I would use something like the access-list below and apply it inbound to
your serial interface. Replace the 210.145.3.128 0.0.0.63 with your subnet.
It might be a good idea to log the deny packets to a syslog server.

! Drop packets arriving with RFC 1918 private source addresses
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
! TCP segments with ACK or RST set, and UDP to ports above 1023
access-list 101 permit tcp any 210.145.3.128 0.0.0.63 established
access-list 101 permit udp any 210.145.3.128 0.0.0.63 gt 1023
! ICMP error messages
access-list 101 permit icmp any 210.145.3.128 0.0.0.63 host-unreachable
access-list 101 permit icmp any 210.145.3.128 0.0.0.63 port-unreachable
access-list 101 permit icmp any 210.145.3.128 0.0.0.63 packet-too-big
access-list 101 permit icmp any 210.145.3.128 0.0.0.63 administratively-prohibited
access-list 101 permit icmp any 210.145.3.128 0.0.0.63 source-quench
access-list 101 permit icmp any 210.145.3.128 0.0.0.63 ttl-exceeded
! Deny and log everything else
access-list 101 deny ip any any log


Marc Russell
Network Learning, Inc.

"Joe Morabito" wrote in message news:[EMAIL PROTECTED]...
> How can you apply an access list to a serial interface to block all internet
> traffic without disabling the inside people from getting out?
>
> I have a 1720 with the serial deny ip any any and the ethernet uses an inside
> addressing scheme with nat to get to the outside.
>
> But when I apply the deny ip any any and access-group xxx in to the serial
> interface, people can no longer get outside.  Any ideas?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=14038&t=13928
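
An added example, not part of the original post: a Python check that converts each `deny ip <address> <wildcard>` source entry of an anti-spoofing ACL to a prefix and compares it with the RFC 1918 blocks, so a wildcard that is too wide or too narrow shows up before the list is applied. The two sample ACLs are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample ACLs (not taken from a real device).
BROAD_ACL = """\
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.0.0.0 0.127.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip any any log
"""
TIGHT_ACL = BROAD_ACL.replace("172.0.0.0 0.127.255.255",
                              "172.16.0.0 0.15.255.255")

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # contiguous wildcards are 2**k - 1
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wc.bit_length()))

def deny_sources(acl_text):
    """Yield the source network of each 'deny ip <addr> <wildcard>' entry."""
    for line in acl_text.splitlines():
        tok = line.split()
        if (len(tok) >= 6 and tok[0] == "access-list"
                and tok[2:4] == ["deny", "ip"]
                and tok[4] not in ("any", "host")):
            yield wildcard_to_network(tok[4], tok[5])

def audit(acl_text):
    """List RFC 1918 blocks left uncovered and deny entries that reach past them."""
    denied = list(deny_sources(acl_text))
    findings = [f"{b} is not fully denied" for b in RFC1918
                if not any(b.subnet_of(d) for d in denied)]
    findings += [f"{d} covers addresses outside RFC 1918" for d in denied
                 if not any(d.subnet_of(b) for b in RFC1918)]
    return findings

if __name__ == "__main__":
    for name, acl in (("broad", BROAD_ACL), ("tight", TIGHT_ACL)):
        print(name, audit(acl) or "matches RFC 1918")
```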