Perhaps this might be a place for context based access control (CBAC) as
well. I am very new to this, having just put a CBAC up on my multipurpose
router which is doing duty as my new firewall. Let me try to explain this
without referring to the book.

With CBAC, essentially one has two access lists. One on the trusted side,
one on the untrusted side. The outbound traffic (trusted to untrusted)
punches holes in the access list per conversation. Those holes are open only
during the course of the conversation. So in your case, you might have an
access list inbound on the untrusted side denying all ip traffic. On the
trusted side, your access list would define what was and was not permitted
to move from the trusted to untrusted side. The CBAC is activated by the
"inspect" command, which tells the router to inspect all traffic defined in
the trusted side access list, and open holes based on that list. These holes
close upon the end of a conversation or based on configurable timeout
values.

Note - in a production network, one must take care that there are means for
routing protocol updates to occur. Or one must be content with the trusted
side being a stub network.

More information can be found in Held & Hundley's Cisco Access List Field
Guide or on CCO at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/fw7200.htm
Watch the word wrap

HTH

Chuck
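A worked IOS configuration of the arrangement Chuck describes, fitted to Asad's two-LAN 2611: deny-all inbound on the untrusted side, an outbound-defining list plus "inspect" on the trusted side. This is an added example, not configuration from any post in the thread; the interface names, addresses, ACL numbers, rule name and timeouts are assumptions.

```cisco
! Constructed example: CBAC on a 2611 routing between two LANs.
! Trusted side 10.0.0.0/8 on Ethernet0/0, untrusted side
! 192.168.0.0/16 on Ethernet0/1 (names and addresses assumed).
!
! Inspection rule: which protocols started from the trusted side
! get temporary return holes opened for them.
ip inspect name TRUSTED-OUT tcp
ip inspect name TRUSTED-OUT udp
! Global idle timeouts (seconds) after which an open hole is closed.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! Trusted side, inbound: what 10.0.0.0/8 is permitted to start.
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 101 deny ip any any
!
! Untrusted side, inbound: deny all IP. CBAC inserts temporary permit
! entries ahead of this line per inspected conversation and removes
! them when the conversation ends or the idle timer expires.
! ICMP is not in the rule above, so echo replies from 192.168 are
! dropped here unless permitted explicitly. A routing protocol
! peering on this side would likewise need an explicit permit above
! the deny, otherwise the 10 side stays a stub network.
access-list 102 deny ip any any
!
interface Ethernet0/0
 description trusted LAN 10.0.0.0/8
 ip address 10.0.0.1 255.0.0.0
 ip access-group 101 in
 ip inspect TRUSTED-OUT in
!
interface Ethernet0/1
 description untrusted LAN 192.168.0.0/16
 ip address 192.168.0.1 255.255.0.0
 ip access-group 102 in
```

To confirm holes are being opened and closed as expected, "show ip inspect sessions" lists the conversations CBAC is currently tracking, and "show access-list 102" shows the temporary entries in front of the deny.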

-----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Neiberger
Sent:   Wednesday, July 05, 2000 11:10 AM
To:     [EMAIL PROTECTED]
Subject:        RE: Access Lists

Extended ACLs place the source address first, so that line should read:

access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any

Even this won't have the entire desired effect.  This may prevent the setup
of TCP connections, but UDP traffic from the 192.168 network could travel
freely to the 10 network.  Because the nature of IP is send/reply, it's
difficult to implement an access list that has the desired effect without
breaking something else.  In this case, it's difficult to limit access to 10
without breaking 10's access to 192.168.

Hmm....perhaps this might be an opportune time to find a place for that
"established" ACL keyword.  :-)

Still pondering,
John Neiberger

>  Why don't you just use one access list on the 192.168.x.x network router to
>  deny it from seeing any traffic from the 10 network?
>
>  eg.
>  #access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
>  #access-list 101 permit any any
>
>  Apply this outbound to the 192.168.x.x interface and you should be set.
>  This will allow traffic from the 10 netwk to get to the 192.168 netwk but
>  will deny 192.168 from getting to 10.
>
>
>  Vijay Ramcharan, MCSE, CCNA
>
>
>  -----Original Message-----
>  From: Asad Jafari [mailto:[EMAIL PROTECTED]]
>  Sent: Wednesday, July 05, 2000 12:27 PM
>  To: [EMAIL PROTECTED]
>  Subject: Access Lists
>
>
>  Hello All,
>
>  I've configured a 2611 for routing in between two different LAN's. One is a
>  10.0.0.0 and the other is 192.168.0.0. I have configured access lists for
>  this. I want the 10.0.0.0 network to see the 192.168.0.0 network. I don't
>  want the 192.168.0.0 network to see the 10.0.0.0 network. I have been
>  playing with it but can't get it to work. Either it will block both sides or
>  open both.
>
>  Any help will be really appreciated.
>  Thanks in advance,
>
>  Asad Jafari.
>
>  ___________________________________
>  UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>  FAQ, list archives, and subscription info: http://www.groupstudy.com
>  Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]