Access-list / Group??

  • Access-list / Group??


    I am new to Cisco routers, so please bear with me.

    I work mostly on Linux systems and the company just purchased a Cisco 2800 Series Router. What I want to ask is: can we have a list of internal IP addresses in a group, or something like a list, and then just allow a few ports to that list, so the users in the list can only connect to those specified ports on the internet from within the LAN?

    I know it works on a Linux system with iptables, as I am running it already. I don't want the users inside the LAN to have complete access to the internet via NAT.


    list of internal users


    then grant a few ports

    permit Group1 eq www
    permit Group1 eq ftp
    permit Group1 eq ssl
    permit Group1 eq telnet

    Any pointers would be highly appreciated.


  • #2
    Re: Access-list / Group??

    Definitely read up on ACLs. They let you do pretty much anything you could ever imagine.

    ! Extended ACL: source, then destination, then the destination port
    access-list 100 permit tcp any any eq www
    access-list 100 permit tcp any any eq ftp
    access-list 100 permit tcp any any eq ftp-data
    access-list 100 permit tcp any any eq 443
    access-list 100 permit tcp any any eq 23
    access-list 100 deny ip any any

    Keep in mind this ACL must be applied correctly to an interface. It can't be at the most external interface because then you're using your public IP address. If that's the case, you can just change it to "permit tcp host [static global IP] any eq xxx". I'm pretty good with ACLs, so ask away if you have more questions.

    You can add a log statement to the end of those to log traffic, or you can change them to look at source ports as well. ACLs have TONS of options.

    I know Cisco has good articles on ACLs, so look into it if you need more than what I've given you.
    Last edited by kornface13; 30th December 2008, 08:04.
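The setup the original poster asks for, a named group of internal hosts allowed only a few outbound ports, written out as a working IOS configuration that also follows the reply's point about applying the ACL where the private addresses are still visible (an added example, not from either poster). It assumes the LAN sits on FastEthernet0/0, that the group's hosts are 192.168.1.10 through 192.168.1.13 (constructed addresses), and an IOS release with object-group ACL support (12.4(20)T or later); on older releases, repeat each permit line with a `host` source instead of the object-group.

```cisco
! Added example (not from the thread). Assumptions: LAN on FastEthernet0/0,
! restricted users at 192.168.1.10-192.168.1.13 (constructed), IOS with
! object-group ACL support (12.4(20)T or later).
!
! The group of internal users the question calls "Group1"
object-group network Group1
 host 192.168.1.10
 host 192.168.1.11
 range 192.168.1.12 192.168.1.13
!
! Named extended ACL: Group1 may reach only these destination ports
ip access-list extended LAN-INBOUND
 remark Group1: web, ftp, https, telnet only
 permit tcp object-group Group1 any eq www
 permit tcp object-group Group1 any eq ftp
 permit tcp object-group Group1 any eq 443
 permit tcp object-group Group1 any eq telnet
 remark DNS so hostnames still resolve; drop this if a local resolver is used
 permit udp object-group Group1 any eq domain
 remark everything else from Group1 is dropped and logged
 deny ip object-group Group1 any log
 remark hosts outside Group1 are not restricted by this ACL
 permit ip any any
!
! Apply INBOUND on the LAN interface: packets are matched before NAT,
! so the private source addresses are still visible (the reply's point
! about not filtering on the outside interface)
interface FastEthernet0/0
 ip access-group LAN-INBOUND in
```

After applying it, `show access-lists LAN-INBOUND` prints per-entry match counts, which shows which lines the users' traffic is actually hitting and whether the logged deny is catching anything unexpected.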