IP Named Extended ACL with Wildcard Masking using TCP, IP and ICMP Protocol
NOTE: DNS configuration should be done on the Server, namely an A (Host) resource record must be created.
On the PC, the DNS server IP must be added, and in the URL the A record name should be used rather than the numerical IP, as we are resolving names... wonder how PTR records behave...
1. Only UDP works, and the UDP port is matched only on the DNS Server side.
2. The ACL can be applied on either the Client side or the Server side, but the port matched should be UDP, not TCP.
3. Only the Server's DNS UDP port.
Router(config)#ip access-list extended 110
Router(config-ext-nacl)#1 deny tcp 192.168.1.0 0.0.0.7 host 192.168.2.2 eq 80
Router(config-ext-nacl)#2 deny ip 192.168.1.11 0.0.0.7 host 192.168.2.2
Router(config-ext-nacl)#3 deny icmp 192.168.1.20 0.0.0.7 host 192.168.2.2
Router(config-ext-nacl)#4 deny udp 192.168.1.24 0.0.0.7 host 192.168.2.2 eq domain
Router(config-ext-nacl)#5 permit ip any any
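As an added example (not from the post), a small Python model of IOS wildcard matching and first-match ACE evaluation, applied to ACL 110 above. It shows which hosts a line like 192.168.1.11 0.0.0.7 really covers (the 0.0.0.7 wildcard aligns to .8-.15, and IOS displays the normalized base address), and that an unmatched packet falls through to the implicit deny when no permit ip any any is present.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: str                    # "A.B.C.D W.X.Y.Z", "host A.B.C.D" or "any"
    dst: str
    dst_port: Optional[int] = None   # the "eq <port>" on the destination, tcp/udp only

def addr_matches(spec: str, ip: str) -> bool:
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(ip)
    base, wild = spec.split()
    base, wild, ip = (int(ipaddress.ip_address(x)) for x in (base, wild, ip))
    care = 0xFFFFFFFF ^ wild            # bits that must be equal
    return (base & care) == (ip & care)

def evaluate(acl, proto, src, dst, dst_port=None):
    """First matching ACE wins and returns (action, line); no match = implicit deny."""
    for line, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (addr_matches(ace.src, src) and addr_matches(ace.dst, dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, line
    return "deny", None

# ACL 110 from the post, transcribed (eq 80 -> 80, eq domain -> 53)
ACL_110 = [
    Ace("deny", "tcp", "192.168.1.0 0.0.0.7", "host 192.168.2.2", 80),
    Ace("deny", "ip", "192.168.1.11 0.0.0.7", "host 192.168.2.2"),
    Ace("deny", "icmp", "192.168.1.20 0.0.0.7", "host 192.168.2.2"),
    Ace("deny", "udp", "192.168.1.24 0.0.0.7", "host 192.168.2.2", 53),
    Ace("permit", "ip", "any", "any"),
]

def covered_hosts(spec: str) -> list:
    # last-octet values in 192.168.1.0/24 that a "base wildcard" spec covers
    return [h for h in range(256) if addr_matches(spec, f"192.168.1.{h}")]

if __name__ == "__main__":
    print(covered_hosts("192.168.1.11 0.0.0.7"))    # [8, ..., 15], not .11-.18
    print(evaluate(ACL_110, "udp", "192.168.1.25", "192.168.2.2", 53))  # ('deny', 4)
```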
NOTE: UDP is blocked here as the ACL is applied on the client side.
Note: UDP can also be blocked on the other side, incoming on Router2 port g0/1:
Router(config)#access-list 110 deny udp any eq 53 any
Router(config)#access-list 110 permit ip any any
Router(config)#int g0/1
Router(config-if)#ip access-group 110 in
Others to note: the protocol keywords available in an extended ACL entry, e.g. UDP, OSPF etc.
Router(config-ext-nacl)#1 permit ?
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Note also: DNS is used, and the configuration is on the PCs and the Server.
53 - DNS Server (TCP), DNS Client (UDP)
NOTE: To block the site from opening on the PCs, UDP must be blocked in the ACL, not TCP, as UDP is what the DNS Client uses.