List:       inet-access
Subject:    Re: simple cisco q
From:       Andy Walden <andy () tigerteam ! net>
Date:       2000-12-29 2:22:39


I would expect under Filters - Input Filters you could fill it out like
this:

Type=IP
Src Mask=0.0.0.0
Src Adrs=0.0.0.0
Dst Mask=255.255.255.255
Dst Adrs=proxy-ip
Protocol=6
Src Port Cmp=None
Src Port #=N/A
Dst Port Cmp=Eql
Dst Port #=8080
TCP Estab=N/A

Then do a similar filter allowing your own network. I didn't test this.

andy

On Thu, 28 Dec 2000 netlink@netlinkcorp.com wrote:

> A 6000 series Lucent NAS
> 
> R. Hall
> 
> 
> Andy Walden wrote:
> > 
> > This would be a 4xxx/6xxx or a TNT?
> > 
> > andy
> > 
> > On Thu, 28 Dec 2000 netlink@netlinkcorp.com wrote:
> > 
> > > I am looking to do something very similar but with
> > > an Ascend/Lucent NAS. Anyone have a list or reference available?
> > > Thanks.
> > > -------
> > > R. Hall
> > > NET-LINK Corp.
> > >
> > >
> > >
> > >
> > > Tim Wolfe wrote:
> > > >
> > > > If you didn't include a permit statement, you will block everything.
> > > > Remember, Cisco ACLs have an implied "deny ip any any" at the end...  What
> > > > you probably need is more like:
> > > >
> > > > !
> > > > access-list 101 deny tcp any host a.b.c.d eq 8080 log
> > > > access-list 101 permit ip any any
> > > > !
> > > > int serial 0/0
> > > >  ip access-group 101 in
> > > > !
> > > > end
> > > >
> > > > Notice that the proxy port 8080 has to be the destination port, not source.
> > > > It is also usually a good idea to log who is trying to do Bad Things(tm)...
> > > >
> > > > HTH,
> > > >
> > > > --Tim
> > > >
> > > > =============================================
> > > >       Timothy M. Wolfe  CCNA, NSA
> > > >  Sr. Security Engineer  tim@ignw.com
> > > >    InfoGroup Northwest  541.485.0957 x108
> > > > =============================================
> > > >
> > > > -----Original Message-----
> > > > From: jp@pour.midcoast.com [mailto:jp@pour.midcoast.com]
> > > > Sent: Thursday, December 28, 2000 2:58 PM
> > > > To: list@inet-access.net
> > > > Subject: simple cisco q
> > > >
> > > > Are there any mailing lists for cisco routers? I am aware of a cisco-NAS
> > > > list.
> > > >
> > > > Anyway, here's a stupid little question about access lists. I'm trying to
> > > > block offsite internet users from using a proxy server - a.b.c.d port
> > > > 8080. It's blocking it, and everything else too, so that's a problem.
> > > >
> > > > Obviously, I messed something up in the access-list command, but can't
> > > > figure out what. (The proxy server does not let me control who can access
> > > > it)
> > > >
> > > > TIA,
> > > > Jason
> > > >
> > > > zoombrew3(config)#access-list 101 deny tcp any eq 8080 host a.b.c.d log
> > > > zoombrew3(config)#^Z
> > > > zoombrew3#conf t
> > > > Enter configuration commands, one per line.  End with CNTL/Z.
> > > > zoombrew3(config)#int serial0/0
> > > > zoombrew3(config-if)#ip access-group 101 in
> > > >
> > > > zoombrew3(config-if)#^Z
> > > >
> > > > now the whole a.b.c.0/24 doesn't work for anything.
> > > >
> > > > zoombrew3#conf t
> > > > Enter configuration commands, one per line.  End with CNTL/Z.
> > > > zoombrew3(config)#int serial0/0
> > > > zoombrew3(config-if)#no ip access-group 101 in
> > > > zoombrew3(config-if)#^Z
> > > >
> > > > back to normal......
> > > >
> > > > grep'd from the running config:
> > > > access-list 101 deny   tcp any eq 8080 host 12.25.52.5 log
> > > >
> > > > -
> > > > List archives can be found at: <http://www.moongroup.com/inet.php>
> > > > Send 'unsubscribe' in the body to 'list-request@inet-access.net' to leave.
> > > > Eat sushi frequently.   inet@inet-access.net is the human contact address.


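To make the two points in the thread concrete (a port qualifier placed after the source address matches the source port, and an ACL with no permit entry drops everything via the implied deny), here is an added example that is not part of the thread: a small evaluator for the extended-ACL subset the messages use. The addresses and packets are constructed; the real proxy address from the thread is not used.

```python
# Added example, not code from the thread: an evaluator for the Cisco
# extended-ACL subset used above ('any' / 'host A.B.C.D', optional 'eq port',
# first match wins, implicit deny at the end).  Addresses are constructed.
from typing import List, Optional, Tuple

def _addr(t: List[str]) -> Tuple[Optional[str], int]:
    """'any' -> (None, 1); 'host A.B.C.D' -> ('A.B.C.D', 2)."""
    if t[0] == "any":
        return None, 1
    if t[0] == "host":
        return t[1], 2
    raise ValueError(f"unsupported address form: {t[0]}")

def _port(t: List[str]) -> Tuple[Optional[int], int]:
    """Optional 'eq N' qualifier -> (N, 2); absent -> (None, 0)."""
    return (int(t[1]), 2) if t and t[0] == "eq" else (None, 0)

def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [log]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = t[2], t[3], t[4:]
    src, n = _addr(rest);   rest = rest[n:]
    sport, n = _port(rest); rest = rest[n:]   # 'eq' here qualifies the SOURCE port
    dst, n = _addr(rest);   rest = rest[n:]
    dport, n = _port(rest); rest = rest[n:]   # 'eq' here qualifies the DESTINATION port
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": "log" in rest}

def evaluate(acl: List[str], pkt: dict) -> str:
    """Return 'permit' or 'deny' for pkt; no matching entry means the implicit deny."""
    for a in map(parse_ace, acl):
        if a["proto"] not in ("ip", pkt["proto"]):
            continue
        if a["src"] not in (None, pkt["src"]) or a["dst"] not in (None, pkt["dst"]):
            continue
        if a["sport"] not in (None, pkt["sport"]) or a["dport"] not in (None, pkt["dport"]):
            continue
        return a["action"]
    return "deny"  # implied 'deny ip any any' at the end of every Cisco ACL

# Jason's entry: 'eq 8080' sits on the source, so a client with an ephemeral
# source port never matches, and with no permit line everything is dropped.
BROKEN_ACL = ["access-list 101 deny tcp any eq 8080 host 192.0.2.5 log"]
# Tim's shape (with the 'tcp' keyword): port on the destination, then permit the rest.
FIXED_ACL = ["access-list 101 deny tcp any host 192.0.2.5 eq 8080 log",
             "access-list 101 permit ip any any"]
PROXY_ATTEMPT = {"proto": "tcp", "src": "198.51.100.7", "sport": 51234, "dst": "192.0.2.5", "dport": 8080}
ORDINARY_WEB = {"proto": "tcp", "src": "198.51.100.7", "sport": 51235, "dst": "192.0.2.9", "dport": 80}
```

Running `evaluate` over both ACLs shows the broken list denying the ordinary web request as well as the proxy attempt, while the fixed list denies only the proxy attempt.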