05-03-2005 06:02 AM - edited 03-02-2019 10:39 PM
Current configuration : 3904 bytes
!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
!
hostname router1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
enable secret 5 x
!
username admin privilege 15 secret 5 x
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
!
!
no ip bootp server
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address 216.240.x.a 255.255.255.0
ip access-group 101 in
ip access-group 100 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no cdp enable
!
ip default-gateway 216.240.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 216.240.x.x
ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.10 216.240.x.b
ip nat inside source static 192.168.1.11 216.240.x.c
!
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit gre any host 216.240.x.a
access-list 101 permit tcp any host 216.240.x.a eq telnet
access-list 101 permit tcp any host 216.240.x.a eq www
access-list 101 permit tcp any host 216.240.x.b eq 1723
access-list 101 permit tcp any host 216.240.x.b eq 443
access-list 101 permit tcp any host 216.240.x.b eq 47
access-list 101 permit tcp any host 216.240.x.b eq domain
access-list 101 permit tcp any host 216.240.x.b eq ftp
access-list 101 permit tcp any host 216.240.x.b eq ftp-data
access-list 101 permit tcp any host 216.240.x.b eq www
access-list 101 permit udp any host 216.240.x.b eq 1723
access-list 101 permit udp any host 216.240.x.b eq 47
access-list 101 permit udp any host 216.240.x.b eq domain
access-list 101 permit udp any host 216.240.x.c eq domain
access-list 101 permit tcp any host 216.240.x.c eq 443
access-list 101 permit tcp any host 216.240.x.c eq domain
access-list 101 permit tcp any host 216.240.x.c eq ftp
access-list 101 permit tcp any host 216.240.x.c eq ftp-data
access-list 101 permit tcp any host 216.240.x.c eq www
access-list 101 deny ip any any
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 4000 1000
end
--------------------- PROBLEM ----------------------
I want users to be able to go out on every port and only selective ports open for incoming.
I thought the "deny ip any any" is implicit. However, if I don't give access-list 101 deny ip any any it lets everyone in.
The moment I state the deny it denies all outgoing traffic as well.
So I added the 101 deny and 102 incoming and it did not work. What am I doing wrong?
Any help is really appreciated.
Thanks,
05-03-2005 06:26 AM
Access-lists can be applied in each direction. The direction is from the router's perspective. Therefore "IN" means coming into the router interface and "OUT" means leaving the router interface. When you apply an ACL to an interface it is applied in the direction you specify. If you only want to control traffic coming into the router you should only need to specify an inbound ACL.
The use of access-list 100 is unnecessary. The deny statement at the end of access-list 101 is going to deny any traffic which was not implicitly allowed by previous permit statements. Therefore, it seems to be doing its job.
HTH,
Brian
05-03-2005 07:30 AM
Brian,
So if I want to send traffic to internet
access-list 101 192.168.1.0 0.0.0.255 any
that should work right
I am new to this and am trying to learn the ropes.
Thanks,
AK
05-03-2005 08:01 AM
You have your access-lists the right way round.
The problem is extended access lists aren't stateful, i.e. they explicitly permit or deny traffic based on the rules you create.
So when traffic leaves your network to its destination, it's permitted out to the internet via access-list 100. When it comes back into your network, the traffic is checked by access list 101.
So if it's not specifically permitted by this access list it will be dropped by the last rule "deny ip any any".
So for TCP sessions you need to add "permit ip any any established" to your inbound access list (101) which will allow existing connections back into your network.
If you need more than this, i.e. UDP, then you need to check the link I sent in the previous post.
HTH
Paddy
05-03-2005 06:32 AM
You can add "permit tcp any any established" before your "deny ip any any" rule which will allow established TCP connections back into your internal network. It works by looking for ACK or RST bits in a session; these bits aren't the first bits in a TCP handshake and are therefore part of an established session.
If you need to do similar for UDP traffic then you should look at configuring reflexive access lists.
Please see the following link for details
Rgds
Paddy
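The behaviour Paddy describes in both replies above, as an added example that is not from the thread or from Cisco: a small Python model of first-match extended-ACL evaluation, where `established` matches only TCP segments carrying ACK or RST. The addresses 203.0.113.10/11/12 stand in for the thread's masked 216.240.x.a/b/c, 198.51.100.x stands in for hosts on the internet, and every packet tuple is constructed for the example; the entry list is a subset of ACL 101 from the posted config.

```python
"""Added example: first-match evaluation of a Cisco-style extended ACL.

Shows why the posted ACL 101 drops the return half of outbound TCP
sessions, why 'permit tcp any any established' fixes TCP, and why a
UDP reply is still dropped (that case needs a reflexive ACL).
Addresses and packets below are constructed stand-ins, not thread data.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

OUTSIDE_A = "203.0.113.10"   # stands in for 216.240.x.a (router outside, NAT overload)
OUTSIDE_B = "203.0.113.11"   # stands in for 216.240.x.b (static NAT for 192.168.1.10)
OUTSIDE_C = "203.0.113.12"   # stands in for 216.240.x.c (static NAT for 192.168.1.11)


@dataclass
class Packet:
    proto: str                  # 'tcp', 'udp', 'gre', ...
    src: str
    dst: str
    dport: int = 0
    tcp_flags: frozenset = frozenset()   # e.g. {'SYN'} or {'SYN', 'ACK'}


@dataclass
class Entry:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip' matches every protocol
    src: str                    # 'any', a host address, or a CIDR
    dst: str
    dport: Optional[int] = None # 'eq <port>' on the destination
    established: bool = False   # IOS 'established' keyword (TCP only)


def _addr_match(rule: str, addr: str) -> bool:
    if rule == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)):
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    if e.established:
        # 'established' matches TCP segments with ACK or RST set, i.e.
        # anything except the bare SYN that opens a new connection.
        if p.proto != "tcp" or not (p.tcp_flags & {"ACK", "RST"}):
            return False
    return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; no match falls into the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


def acl_101_original() -> list:
    """Subset of the thread's ACL 101, stateless, ending in deny ip any any."""
    return [
        Entry("permit", "gre", "any", OUTSIDE_A),
        Entry("permit", "tcp", "any", OUTSIDE_A, 23),
        Entry("permit", "tcp", "any", OUTSIDE_A, 80),
        Entry("permit", "tcp", "any", OUTSIDE_B, 443),
        Entry("permit", "tcp", "any", OUTSIDE_B, 80),
        Entry("permit", "udp", "any", OUTSIDE_B, 53),
        Entry("permit", "tcp", "any", OUTSIDE_C, 80),
        Entry("deny", "ip", "any", "any"),
    ]


def acl_101_with_established() -> list:
    """Same ACL with Paddy's 'permit tcp any any established' before the deny."""
    acl = acl_101_original()
    return acl[:-1] + [Entry("permit", "tcp", "any", "any", None, True)] + acl[-1:]


# Constructed packets as seen inbound on the outside interface (post-NAT addresses).
RETURN_SYNACK = Packet("tcp", "198.51.100.5", OUTSIDE_A, 54321, frozenset({"SYN", "ACK"}))
NEW_SYN_TO_SSH = Packet("tcp", "198.51.100.5", OUTSIDE_A, 22, frozenset({"SYN"}))
NEW_SYN_TO_WEB_B = Packet("tcp", "198.51.100.5", OUTSIDE_B, 80, frozenset({"SYN"}))
RETURN_DNS_UDP = Packet("udp", "198.51.100.53", OUTSIDE_A, 40000)


if __name__ == "__main__":
    for name, acl in (("original", acl_101_original()),
                      ("with established", acl_101_with_established())):
        print(f"ACL 101 {name}:")
        for label, pkt in (("return SYN-ACK to NAT addr", RETURN_SYNACK),
                           ("new SYN to port 22", NEW_SYN_TO_SSH),
                           ("new SYN to web server B", NEW_SYN_TO_WEB_B),
                           ("UDP DNS reply to NAT addr", RETURN_DNS_UDP)):
            print(f"  {label:28s} -> {evaluate(acl, pkt)}")
```

Running the block shows the return SYN-ACK of an inside user's web session being dropped by the original list and permitted once the `established` entry is present, while a fresh SYN to port 22 is still denied (no ACK or RST set) and the UDP DNS reply is denied in both cases, which is the UDP gap Paddy points to reflexive access lists for.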
05-03-2005 09:57 AM
Thanks to all. I will test this out today and post if that worked. I am sure it will.