Re: Access lists
- From: Trendkill <jpmason@xxxxxxxxx>
- Date: Tue, 13 Nov 2007 12:15:18 -0000
On Nov 13, 6:42 am, njwhitwo...@xxxxxxxxx wrote:
Hello there,
I have a question about access lists. We have a simple network
topology with 2 x 2811 routers interconnected by their eth0/0
interfaces. We have a development network hanging off the eth0/1
interface of router A and a production network hanging off the eth0/1
interface of router B.
We require hosts on the production network to be able to ssh and http
to the development environment. However, we do not want the
development machines to initiate connections to the production
environment. I have applied an outbound access list on the eth0/0
interface of router B allowing traffic to the development environment.
I have also applied an inbound access list on the same interface
denying the development vlans any traffic. This seems to be blocking
the reply traffic for the connections initiated from the production
environment - is this expected? How can I allow connections from
clients on the production network through to the dev environment but
block connections being initiated from the dev environment?
Thanks,
Nick
Very simply, you need to poke holes in the inbound ACL for telnet/
ssh. The ACLs are black/white mechanisms, and will deny or allow
whatever you set, and have no understanding of sessions like NAT/PAT.
That being said, I would consider using a single access-list on the
inbound of E0/0 on Router A allowing telnet/ssh and nothing else.
Even if the dev servers initiated a connection outbound, it would not
be allowed back in, and this would work smoothly. The only risk of
course is someone running a service on port 22 in your production farm
and connecting to it from dev, but even your solution would allow this
to happen. Just my 2 cents.