access-list problem


  • access-list problem

    Hi,

    My LAN is 10.10.10.0/24, my PC is 10.10.10.15 and the router is a 2500 series.

    I want to deny access to Yahoo port 5050 to everyone except me. I've tried with these rules:

    access-list 125 permit tcp host 10.10.10.15 any eq 5050 log
    access-list 125 deny tcp any any eq 5050 log

    interface serial1:
    ip access-group 125 out

    -------------

    I receive these logs on the router, but I can't connect:

    %SEC-6-IPACCESSLOGP: list 125 permitted tcp 10.10.10.15(1652) -> 216.155.193.137(5050), 1 packet
    %SEC-6-IPACCESSLOGP: list 125 denied tcp 10.10.10.33(1524) -> 216.155.193.170(5050), 1 packet

    I've also tried adding "access-list 125 permit tcp any any eq 5050 established" as the first line, without results.

    Can you tell me what I'm doing wrong?

    thanks...

  • #2
    Re: access-list problem

    Hi Efrenba,

    your logs show:

    %SEC-6-IPACCESSLOGP: list 125 permitted tcp 10.10.10.15(1652) -> 216.155.193.137(5050), 1 packet
    %SEC-6-IPACCESSLOGP: list 125 denied tcp 10.10.10.33(1524) -> 216.155.193.170(5050), 1 packet

    Summary:
    - 10.10.10.15 is permitted out to 216.155.193.137 on 5050 (router source port was 1652)
    - 10.10.10.33 is denied out to 216.155.193.137 on 5050 (router source port was 1524)

    Based on what you've told us, isn't this what you wanted to do? Bear in mind the following:

    - I'm not sure what application runs on 5050 (Yahoo Messenger, by any chance?). Is this definitely what you want to block? Are other ports needed for your application? Is the application failing because it maybe needs additional ports?
    - There is an 'implicit deny' at the end of every access-list. Unless you now add on a 'permit' at the end of your list, everything else will be dropped. So, in actual fact, your acl statement "access-list 125 deny tcp any any eq 5050 log" is not presently needed; an implicit deny would suffice.
    (Is this what you meant when you said "I receive these logs in the router but I can't connect me"?)

    Can you maybe reply and let us know what you are trying to achieve generally?

    ie, "I want to block access to an application running on...."

    HTH-

    regards,

    theterranaut
    Last edited by theterranaut; 4th November 2006, 10:50.



    • #3
      Re: access-list problem

      Hi,

      First of all, thanks for your time and patience.

      I want to block access to Yahoo Messenger for all users on my LAN except me. I need to block only the Yahoo Messenger access, because on the other side of the router several applications are running (http, telnet, ftp, etc).

      What would be the correct ACL to accomplish it?

      Thanks...



      • #4
        Re: access-list problem

        No problem Efrenba, thank you for coming back!


        So: your lan is 10.10.10.0/24, your PC is 10.10.10.15 and your router is a Cisco 2500 series device.

        You want to:
        (1) permit access to yourself to Yahoo Messenger (tcp 5050);
        (2) deny access to everyone else to Yahoo Messenger (tcp 5050);
        (3) allow some other outbound traffic (examples given were http, telnet, ftp).

        So, an acl set to accomplish this could be:

        (1)access-list 125 permit tcp host 10.10.10.15 any eq 5050 log
        (2)access-list 125 deny tcp any any eq 5050 log
        (3)access-list 125 permit tcp any any eq 80 log
        (4)access-list 125 permit tcp any any eq 23 log
        (5)access-list 125 permit tcp any any eq 21 log

        And finally, apply the access-group on an interface, in a direction:

        (6)interface serial1:
        (7)ip access-group 125 out


        Alternatively, you could just allow (1), deny (2), and permit everything else: this might be the best thing to do first until you know exactly all the applications you have running out there:

        (1)access-list 125 permit tcp host 10.10.10.15 any eq 5050 log
        (2)access-list 125 deny tcp any any eq 5050 log
        (3)access-list 125 permit ip any any log
        (4)interface serial1:
        (5)ip access-group 125 out

        try these out and let me know how you get on,

        regards,

        theterranaut



        • #5
          Re: access-list problem

          Hi Efrenba,
          You are putting your access-list wrong. At the end of every access list there is an explicit deny, so we should end our access list with a permit statement. Your access list contains a deny at the end of the list:
          ========================================================
          access-list 125 permit tcp host 10.10.10.15 any eq 5050 log
          access-list 125 deny tcp any any eq 5050 log

          interface serial1:
          ip access-group 125 out
          ========================================================
          This deny at the end of the list is dropping all your packets, so write your access list with a permit at the end.
          Your access list should end with the statement:
          access-list 125 permit ip any any

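The behaviour described in posts #4 and #5 (first match wins, then an implicit deny) can be checked offline with a small simulator. This is an added example, not code from the thread or from Cisco; it models only the "any" and "host" address forms the thread uses, and the DNS/HTTP flows and 192.0.2.x destinations are constructed sample values.

```python
from ipaddress import ip_address, ip_network


def parse_ace(line):
    """Parse one 'access-list N permit|deny proto src dst [eq port] [log]' entry.
    Only 'any' and 'host A.B.C.D' addresses are supported (all the thread needs)."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4
    addrs = []
    for _ in range(2):  # source, then destination
        if tok[i] == "any":
            addrs.append(ip_network("0.0.0.0/0")); i += 1
        elif tok[i] == "host":
            addrs.append(ip_network(tok[i + 1] + "/32")); i += 2
        else:
            raise ValueError("unsupported address form: " + tok[i])
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, addrs[0], addrs[1], port


def evaluate(acl_lines, proto, src, dst, dport):
    """Walk the list top-down; the first matching entry decides the packet."""
    for action, aproto, asrc, adst, aport in map(parse_ace, acl_lines):
        if aproto not in ("ip", proto):
            continue
        if ip_address(src) not in asrc or ip_address(dst) not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS access-list


ORIGINAL = [  # the list from the first post: no final permit
    "access-list 125 permit tcp host 10.10.10.15 any eq 5050 log",
    "access-list 125 deny tcp any any eq 5050 log",
]
CORRECTED = ORIGINAL + ["access-list 125 permit ip any any log"]  # post #4, variant 2


def compare(src, proto, dport, dst="216.155.193.137"):
    """Return (verdict under ORIGINAL, verdict under CORRECTED) for one outbound flow."""
    return (evaluate(ORIGINAL, proto, src, dst, dport),
            evaluate(CORRECTED, proto, src, dst, dport))


if __name__ == "__main__":
    # constructed flows: Messenger from the admin PC, from another PC,
    # then the admin PC's DNS lookup and a colleague's web browsing
    for flow in [("10.10.10.15", "tcp", 5050), ("10.10.10.33", "tcp", 5050),
                 ("10.10.10.15", "udp", 53, "192.0.2.53"),
                 ("10.10.10.33", "tcp", 80, "192.0.2.80")]:
        print(flow, compare(*flow))
```

The third and fourth flows are the ones the original list silently drops: everything that is not port 5050 falls through to the implicit deny, which is why the permitted Messenger packet in the log was not enough for the session to work.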


          • #6
            Re: access-list problem

            Glad we agree on this, Ahmer.

            Have you had a chance to test yet, Efrenba?

            regards,

            theterranaut



            • #7
              Re: access-list problem

              Hi friends,

              I've not forgotten. Tomorrow morning I'll try again, then I'll tell you

              Thanks....



              • #8
                Re: access-list problem

                Hi,

                I tested the rules as you told me, and they worked great!!!

                Thank you very much...



                • #9
                  Re: access-list problem

                  Glad to have been able to help, Efrenba. Ahmer will also be pleased to hear this.

                  regards,

                  theterranaut
