Hello:
Your problem is that every Cisco access-list has an implied
deny ip any any
configured as its last rule (by default); in other words, you do not have
to include it, it is included automatically. So when you applied your
access-list to serial0 (the outside interface), for every incoming packet
you permitted only what was specifically permitted and denied everything
else. Hope this helps.
Gerardo.
>
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
> access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 22
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 25
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
> access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
>
> We allow inbound ssh, smtp and dns queries (plus tcp requests and zone
> transfer requests from our secondary). Response packets are allowed in on
> unpriv ports. Outbound access is not limited at the router (the firewall's
> proxies take care of that) and icmp is unrestricted. In my mind, this list
> is intended as a screen to protect the firewall from Internet nonsense.
>
> I initially placed this list on the serial connection, which is the
> incoming isdn. I had defined it as 'ip access-group 102 in', which
> promptly cut off all access. I then placed it on the ethernet port as 'ip
> access-group 102 out', which appears to work as it should.
>
> Questions:
>
> 1. Why did the first definition not work? I would have thought either
> definition would work the same.
>
> 2. What am I missing here? What else should I include (as a rule), and why?
>
> Cheers!
> Jon
> -----------------------------------------------------------------
> Jon Earle (613) 612-0946 (Cell)
> HUB Computer Consulting Inc. (613) 830-1499 (Office)
> http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)
>
> "God does not subtract from one's alloted time on Earth,
> those hours spent flying." --Unknown
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
*******************************************************************************
Ing. Gerardo Soto Casados
Compu-Redes
Labastida # 37 Esq. Tijuana
San Martin Texmelucan Puebla
Tel. y Fax (012)4845888
e-mail: [EMAIL PROTECTED]
http://www.compu-redes.net.mx
*******************************************************************************
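Added example, not part of either message in this thread: a small Python evaluator for the IOS extended-ACL semantics Gerardo describes (top-down, first match wins, implicit "deny ip any any" at the end), run against Jon's list 102 as posted. 192.0.2.3 (an RFC 5737 documentation address) stands in for the redacted x.x.x.3, 192.0.2.1 is an assumed address for the router's own serial interface, and the sample packets are constructed. Two things fall out of the list as written: ICMP is never permitted, so with the list applied inbound on serial0 it is dropped by the implicit deny despite the intent that icmp be unrestricted, and anything addressed to the router itself (rather than to x.x.x.3) is also dropped. An outbound ACL on the ethernet interface only sees packets being forwarded out that interface, never packets addressed to the router, which is one reason the two placements behave differently.

```python
"""First-match evaluator for IOS extended ACL lines (added example, not
from the original post). Models top-down first-match evaluation, the
implicit 'deny ip any any', wildcard-mask matching (1 bits = don't care)
and the eq/gt/lt destination-port operators used in Jon's list."""
import ipaddress

# Jon's list 102, with 192.0.2.3 substituted for the redacted x.x.x.3.
ACL_102 = """
access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.2.3 0.0.0.0 gt 1023
access-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.2.3 0.0.0.0 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.2.3 0.0.0.0 eq 22
access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.2.3 0.0.0.0 eq 25
access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.2.3 0.0.0.0 eq 53
access-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.2.3 0.0.0.0 eq 53
"""

FIREWALL = "192.0.2.3"   # stand-in for x.x.x.3
ROUTER = "192.0.2.1"     # assumed address of the router's serial interface
INTERNET = "198.51.100.7"  # constructed remote host

# Constructed packets as they would arrive inbound on the serial interface.
SAMPLES = {
    "ssh_to_firewall":     {"proto": "tcp",  "src": INTERNET, "dst": FIREWALL, "dport": 22},
    "zone_xfer_tcp53":     {"proto": "tcp",  "src": INTERNET, "dst": FIREWALL, "dport": 53},
    "dns_reply_high_port": {"proto": "udp",  "src": INTERNET, "dst": FIREWALL, "dport": 34567},
    "http_to_firewall":    {"proto": "tcp",  "src": INTERNET, "dst": FIREWALL, "dport": 80},
    "icmp_echo_firewall":  {"proto": "icmp", "src": INTERNET, "dst": FIREWALL},
    "ssh_to_router":       {"proto": "tcp",  "src": INTERNET, "dst": ROUTER,   "dport": 22},
}


def _match_addr(addr, pattern, wildcard):
    """Wildcard-mask compare: address bits under a 1 in the mask are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (p & ~w)


def parse_acl(text):
    """Parse 'access-list N permit|deny proto src swild dst dwild [op port]'."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 8 or f[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        entry = {"action": f[2], "proto": f[3], "src": (f[4], f[5]),
                 "dst": (f[6], f[7]), "op": None, "port": None}
        if len(f) >= 10:
            entry["op"], entry["port"] = f[8], int(f[9])
        entries.append(entry)
    return entries


def _port_ok(op, port, dport):
    if op is None:
        return True
    if op == "eq":
        return dport == port
    if op == "gt":
        return dport > port
    if op == "lt":
        return dport < port
    raise ValueError(f"unsupported operator {op}")


def evaluate(entries, packet):
    """Return (action, index) for the first matching entry; index -1 means
    the packet fell through to the implicit 'deny ip any any'."""
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not _match_addr(packet["src"], *e["src"]):
            continue
        if not _match_addr(packet["dst"], *e["dst"]):
            continue
        if e["proto"] in ("tcp", "udp") and not _port_ok(
                e["op"], e["port"], packet.get("dport")):
            continue
        return e["action"], i
    return "deny", -1


def classify_samples():
    """Map each constructed packet to permit/deny under list 102."""
    acl = parse_acl(ACL_102)
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22s} {verdict}")
```

The evaluator treats a line with no port operator as matching any destination port and stops at the first hit, which is exactly why the order of permit lines does not matter here but the missing icmp and "to the router" cases do.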