Access control List

osamafaheem1974
Level 1

Hello,

I want to create an access control list on a router that does the following:

 

1) Access control list to deny all inbound traffic with network addresses matching internal registered IP addresses

2) Deny all ICMP echo request traffic

3) Deny all inbound Microsoft Active Directory

4) Deny all inbound Microsoft SQL Server ports

5) Deny all Microsoft domain local broadcast

6) Allow traffic to SMTP server

7) Allow traffic to internal IMAP server

I also have to remove this line from my start-up configuration:

ip nat inside source list 100 interface Serial1/0 overload

My Router0 configuration is as follows:

Router#show run
Router#show running-config
Building configuration...

Current configuration : 1344 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 10.1.11.10 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 standby 1 ip 10.1.11.12
 standby 1 priority 110
 standby 1 preempt
!
interface Serial1/0
 ip address 203.1.1.2 255.255.255.0
 ip nat outside
!
interface Serial1/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/2
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/3
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/4
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/5
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/6
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/7
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface Serial1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.1.1.1
ip route 10.1.20.0 255.255.255.0 10.1.11.1
!
ip flow-export version 9
!
!
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

29 Replies

Is the default gateway of the 8.8.8.8 server 8.8.8.1?
Can 8.8.8.8 ping 203.1.1.1?

Which router is your traffic routed out of? Can you see if the traffic is being NATed? Ping from one of the PCs and run "show ip nat translations" on the router that the traffic is routed through.

Yes, it can ping 203.1.1.1 and the default gateway is 8.8.8.1.

What is the output?

Is that traffic going out of the router you've displayed the ip nat translations for? I'd expect to see a translation for the ICMP traffic.

Which router is the primary? Please show the output of "show standby".

Router#show standby
FastEthernet0/1 - Group 1
State is Active
5 state changes, last state change 00:00:27
Virtual IP address is 10.1.11.12
Active virtual MAC address is 0000.0C07.AC01
Local virtual MAC address is 0000.0C07.AC01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.993 secs
Preemption enabled
Active router is local
Standby router is 10.1.11.11, priority 100 (expires in 6 sec)
Priority 110 (configured 110)
Group name is hsrp-Fa0/1-1 (default)

Please upload the running-config

Router#show running-config
Building configuration...

Current configuration : 2205 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$Hx2QiWoH8y5il7TEorRvk/
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 10.1.11.10 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 standby 1 ip 10.1.11.12
 standby 1 priority 110
 standby 1 preempt
!
interface Serial1/0
 ip address 203.1.1.2 255.255.255.0
 ip access-group WAN_ACL in
 ip nat outside
!
interface Serial1/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/2
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/3
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/4
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/5
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/6
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial1/7
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface Serial1/0 overload
ip nat inside source static tcp 10.1.11.20 25 203.1.1.2 25
ip nat inside source static tcp 10.1.11.20 143 203.1.1.2 143
ip nat inside source static tcp 10.1.11.20 993 203.1.1.2 993
ip classless
ip route 0.0.0.0 0.0.0.0 203.1.1.1
ip route 10.1.20.0 255.255.255.0 10.1.11.1
!
ip flow-export version 9
!
!
ip access-list extended WAN_ACL
 permit tcp any host 203.1.1.2 eq smtp
 permit tcp any host 203.1.1.2 eq 993
 permit tcp any host 203.1.1.2 eq 443
 permit tcp any host 203.1.1.2 eq 143
 permit udp any host 203.1.1.2 eq 443
 permit tcp any host 203.1.1.2 eq domain
 permit udp any host 203.1.1.2 eq domain
 permit icmp any any echo-reply
 permit icmp any any unreachable
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 deny ip any any
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

OK, the return traffic is denied by the ACL (an ACL is not stateful, so return traffic must be defined).

Add (above the deny ip any any rule):

ip access-list extended WAN_ACL
 permit tcp any eq 80 host 203.1.1.2

A stateful firewall would be better in this instance (in the real world); it allows return traffic without having to explicitly permit it.

How can I add it above the deny ip any any rule?

If you run the command "show ip access-list WAN_ACL":

BRANCH-1-RTR(config)#do sh ip access-list WAN_ACL
Extended IP access list WAN_ACL
    10 permit tcp any host 2.2.2.1 eq www (6 matches)
    20 deny ip any any log (299 matches)

Have a look at the sequence numbers; you would then add an entry with a sequence number lower than 20, e.g.:

BRANCH-1-RTR(config)#15 permit icmp any host 2.2.2.1

BRANCH-1-RTR#show ip access-lists WAN_ACL
Extended IP access list WAN_ACL
    10 permit tcp any host 2.2.2.1 eq www (6 matches)
    15 permit icmp any host 2.2.2.1 (4 matches)
    20 deny ip any any log-input (327 matches)

It is not showing sequence numbers:

Router(config)#do sh ip access-list WAN_ACL
Extended IP access list WAN_ACL
permit tcp any host 203.1.1.2 eq smtp
permit tcp any host 203.1.1.2 eq 993
permit tcp any host 203.1.1.2 eq 443
permit tcp any host 203.1.1.2 eq 143
permit udp any host 203.1.1.2 eq 443
permit tcp any host 203.1.1.2 eq domain
permit udp any host 203.1.1.2 eq domain
permit icmp any any echo-reply
permit icmp any any unreachable
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.0.15.255 any
deny ip any any

Then all you can do is remove the ACL and re-enter the ACL, with the modification before the deny rule.
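The two points made above (a stateless ACL drops the web server's reply unless it is explicitly permitted, and a new entry must be sequenced ahead of the final deny) as an added example that is not code from the thread: a small Python model of first-match ACL processing. It assumes a simplified ACE syntax, a constructed port-name table, and constructed sample packets; real IOS behaviour (ICMP types, log keywords, established) is not modelled.

```python
import ipaddress
# Added example (not from the thread): a toy first-match evaluator that models
# a stateless IOS extended ACL (top-down, first match, implicit deny). The ACE
# syntax subset, PORTS table and sample packets are constructed assumptions.
PORTS = {"smtp": 25, "domain": 53, "www": 80}

def _addr(tokens):  # consume 'any' | 'host X' | 'X wildcard', then optional 'eq P'
    if tokens[0] == "any":
        spec, rest = ("0.0.0.0", "255.255.255.255"), tokens[1:]
    elif tokens[0] == "host":
        spec, rest = (tokens[1], "0.0.0.0"), tokens[2:]
    else:
        spec, rest = (tokens[0], tokens[1]), tokens[2:]
    port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
    return spec, port, (rest[2:] if port is not None else rest)

def parse_ace(seq, line):
    """Parse one access-control entry; trailing keywords (log, echo-reply) are ignored."""
    action, proto, *rest = line.split()
    src, sport, rest = _addr(rest)
    dst, dport, _ = _addr(rest)
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def _in(addr, spec):
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    mask = 0xFFFFFFFF ^ wild  # wildcard bit 1 means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (seq, action) of the first matching ACE, else the implicit deny."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if (ace["proto"] in ("ip", proto) and ace["sport"] in (None, sport)
                and ace["dport"] in (None, dport)
                and _in(src, ace["src"]) and _in(dst, ace["dst"])):
            return ace["seq"], ace["action"]
    return None, "deny"

# Subset of the thread's WAN_ACL, numbered 10, 20, ... as IOS numbers it.
WAN_ACL = [parse_ace(10 * (i + 1), l) for i, l in enumerate([
    "permit tcp any host 203.1.1.2 eq smtp",
    "permit tcp any host 203.1.1.2 eq 993",
    "deny ip 10.0.0.0 0.255.255.255 any",  # anti-spoofing, keep ahead of the fix
    "deny ip any any",                     # seq 40: the rule to insert before
])]

def add_ace(acl, seq, line):  # explicit sequence number, ip access-list extended mode
    return acl + [parse_ace(seq, line)]

def http_reply(acl, src="198.51.100.7"):  # web server's reply from port 80 to the NAT address
    return evaluate(acl, "tcp", src, 80, "203.1.1.2", 51000)

FIXED_ACL = add_ace(WAN_ACL, 35, "permit tcp any eq 80 host 203.1.1.2")
```

With the permit sequenced at 35, a packet from 10.0.0.0/8 that claims source port 80 still hits the anti-spoofing deny at 30 first, which is why the return-traffic permit belongs after those denies but before the final deny ip any any.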

Hello RJI, I know this topic is different from this one, but I would be grateful if you could kindly give me an idea.

Attached is the image file showing a server with two different NICs connected to two different Layer 2 switches. Now my query:

1) How can we use NIC teaming on a server in Packet Tracer?

2) If one link goes down, how can it transfer to the other link, as shown in the image file serverinmultipleswitch.jpg?