Access-list on 804 ISDN Router

rlr685rlr
Level 1

I have a rural customer using an 804 ISDN router for a simple four-workstation LAN to WAN connection. The customer wishes to deny access from one workstation to the WAN.

I have a standard access-list that permits the internal network "out", of course. I have a dialer-list 1 protocol ip list 100 to prevent dial-out activation by netbios "hello's", etc. And I have an extended access-list "in" applied to the dialer interface to stealth ports.

I've tried standard access-lists, extended access-lists (following rules of number of access-lists permitted in or out, etc.), changing dialer-list arguments, applying lists to e0 as well as the common-sense interface, and I either block all of the workstations from the WAN, or all workstations including the one to be blocked still have access to the WAN.

Is there something about the 804 and software (v12) that doesn't allow a single workstation to be denied access out?

Accepted Solution

Richard Burts
Hall of Fame

I do not have direct experience with the 804 router and so cannot answer your question from experience. But I think that it is very unlikely that there is something about the 804 or its software that would not allow you to deny a single workstation.

The dialer-list 1 protocol ip list 100 is not the place to try to deny the traffic. It only would prevent traffic from bringing up the link. Once the link is up, the traffic from the workstation would be able to flow. I would think that an access list inbound on the interface where the workstations connect would be the optimum solution. And I think it should work to include it in the extended list "in" on the dialer.

Perhaps if you supplied some information about the topology and what you have configured in the access lists we could find an answer to your issue.

HTH

Rick


5 Replies


Thanks mate,

I thought this would be so easy that I didn't record what lists and interface apps weren't working, so I think I became disorganized and never did use:

access-list 2 deny xxx.xxx.xxx.xxx
access-list 2 permit any
int e0
ip access-group 2 in

Kind of "Cisco Access Lists 101" in a classroom sort of way, isn't it?

I have a little trouble following the logic of packet flow through the 804 ISDN router, too. And I tend to shy away from doing much on the Ethernet interface because physically, four Ethernet interfaces are available but logically, only Ethernet 0 is available. Another confusing point for me. (More like a hub, really.)

Anyway, the simplicity of a standard access-list that could be applied and removed easily, instead of rewriting (copying from text editor) the long list of extended access-lists allows me to show the customer how to self-help a little, too.

Rick
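Putting the two points above together, as an added example that is not the original poster's configuration and not Cisco documentation: the dialer-list decides only which traffic may bring the ISDN link up, and the real block is a two-line standard list applied inbound on Ethernet0. The addresses (192.0.2.0/24, blocked host 192.0.2.50), the netbios entries in list 100 and the number 101 for the existing extended "stealth" list are assumed.

```cisco
! Constructed addresses: LAN 192.0.2.0/24, workstation to be blocked 192.0.2.50.
!
! 1. Interesting-traffic definition. This list is consulted by DDR only to decide
!    whether a packet may dial the link. A "deny" here stops netbios chatter from
!    dialing; it does NOT stop that traffic once the link is already up.
access-list 100 deny   udp any any eq netbios-ns
access-list 100 deny   udp any any eq netbios-dgm
access-list 100 deny   tcp any any eq 139
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100
!
! 2. The actual block: a standard list, inbound, on the LAN-facing interface,
!    because that is where the workstation's packets enter the router.
!    A standard list matches the SOURCE address only. Omitting the wildcard mask
!    means 0.0.0.0, i.e. exactly one host. Every list ends with an implicit
!    "deny any", so the permit line is mandatory or all four workstations lose
!    the WAN (one of the two failure modes described in the question).
access-list 2 deny   192.0.2.50
access-list 2 permit any
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 2 in
!
! 3. WAN side unchanged: the existing extended inbound list stays on the dialer
!    interface (101 is a placeholder for that list's number), and dialer-group 1
!    ties the interface to the interesting-traffic list above.
interface Dialer0
 dialer-group 1
 ip access-group 101 in
!
! Verification (exec mode): the deny line's match counter increments when the
! blocked host sends traffic; the other hosts hit the permit line.
!   show ip access-lists 2
!   show dialer
```

Because the four hub ports of the 804 share the single logical Ethernet0, traffic between the workstations themselves never passes through the router and is not touched by list 2; only traffic routed out (to the WAN, or to the router's own addresses) is filtered.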

I think I take it from your response that my answer helped you get to a solution that worked. Is that right?

If so I will emphasize your point that it is helpful to be clear about what works and what does not. And if I misunderstand, then we need to circle round and tackle it again.

Packet flow on almost any router gets more simple if you think from the perspective of the router (on any particular interface) what addresses would logically be source addresses (address of packets that flow from end stations to the router) and everything else must be destination addresses.

I agree that it is somewhat more complex if the device has multiple physical interfaces (ports) and some (or one) logical interfaces. But when this is the case access lists can only work on logical (layer 3) interfaces.

I am not sure how to respond to your comment comparing standard and extended access lists. It is true that standard access lists are conceptually more simple than extended access lists. But the process of changing and maintaining them is quite similar. To make changes you must remove the existing access list and then create the new version of the access list.

HTH

Rick

Your suggestion to use the e0 "in" resolved the problem.

A number of us administrators would save some time if we just activated the log or the "capture text" every time we're configuring, instead of assuming, "It's going to be easy, no log necessary." I wasn't leaving myself an audit of what wasn't working.

Oh, application of standard versus extended access-lists is essentially the same task as far as I'm concerned. However, my customer was a little overwhelmed when he saw me copying about 15 lines of extended access-list statements from a text editor and pasting them to the router CLI, and then entering a few more commands. The standard access-list being two lines seemed to put him at ease that he could bring the workstation online to the WAN on the weekends, without my help. Still the same copy and paste function, but you know how things can be perceived by the novice.

Thanks again. I "red checked" the topic and maxed the rating.

Rick

I agree that perception drives things for users and customers and they may perceive a short list as easy and safe where they think a longer list is more complex and therefore more dangerous. And if a short standard list does what is necessary so much the better.

I do appreciate the rating.

Keep up your participation in the forums.

HTH

Rick