www.unix.org.ua

[jfraasch]

I have not done a whole lot of access-lists before.
I have Cisco 3560 switch and I need to add an access-list. Basically I have six servers that are logged into remotely:

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6

Users are able to SSH to the servers from the Corporate LAN. However, when people get to the servers I need to make sure they get locked down. Once logged in, I don't want them to be able to SSH, Telnet, or FTP from those boxes to another part of the network. I don't care if they monkey around on the actual subnet, but I just don't want them to be able to source SSH/FTP/Telnet from those boxes to another part of the network.

Understanding that SSH is used to reach the servers, how can I (or can I) lock this down with an access-list.


Thanks in advance for any help you can provide.
James

[jon_marshall]

James

access-list 101 deny tcp host 10.0.0.1 any eq 21
access-list 101 deny tcp host 10.0.0.1 any eq 22
access-list 101 deny tcp host 10.0.0.1 any eq 23
etc.. for each 10.0.0.x host
access-list 101 permit ip any any

then on the vlan interface for 10.0.0.x network - access-group 101 in

Note that the permit ip any any at the end allows all other traffic from the 10.0.0.x network including traffic from the servers 10.0.0.1 -> 6 that isn't ftp/ssh or telnet out to the rest of the network.


Jon

[jfraasch]

Thanks for the quick reply.
Would this however block the ability of 10.0.0.1 to SSH/Telnet to 10.0.0.2?


James

[jon_marshall]

James

No it wouldn't which i think is what you want. It will only affect traffic leaving the 10.0.0.x subnet for other subnets.


Jon

[jfraasch]

Duh, that's what the "in" means. Like I said, access-list impaired over here!
Perfect. Again thanks for the help.


James