topic access-list problem ? in Network Security

access-list problem ?

ramon — Tue, 12 Mar 2019 01:05:02 GMT

Hello, I/m having problems getting an access-list to work.With the access-group 104 in i lose my internet connectivity.

Here's the config. If i remove the access-group 104 in from the gigabitinterface0/0 all works but I want to have the settings on this interface.

What am I missing ?

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 15000
no logging console
!
no aaa new-model
!
clock timezone CET 1 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 172.17.1.1 172.17.1.30
ip dhcp excluded-address 172.17.1.240 172.17.1.254
ip dhcp excluded-address 172.17.3.1 172.17.3.30
ip dhcp excluded-address 172.17.3.240 172.17.3.254
!
ip dhcp pool VLAN1
network 172.17.1.0 255.255.255.0
domain-name r1.local
default-router 172.17.1.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
!
ip dhcp pool VLAN100
network 172.17.3.0 255.255.255.0
domain-name r1_Guest
default-router 172.17.3.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
!
!
ip domain name r1.lan
ip name-server 212.54.40.25
ip name-server 212.54.35.25
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!

!
!
object-group network temp

description dummy addresses
1.1.1.1 255.255.255.0

2.2.2.2 255.255.255.0
!
object-group network vlan1-lan
172.17.1.0 255.255.255.0
!
object-group network vlan100-guest
172.17.3.0 255.255.255.0
!
object-group network ziggo-dns
host 212.54.40.25
host 212.54.35.25
!

!
redundancy
!
!
!
!
ip ssh version 2
!

!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip access-group 104 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description r1.local lan
ip address 172.17.1.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description Vlan100 r1_Guest
encapsulation dot1Q 100
ip address 172.17.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 172.17.2.0 255.255.255.0 172.17.1.253
!
access-list 23 permit 172.17.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip any object-group vlan100-guest
access-list 102 permit ip any any log

access-list 103 deny ip any object-group vlan1-lan
access-list 103 permit ip any any

access-list 104 permit tcp any any eq 22
access-list 104 permit udp any any eq snmp

access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp object-group temp any echo
access-list 104 permit icmp 172.17.1.0 0.0.0.255 any

access-list 104 deny ip any any log
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
login local
no activation-character
no exec
transport preferred none
transport input ssh
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
login local
transport input ssh
!
scheduler allocate 20000 1000
end

access-list problem ?

Maykol Rojas — Mon, 25 Feb 2013 23:21:16 GMT

Hi Ramon,

What is the purpose of the ACL? The question goes beucase there are sometings wide opened there. Basically, what is happening is that when the traffic goes out, the reply is being denied by the ACL. It really depends on what you want to block back in.

Let us know what is the purpose of the ACL and then we can give you suggestions to modify the ACL.

Mike

access-list problem ?

ramon — Tue, 26 Feb 2013 11:47:42 GMT

Hello Maykol,

The purpose of the acl 104 is to restrict the public interface to allow monitoring from for example the temp object network group to the router.

Idea is to filter public internet --> public router.

As you mentioned already when the acl 104 is applied to the int 0/0 things get blocked.

Later i will adjust the acl 102 and 103 to allow the 2 subnets only specific ports/protocols.

Can you give me a idea how to setup what i want ?

Thanks !

access-list problem ?

Maykol Rojas — Tue, 26 Feb 2013 17:24:27 GMT

Allow them Inbound? Well, there is an easy fix for this instead of modifying the ACL.

Do the following,

Ip inspect name FW tcp

Ip inspect name FW udp

Ip inspect name FW icmp

interface GigabitEthernet0/1

ip inspect FW in

Apply the ACL and let us know.

Mike

access-list problem ?

ramon — Wed, 27 Feb 2013 00:05:29 GMT

Hello,

I applied the rules and that works.

Only thing i have now.

Reboot router.

Interface 0/0 gets no dhcp address from isp.

I have to remove the 104 in from int 0/0

Then Router logs : %DHCP -6 - ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x,hostname r01

Int0/0 gets dhcp ip address, next i apply the acl 104 in to int 0/0 and all works until the next reboot.

Maybe i have to put in a static ip address on int0/0 ?

Thanks for your help !

access-list problem ?

Maykol Rojas — Wed, 27 Feb 2013 00:28:54 GMT

Hi Ramon,

Modify the following;

No ip inspect name FW udp

Ip inspect name FW udp router-traffic

Mike

access-list problem ?

ramon — Wed, 27 Feb 2013 07:54:10 GMT

Ok i will try this today.

Last questions

1) Can you provide me a rule for the acl 102 that allows the subnet 172.17.1.0 to only http, https inside --> outside

2) Can you provide me a rule for a local server to only allow smtp

3) The NAT rules for this

Thank you !!

access-list problem ?

ramon — Wed, 27 Feb 2013 20:07:27 GMT

Ok :

the dhcp was the following problem :

access-list 104 permit udp any any eq bootpc

Now the int 0/0 gets an ip after a reboot of the router.

Also i put the :

ip inspect FW in

ip inspect FW out

on int 0/0 0/1 and 0/1.1

Changed the acl 102 and acl 103 to allow specific traffic and all works fine now !

Thanks for helping me out !!