[EMAIL PROTECTED] wrote:
> 
> If I am thinking of this correctly and thinking from the Point of View of
> the packet, traffic that leaves my PC leaves with a random source port to a
> well known (most of the time) port such as port 80.  So I think that the
> "eq 80" needs to go after the second "any" to signify destination port of
> 80 as such:
> 
> access-list 100 permit tcp any any eq 80

Depends on your security policy. He said he wanted to block port 80
transmitting, implying a source port of 80. This might be a policy for a
network where internal users aren't allowed out, but there is a Web site
that outside users access. It's sort of far-fetched, which is why everyone
asked him, "Are you sure this is what you meant?"

Anyway, securing a network is a big topic. Once he has figured out what his
policy is, he should start with Cisco documents such as

Cisco IOS Security Config Guide:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm

Cisco Security Architecture for Enterprise Networks:

http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html


He should also apply all the latest patches on his Exchange Server. Without
those, it won't matter what he does on the router. If it's a public server,
you have to let people in. But with the latest patches you can hopefully
keep them from doing anything other than what you want them to do.

A simple access list where the Exchange Server's address is 1.1.1.1 and it
runs mail, Web, SSL, and DNS, might look like:

access-list 150 remark outgoing traffic on int where server resides
access-list 150 permit icmp any any
access-list 150 permit tcp any 1.1.1.1 0.0.0.0 eq smtp
access-list 150 permit tcp any 1.1.1.1 0.0.0.0 eq www
access-list 150 permit tcp any 1.1.1.1 0.0.0.0 eq 443
access-list 150 permit udp any 1.1.1.1 0.0.0.0 eq domain
access-list 150 permit tcp any 1.1.1.1 0.0.0.0 eq domain

If you also want this server to be able to get out to the Net (like to
download those patches), you could add:

access-list 150 permit tcp any any established

Then, finally, add this at the end to log denied packets:

access-list 150 deny   ip any any log

So, no traffic is going to this server except services that you allow.
There's probably way more than just that you might want to do though, and I
did all that off the cuff, so hopefully there aren't mistakes, but you get
the gist, hopefully. The bottom line is that you need to figure out your
policy, study your protocols, study the options available to you, and then
start writing access lists. And do those patches! ;-)

Priscilla
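The thread turns on whether "eq 80" applies to the source or the destination port, and on first-match plus implicit-deny semantics. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for the numbered-ACL keyword subset used above (any, address/wildcard, eq, established, log, remark). `Packet`, `evaluate` and the sample addresses are constructed for illustration.

```python
# Added example (not from the thread): first-match evaluator for Cisco-style
# numbered ACL entries, to check the two "eq 80" placements debated above.
from collections import namedtuple
import ipaddress
IOS_PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}  # keywords used in the thread
# proto: "tcp"/"udp"/"icmp"; established: TCP segment with ACK or RST set
Packet = namedtuple("Packet", "proto src dst sport dport established",
                    defaults=(0, 0, False))
def _port(tok):
    return IOS_PORT_NAMES[tok] if tok in IOS_PORT_NAMES else int(tok)

def _addr(t, i, addr):
    # one IOS address spec at t[i]: 'any' or 'address wildcard-mask'
    if t[i] == "any":
        return True, i + 1
    base, wild, a = (int(ipaddress.IPv4Address(x)) for x in (t[i], t[i + 1], addr))
    return (base | wild) == (a | wild), i + 2  # set wildcard bits are don't-care

def _port_spec(t, i, port):
    # optional 'eq <port>' qualifier; absent means any port
    if i < len(t) and t[i] == "eq":
        return port == _port(t[i + 1]), i + 2
    return True, i

def ace_matches(ace, pkt):
    # access-list N action proto src [eq p] dst [eq p] [established] [log]
    t = ace.split()
    if t[3] not in (pkt.proto, "ip"):
        return None
    ok_s, i = _addr(t, 4, pkt.src)
    ok_sp, i = _port_spec(t, i, pkt.sport)
    ok_d, i = _addr(t, i, pkt.dst)
    ok_dp, i = _port_spec(t, i, pkt.dport)
    if "established" in t[i:] and not pkt.established:
        return None
    return t[2] if ok_s and ok_sp and ok_d and ok_dp else None

def evaluate(acl, pkt):
    # first matching entry wins; every IOS ACL ends with an implicit deny
    for ace in acl:
        if ace.split()[2] == "remark":
            continue
        verdict = ace_matches(ace, pkt)
        if verdict:
            return verdict
    return "deny"

# Constructed sample traffic: a workstation's web request and the server's reply.
CLIENT_TO_WEB = Packet("tcp", "10.0.0.5", "198.51.100.7", 40000, 80)
WEB_REPLY = Packet("tcp", "198.51.100.7", "10.0.0.5", 80, 40000, True)
```

Running the thread's two candidate lines through it shows that "permit tcp any any eq 80" passes the outbound request while "permit tcp any eq 80 any" passes only traffic sourced from port 80, such as the reply.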

> Thanks, 
> 
> Mario Puras 
> SoluNet Technical Support
> Mailto: [EMAIL PROTECTED]
> Direct: (321) 309-1410  
> 888.449.5766 (USA) / 888.SOLUNET (Canada) 
> 
> -----Original Message-----
> From: Sabertech Cisco Training [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 30, 2002 4:16 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco 1700 Access List [7:59975]
> 
> 
> To allow out only traffic sourced from TCP port 80:
> 
> !
> access-list 100 permit tcp any eq 80 any
> !
> interface serial 0
>  ip access-group 100 out
> !
> 
> That's how you would do it, but it's extremely unusual
> to suppress traffic based on source ports...
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of
> James Gruggett
> Sent: Monday, December 30, 2002 12:27 PM
> To: [EMAIL PROTECTED]
> Subject: Cisco 1700 Access List [7:59975]
> 
> Hi Everyone,
> 
> I have a 1700 Cisco router connected to a T1. I would like to lock it
> down and only allow port 80 to transmit data for security purposes.
> 
> Any suggestions would be great.
> 
> Thanks
> 
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59996&t=59975
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]