07-01-2005 11:26 PM - edited 03-02-2019 11:16 PM
Hi guys, I have an access list applied inbound to an interface on a router at the edge of our LAN. Our LAN subnet is 10.10.x.x and the incoming subnet is 10.13.x.x, both with a 16-bit mask. The ACL is applied inbound to the interface that the 10.13.x.x subnet comes in on. I want to only allow them to go to our internal web server to run a corporate web app, resolve DNS for this web server with our DNS servers, and have full access to a server on the other side of our WAN for another 32-bit app they are running. Here is my ACL (you will notice I have also configured a single IP with full access in for us to use when we are on site):
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
access-list 101 permit ip host 10.13.1.254 any
access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
access-list 101 permit ip 10.13.0.0 0.0.255.255 host 192.168.9.1
access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.24 eq www
access-list 101 deny ip 10.13.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.13.0.0 0.0.255.255 172.16.100.0 0.0.0.255
access-list 101 deny ip any any
From the 10.13.x.x network this works like a charm, but here is the key: I want to be able to remote admin their machines but can't. Even though the ACL is applied inbound only, I can't get to their subnet; even with the first permit statement I still can't get to their subnet. I am assuming it's allowing me in but the problem is lying with the return traffic. Is there a way for me to deny them access as in the list but for me to remote to their subnet?
Any help you could offer would be appreciated.
07-02-2005 12:03 AM
What is your IP from which you are trying to use the remote? Which application are you using for remote? Is it the terminal service or RDC?
regards,
-amit singh
07-02-2005 01:54 AM
We just use VNC to remote support the users. I wanted to allow the 10.10.x.x subnet in as I am on a DHCP lease. I have to be on this as we have multiple sites and I have a laptop which I take to these sites and don't want to have to reconfigure the IP address every time to establish connectivity. What if I allow the VNC port (5900, I think) back in to the whole subnet; will that work?
07-02-2005 02:56 AM
Hi,
Your first entry is wrong, and it should be:
access-list 101 permit ip 10.13.0.0 0.0.255.255 any
Yes you can limit connectivity to the port in mind like:
access-list 101 permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255
Thanks,
Jawad
07-02-2005 02:44 PM
I agree with you that the first line in the access list is incorrect. Coming in that interface the source address should never be 10.10.0.0. But if he follows your first suggestion then any IP packet from 10.13.anything to anything will be permitted and none of the other statements in the access list will have any effect.
And I have a serious issue with what he appears to suggest, which is that he will take his laptop (with a 10.10.x.x address), connect it into a remote subnet, and expect it to work. Unless he has IP mobility configured, he may be able to send packets out, but responses to 10.10.x.x will be sent to the 10.10.0.0 subnet and will not get to his laptop. He needs to rethink this logic.
I do agree with your second suggestion that:
access-list 101 permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255
should allow the remote administration to work (assuming that 5900 is the correct port and assuming that it uses tcp not udp).
HTH
Rick
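As an added illustration of the first-match and return-traffic points made above (example code written for this page, not posted by anyone in the thread), here is a small evaluator for the extended numbered ACL syntax used in the original post, run against constructed packets. The host addresses 10.13.5.20 and 10.10.4.7 and the client port 51234 are made-up sample values; `ip` entries are treated as matching any protocol, as on IOS.

```python
import ipaddress
# Added example (not from the thread): a first-match evaluator for the extended
# numbered ACL syntax above, showing why a VNC reply from 10.13.x.x is dropped by
# the original list and permitted once the "eq 5900" entry sits before the denies.
PORT_NAMES = {"domain": 53, "www": 80}
def _wild_match(addr, net, wildcard):
    # Cisco wildcard: 1 bits are "don't care", 0 bits must match exactly.
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)
def _addr(t, i):  # "any" | "host X" | "X WILDCARD" -> (net, wildcard, next index)
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2
def _port(t, i):  # optional "eq <port|name>"; None means any port
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i
def parse_ace(line):  # access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]
    t = line.split()
    src, swc, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, dwc, i = _addr(t, i)
    return t[2], t[3], (src, swc, sport), (dst, dwc, _port(t, i)[0])
def evaluate(acl, proto, src, sport, dst, dport):
    # Return (action, index) of the first matching entry; implicit deny if none.
    for idx, (action, p, (sn, sw, sp), (dn, dw, dp)) in enumerate(map(parse_ace, acl)):
        if (p in ("ip", proto) and _wild_match(src, sn, sw) and _wild_match(dst, dn, dw)
                and sp in (None, sport) and dp in (None, dport)):
            return action, idx
    return "deny", None
ACL_ORIGINAL = """\
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
access-list 101 permit ip host 10.13.1.254 any
access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
access-list 101 permit ip 10.13.0.0 0.0.255.255 host 192.168.9.1
access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.24 eq www
access-list 101 deny ip 10.13.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.13.0.0 0.0.255.255 172.16.100.0 0.0.0.255
access-list 101 deny ip any any""".splitlines()
# Jawad's return-traffic entry goes before the deny lines: first match wins.
VNC_REPLY = "access-list 101 permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255"
ACL_WITH_VNC = ACL_ORIGINAL[:8] + [VNC_REPLY] + ACL_ORIGINAL[8:]
# Constructed packet: a 10.13.x.x VNC server (source port 5900) replying to the admin's laptop.
VNC_PKT = ("tcp", "10.13.5.20", 5900, "10.10.4.7", 51234)
```

Running `evaluate(ACL_ORIGINAL, *VNC_PKT)` lands on the `deny ip 10.13.0.0 ... 10.0.0.0` entry, while `evaluate(ACL_WITH_VNC, *VNC_PKT)` is permitted by the inserted line; any other 10.13.x.x to 10.10.x.x traffic is still denied because only source port 5900 is opened.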
07-03-2005 02:23 AM
Thanks guys, you misunderstand me when you say I take my laptop to other sites with the 10.10.x.x address. I don't; what I was saying was that because I take my laptop to other sites I cannot have the 10.10.x.x address statically configured. I have to use DHCP, therefore I can't put a single IP address in the ACL. The reason I put the first entry in is because I couldn't get onto the subnet even though the ACL was only applied to the inbound interface, so I assumed the ACL was still being picked up going out.
Am I right in saying that if I put in the rule for the return traffic on port 5900 then I don't have to allow myself with an ACL outbound, as there are no ACLs in place in that direction?
07-03-2005 02:38 AM
Hi,
You can have a static IP address if you have some control over those sites. If you're running a routing protocol everywhere, then use "router mobile" and redistribute mobile into the routing protocol in mind; for example, if you're running RIP at those sites, it would be like:
router mobile
router rip
redistribute mobile
Make sure to add an access-list at your exit point at every site, like:
int fa0/0 (remote site where your laptop is)
ip mobile arp access-group 1
access-list 1 permit host 10.10.x.x
It should work.
Thanks,
Jawad
07-07-2005 02:27 PM
You guys are gods! I am running EIGRP at all my sites, so am I right in saying the following config should work?
int fa0/0 (Wan interface of site)
ip mobile arp access-group 1
access-list 1 permit host 10.10.1.254
router eigrp 10
redistribute mobile
Or do I need this on the LAN interface?