connect work place. but i want to limit that
user to be able to access only
two server 172.16.10.45 and 172.16.10.46 (web/80) . for that i created
acl but its not working,
i can access all services on these system.
My wan interface is fa0 , and when i connect to work place , pool
assigns me ip address 192.168.81.10.
ACL implemnented on FA0 in. where as servers are on fa1.1 (vlan 1).
ip access-list extended webout
permit tcp any 192.168.81.0 0.0.0.255 established
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.45 eq www
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.45 eq 8080
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.46 eq www
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.46 range 8080 8099
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.46 range 3380 3390
deny ip any any
where is the problem ?
I am using Remote-vpn to connect work place. but i want to limit that
user to be able to access only
two server 172.16.10.45 and 172.16.10.46 (web/80) . for that i created
acl but its not working,
i can access all services on these system.
My wan interface is fa0 , and when i connect to work place , pool
assigns me ip address 192.168.81.10.
ACL implemnented on FA0 in. where as servers are on fa1.1 (vlan 1).
ip access-list extended webout
permit tcp any 192.168.81.0 0.0.0.255 established
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.45 eq www
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.45 eq 8080
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.46 eq www
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.46 range 8080 8099
permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.46 range 3380 3390
deny ip any any
where is the problem ?
Re: Cisco VPN and Access-list ?
the established keyword, doesnt' tear down existing connections however,
so did you reconnect AFTER you applied the list to see if it worked or not ?
also maybe its applied in the wrong direction, or to the wrong interface...
one other thing that I am a bit uncomfortable with is the range keyword
used for ports.
I haven't used the ACLs in a while, and CISCO's site, only shows the
time-range command,
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ipnamacl
Ammad Shah wrote:
Site Timeline
- » Making The Pirate Bay obsolete
- — Next thread in » Cisco Certification
-
- » "show ip interface brief" output
- — Previous thread in » Cisco Certification
-
- » Multiple Jobs Corp - Corp. Windows Data Access Management - Information Security &...
- — Newest thread in » Cisco Certification
-
- » Fire Stop/Block
- — The site's Newest Thread. Posted in » CCTV, Alarms and other Physical Security
-
XML Sitemap