List: inet-access
Subject: Re: simple cisco q
From: Andy Walden <andy () tigerteam ! net>
Date: 2000-12-29 2:22:39
I would expect under Filters - Input Filters you could fill it out like
this:
Type=IP
Src Mask=0.0.0.0
Src Adrs=0.0.0.0
Dst Mask=255.255.255.255
Dst Adrs=proxy-ip
Protocol=6
Src Port Cmp=None
Src Port #=N/A
Dst Port Cmp=Eql
Dst Port #=8080
TCP Estab=N/A
Then do a similar filter allowing your own network. I didn't test this.
andy
On Thu, 28 Dec 2000 netlink@netlinkcorp.com wrote:
> A 6000 series Lucent NAS
>
> R. Hall
>
>
> Andy Walden wrote:
> >
> > This would be a 4xxx/6xxx or a TNT?
> >
> > andy
> >
> > On Thu, 28 Dec 2000 netlink@netlinkcorp.com wrote:
> >
> > > I am looking to do something very similar but with
> > > an Ascend/Lucent NAS. Anyone have a list or reference available?
> > > Thanks.
> > > -------
> > > R. Hall
> > > NET-LINK Corp.
> > >
> > >
> > >
> > >
> > > Tim Wolfe wrote:
> > > >
> > > > If you didn't include a permit statement, you will block everything.
> > > > Remember, Cisco ACLs have an implied "deny ip any any" at the end... What
> > > > you probably need is more like:
> > > >
> > > > !
> > > > access-list 101 deny tcp any host a.b.c.d eq 8080 log
> > > > access-list 101 permit ip any any
> > > > !
> > > > int serial 0/0
> > > > ip access-group 101 in
> > > > !
> > > > end
> > > >
> > > > Notice that the proxy port 8080 has to be the destination port, not source.
> > > > It is also usually a good idea to log who is trying to do Bad Things(tm)...
> > > >
> > > > HTH,
> > > >
> > > > --Tim
> > > >
> > > > =============================================
> > > > Timothy M. Wolfe CCNA, NSA
> > > > Sr. Security Engineer tim@ignw.com
> > > > InfoGroup Northwest 541.485.0957 x108
> > > > =============================================
> > > >
> > > > -----Original Message-----
> > > > From: jp@pour.midcoast.com [mailto:jp@pour.midcoast.com]
> > > > Sent: Thursday, December 28, 2000 2:58 PM
> > > > To: list@inet-access.net
> > > > Subject: simple cisco q
> > > >
> > > > Are there any mailing lists for cisco routers? I am aware of a cisco-NAS
> > > > list.
> > > >
> > > > Anyway, here's a stupid little question about access lists. I'm trying to
> > > > block offsite internet users from using a proxy server - a.b.c.d port
> > > > 8080. It's blocking it, and everything else too, so that's a problem.
> > > >
> > > > Obviously, I messed something up in the access-list command, but can't
> > > > figure out what. (The proxy server does not let me control who can access
> > > > it)
> > > >
> > > > TIA,
> > > > Jason
> > > >
> > > > zoombrew3(config)#access-list 101 deny tcp any eq 8080 host a.b.c.d log
> > > > zoombrew3(config)#^Z
> > > > zoombrew3#conf t
> > > > Enter configuration commands, one per line. End with CNTL/Z.
> > > > zoombrew3(config)#int serial0/0
> > > > zoombrew3(config-if)#ip access-group 101 in
> > > >
> > > > zoombrew3(config-if)#^Z
> > > >
> > > > now the whole a.b.c.0/24 doesn't work for anything.
> > > >
> > > > zoombrew3#conf t
> > > > Enter configuration commands, one per line. End with CNTL/Z.
> > > > zoombrew3(config)#int serial0/0
> > > > zoombrew3(config-if)#no ip access-group 101 in
> > > > zoombrew3(config-if)#^Z
> > > >
> > > > back to normal......
> > > >
> > > > grep'd from the running config:
> > > > access-list 101 deny tcp any eq 8080 host 12.25.52.5 log
> > > >
> > > > -
> > > > List archives can be found at: <http://www.moongroup.com/inet.php>
> > > > Send 'unsubscribe' in the body to 'list-request@inet-access.net' to leave.
> > > > Eat sushi frequently. inet@inet-access.net is the human contact address.
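An added example, not written by anyone in the thread: a minimal Python model of extended-ACL evaluation (first match wins, implicit deny at the end), run over the original list from the question and a corrected list that denies TCP to destination port 8080 and then permits everything else. The proxy address 192.0.2.5, the other addresses and the three packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PROXY = "192.0.2.5"  # constructed stand-in for a.b.c.d


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dst: Optional[str] = None    # None means "any"
    sport: Optional[int] = None  # "eq" test on the source port
    dport: Optional[int] = None  # "eq" test on the destination port

    def matches(self, pkt):
        return ((self.proto in ("ip", pkt["proto"]))
                and self.dst in (None, pkt["dst"])
                and self.sport in (None, pkt.get("sport"))
                and self.dport in (None, pkt.get("dport")))


def evaluate(acl, pkt):
    """Return (action, which entry decided); entries are checked in order."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, f"line {number}"
    return "deny", "implicit"    # the unwritten "deny ip any any"


# access-list 101 deny tcp any eq 8080 host a.b.c.d log
ORIGINAL = [Rule("deny", "tcp", dst=PROXY, sport=8080)]
# access-list 101 deny tcp any host a.b.c.d eq 8080 log
# access-list 101 permit ip any any
CORRECTED = [Rule("deny", "tcp", dst=PROXY, dport=8080),
             Rule("permit", "ip")]

# Constructed inbound packets: a proxy request, ordinary web, and DNS.
PACKETS = {
    "proxy": {"proto": "tcp", "dst": PROXY, "sport": 40000, "dport": 8080},
    "web": {"proto": "tcp", "dst": "192.0.2.10", "sport": 40001, "dport": 80},
    "dns": {"proto": "udp", "dst": "192.0.2.53", "sport": 40002, "dport": 53},
}


def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("original :", verdicts(ORIGINAL))
    print("corrected:", verdicts(CORRECTED))
```

With the original list, every packet is dropped by the implicit deny; the explicit entry never matches because clients connect from ephemeral source ports, not from 8080.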