09-22-2004 06:51 AM - edited 03-02-2019 06:41 PM
I have a hub & spoke frame-relay network. All remote offices connect to a frame router here at the corp. office.
From the remote office I'm trying to place an extended access list to manage outgoing traffic. Instead of denying certain traffic I want to allow certain traffic. When I apply the access list to interface FastEthernet0 (the only Ethernet port), the remote office can telnet, smtp, www.
But when I try to telnet or www to systems at the remote office I can't. The remote office seems to be denying all traffic to the inside of the remote office. Listed below is the config from the remote office. Thanks....
interface FastEthernet0
ip address 172.52.1.1 255.255.252.0
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip accounting output-packets
speed auto
priority-group 2
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any echo
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
access-list 102 permit udp any any eq 23
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq 5631
access-list 102 permit udp any any eq 5632
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any any eq 443
access-list 102 permit tcp any any eq 546
access-list 102 permit udp any any eq 546
access-list 102 permit tcp any any eq 547
access-list 102 permit udp any any eq 547
access-list 102 permit tcp any any eq 1025
access-list 102 permit tcp any any eq 8001
access-list 102 permit tcp any any eq 8484
access-list 102 permit tcp any any eq 8385
access-list 102 permit tcp any any eq 8383
access-list 102 permit tcp any any eq 9100
access-list 102 permit udp any any eq 9100
access-list 102 permit eigrp any any
09-22-2004 07:40 AM
You seem to be taking care of one direction traffic only.
Is the above list applied at the corp side or the remote?
Thanks.
09-22-2004 07:48 AM
No, on the serial side of the router I don't have any access-list applied. Hope that answers your question.
09-22-2004 07:53 AM
This is going to be because the packets coming back from the LAN do not match any of the ports you have defined in the ACL, i.e. there will be a random port.
Even though there is a deny on the end of the ACL, add a
deny ip any any log
You will see the packets coming back and why they are denied.
09-22-2004 07:57 AM
Try moving them about. Instead of
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
try
access-list 102 permit tcp any eq domain any
access-list 102 permit udp any eq domain any
09-22-2004 08:04 AM
You need to use 'established' keyword in your ACL to get the results you want.
Thanks.
09-22-2004 09:07 AM
When I changed my access list from
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
to
access-list 102 permit tcp any eq domain any
access-list 102 permit udp any eq domain any
I was now able to get to systems on the inside of the remote office but all traffic is now denied from the remote office to the corp. network.
Rais, can you give an example?
Thanks.
09-22-2004 09:13 AM
In an extended access list you can specify source ports and destination ports. In the example you posted you are specifying destination ports only.
If you are at a remote site and attempt telnet to a machine in this subnet the request comes in with destination port of TCP/23 (telnet) and when the response from the machine comes to the interface on the router then TCP/23 (telnet) is the source port. So in the access list when you have:
access-list 102 permit tcp any any eq telnet
it will allow stations in the remote subnet to initiate telnet. To allow them to respond to telnet you should also have:
access-list 102 permit tcp any eq telnet any
Apply this logic to the various protocols that you want to work (www, ftp, etc) to specify one line with the protocol as destination and another line to specify the protocol as source. This should make things work for you.
HTH
Rick
09-22-2004 09:29 AM
So, if I'm reading you correctly my access list should look like this.
access-list 102 permit tcp any eq 53 any
access-list 102 permit udp any eq 53 any
access-list 102 permit icmp any any
access-list 102 permit tcp any eq www any
access-list 102 permit tcp any eq telnet any
access-list 102 permit udp any eq 23 any
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any eq pop3 any
access-list 102 permit tcp any eq ftp any
access-list 102 permit tcp any eq 21 any
access-list 102 permit tcp any eq 5631 any
access-list 102 permit udp any eq 5632 any
access-list 102 permit tcp any eq 443 any
access-list 102 permit udp any eq 443 any
access-list 102 permit tcp any eq 546 any
access-list 102 permit udp any eq 546 any
access-list 102 permit tcp any eq 547 any
access-list 102 permit udp any eq 547 any
access-list 102 permit tcp any eq 1025 any
access-list 102 permit tcp any eq 8001 any
access-list 102 permit tcp any eq 8484 any
access-list 102 permit tcp any eq 8385 any
access-list 102 permit tcp any eq 8383 any
access-list 102 permit tcp any eq 9100 any
access-list 102 permit udp any eq 9100 any
access-list 102 permit eigrp any any
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
access-list 102 permit udp any any eq 23
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq 5631
access-list 102 permit udp any any eq 5632
access-list 102 permit tcp any any eq 443
access-list 102 permit udp any any eq 443
access-list 102 permit tcp any any eq 546
access-list 102 permit udp any any eq 546
access-list 102 permit tcp any any eq 547
access-list 102 permit udp any any eq 547
access-list 102 permit tcp any any eq 1025
access-list 102 permit tcp any any eq 8001
access-list 102 permit tcp any any eq 8484
access-list 102 permit tcp any any eq 8385
access-list 102 permit tcp any any eq 8383
access-list 102 permit eigrp any any
09-22-2004 10:38 AM
Yes. With the exception that you do not need the duplicated permit icmp any any and permit eigrp any any. The version of the access list that you have here will permit those protocols to be sent and to be received.
I believe this will satisfy the requirements that you identified.
HTH
Rick
09-22-2004 09:32 AM
Is the same ACL being applied to all sites, remote and central?
If so then it won't work.
You will need to have on the remote site an inbound ACL on the f0/0 int of
permit tcp any any eq telnet
On the central site you will need
permit tcp any eq telnet any
to allow for packets coming back which will not have a source port of 23.
E.g.
If you are telnetting from host 1.1.1.1 to host 2.2.2.2,
your packets will have src 1.1.1.1 port xxxxx, dest 2.2.2.2 port 23.
When the packets are coming back, it will be reversed:
src 2.2.2.2 port 23, dest 1.1.1.1 port xxxxx.
Apologies if I've misunderstood the post.
09-22-2004 09:51 AM
At the moment the corp. router has a "permit ip any any" statement.
09-22-2004 10:52 AM
Maybe I'm confusing the issue.
I'm trying to allow certain traffic (www, telnet, smtp, pop3) from the remote site to the corp. office & allow ALL traffic from the corp. site to the remote site.
09-22-2004 12:35 PM
This does cast the problem in a somewhat different light and suggests that some other alternative solutions might be considered.
Part of the problem is to differentiate traffic coming from the remote LAN: if it is a response to something initiated from the corp office it is to be permitted, but if it is initiated from the remote LAN it needs to be evaluated separately. For TCP traffic there is a solution for this (which someone mentioned early in this thread) in the tcp established capability. With this, any TCP packet from the remote LAN which is a response is recognized because it has the ACK or the RST bit set and can be permitted.
However there is not anything like established that works for UDP or other IP protocols. To find a solution that works for them I would suggest that you look into reflexive access lists. The key concept of reflexive access lists is that they dynamically watch traffic going through the router and will build entries in a dynamic access list to permit responses. Here is a link that will get you started in understanding reflexive access lists:
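The following is an added example, not part of the thread and not Cisco code: a small Python model of IOS extended-ACL evaluation that parses entries written in the same syntax as the posted ACL 102 and runs three constructed packets through them. It shows why the destination-port-only list drops a remote host's reply to a corp-initiated telnet, why the `permit tcp any eq telnet any` workaround also lets a new connection through if the sender simply chooses source port 23, and how `established` (ACK or RST set) passes the reply without that hole. A `ReflexiveTable` class stands in for the reflexive ACL behaviour mentioned above for UDP. The corp host 10.0.0.5, the ephemeral ports and the SNMP example are assumptions; the parser only understands `any`, `host`, `eq` and `established`, not wildcard masks or other IOS keywords.

```python
"""IOS-style extended-ACL evaluator (constructed example) showing why the posted ACL 102
drops replies to corp-initiated sessions, what a source-port rule opens up, and what
'established' and a reflexive table do instead. 172.52.1.0/22 is the remote LAN from the
post; 10.0.0.5 and the port numbers are assumed."""
from collections import namedtuple

PORT_NAMES = {"domain": 53, "www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "ftp": 21}

# flags: set of TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}; empty for non-TCP packets.
Packet = namedtuple("Packet", "proto src dst sport dport flags", defaults=(0, 0, frozenset()))
# sport/dport are None when the entry carries no 'eq' qualifier on that side.
Ace = namedtuple("Ace", "action proto src sport dst dport established")


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT] [established]'.
    Addresses are 'any' or 'host A.B.C.D'; wildcard masks and other keywords are out of scope."""
    toks = line.split()
    action, proto, rest = toks[2], toks[3], toks[4:]

    def take_addr_and_port():
        nonlocal rest
        addr, rest = (rest[1], rest[2:]) if rest[0] == "host" else (rest[0], rest[1:])
        port = None
        if rest and rest[0] == "eq":
            port, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
        return addr, port

    src, sport = take_addr_and_port()
    dst, dport = take_addr_and_port()
    return Ace(action, proto, src, sport, dst, dport, "established" in rest)


def ace_matches(ace, pkt):
    proto_ok = ace.proto in ("ip", pkt.proto)
    addrs_ok = ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)
    ports_ok = ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport)
    # 'established' matches only TCP segments with ACK or RST set, never the opening SYN,
    # so it passes replies without trusting the sender's choice of source port.
    est_ok = not ace.established or bool(pkt.flags & {"ACK", "RST"})
    return proto_ok and addrs_ok and ports_ok and est_ok


def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    return next((ace.action for ace in acl if ace_matches(ace, pkt)), "deny")


# ACL 102 as posted (two representative entries): destination ports only, applied inbound
# on FastEthernet0, i.e. to traffic leaving the remote LAN toward corp.
POSTED = [parse_ace(l) for l in ("access-list 102 permit tcp any any eq telnet",
                                 "access-list 102 permit tcp any any eq www")]
SOURCE_PORT_FIX = POSTED + [parse_ace("access-list 102 permit tcp any eq telnet any")]
ESTABLISHED_FIX = POSTED + [parse_ace("access-list 102 permit tcp any any established")]

# Constructed packets entering FastEthernet0 from remote host 172.52.1.10 toward the
# assumed corp host 10.0.0.5.
REMOTE_OPENS_TELNET = Packet("tcp", "172.52.1.10", "10.0.0.5", 50001, 23, frozenset({"SYN"}))
REPLY_TO_CORP_TELNET = Packet("tcp", "172.52.1.10", "10.0.0.5", 23, 50002, frozenset({"SYN", "ACK"}))
ATTACKER_SPORT_23 = Packet("tcp", "172.52.1.10", "10.0.0.5", 23, 445, frozenset({"SYN"}))


def verdicts(acl):
    """(remote-initiated telnet, reply to corp-initiated telnet, new SYN sent from port 23)."""
    return tuple(evaluate(acl, p) for p in (REMOTE_OPENS_TELNET, REPLY_TO_CORP_TELNET, ATTACKER_SPORT_23))


class ReflexiveTable:
    """Stand-in for IOS reflexive ACLs: a flow seen leaving toward the remote LAN creates a
    temporary entry permitting exactly its reverse, which also covers UDP where
    'established' cannot apply. Entry timeouts and TCP teardown are omitted here."""

    def __init__(self):
        self.entries = set()

    def reflect(self, outbound):  # corp -> remote packet on its way out of FastEthernet0
        self.entries.add((outbound.proto, outbound.dst, outbound.dport, outbound.src, outbound.sport))

    def permits(self, inbound):  # remote -> corp packet arriving on FastEthernet0
        return (inbound.proto, inbound.src, inbound.sport, inbound.dst, inbound.dport) in self.entries


def reflexive_demo():
    """Corp polls SNMP (udp/161) on a remote host; only the exact reply flow is let back in."""
    table = ReflexiveTable()
    query = Packet("udp", "10.0.0.5", "172.52.1.10", 40000, 161)
    reply = Packet("udp", "172.52.1.10", "10.0.0.5", 161, 40000)
    other = Packet("udp", "172.52.1.10", "10.0.0.5", 161, 40001)
    before = table.permits(reply)
    table.reflect(query)
    return before, table.permits(reply), table.permits(other)


if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("source-port rule", SOURCE_PORT_FIX), ("established", ESTABLISHED_FIX)):
        print(f"{name:16s} {verdicts(acl)}")
    print("reflexive (before, reply, unrelated):", reflexive_demo())
```

Running it gives `('permit', 'deny', 'deny')` for the posted list, `('permit', 'permit', 'permit')` once a source-port entry is added (the third verdict is the hole: any host on the remote LAN that binds source port 23 reaches any corp port), and `('permit', 'permit', 'deny')` with `established`. Note that `established` only checks flag bits, so a crafted ACK-only packet still passes; it cannot complete a handshake, but a stateful mechanism such as the reflexive table, or a real firewall, is what actually ties the reply to a session the corp side opened.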