08-09-2002 04:28 AM - edited 03-02-2019 12:34 AM
We would like to lock down a WAN connection using access-lists. This is as well as other security products; the main reason for this is to limit what goes across the links.
I have created an access-list that permits the main application ports that we use, e.g. ftp, telnet, terminal server (3389), web proxy (8080) etc. The problem is when I apply these, no packets get through, so permitting ip any any allowed it to work - but this allowed me to do things that I don't want to be able to do.
We use EIGRP on the frame links, so I tried permitting eigrp any any but still no packets could get to their destination.
Any ideas on what I could do other than allow static route access?
Duncan
08-09-2002 05:00 AM
You'll have to allow the IP address of the router to talk to the multicast address used for EIGRP 224.0.0.10.
08-09-2002 05:30 AM
Thanks, Will give it a try.
Duncan
08-09-2002 05:42 AM
I have just done this, but it's not working: can you confirm the syntax for this:
The two routers addresses are 10.100.0.1 and 10.101.0.1 mask 255.255.0.0
Duncan
08-09-2002 06:40 AM
Not quite sure where you apply your ACLs or how your routers are connected since the IPs are on different subnets. However, let's assume that you are using IP unnumbered and that you want to control the traffic from 10.100.0.1 towards 10.101.0.1; then you would put something like this in your ACL:
permit ip host 10.100.0.1 host 224.0.0.10
The ACL would be applied out on the WAN interface.
08-09-2002 07:10 AM
Sorry not to give you the right info:
Our serial lines are numbered, e.g.:
Router A: 10.100.0.1 (eth), 10.10.20.66 (s0)
Router B: 10.101.0.1 (eth), 10.10.20.65 (s0)
I have tried with both the serial IP and the eth, still no joy.
These are the other ports I would like open as well.
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 5800
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq 123
access-list 102 permit tcp any any eq 102
access-list 102 permit tcp any any eq 42
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any any eq 161
access-list 102 permit udp any any eq snmp
access-list 102 permit eigrp any any log
access-list 102 permit tcp any any eq 7100
08-09-2002 09:14 AM
Add "access-list 102 deny ip any any log-input" at the end of your access-list. Also, make sure that logging is enabled "logging buffer". Then you can do "show log" to see what is being denied.
08-12-2002 02:29 AM
I have just done that and got the following:
3w6d: %SYS-5-CONFIG_I: Configured from console by vty0 (193.xxx.xxx.130)
3w6d: %SEC-6-IPACCESSLOGRP: list 102 permitted eigrp 10.10.20.65 -> 224.0.0.10, 59 packets
3w6d: %SYS-5-CONFIG_I: Configured from console by vty0 (193.xxx.xxx.130)
3w6d: %SEC-6-IPACCESSLOGRP: list 101 permitted eigrp 10.10.20.69 -> 224.0.0.10, 65 packets
3w6d: %SEC-6-IPACCESSLOGRP: list 102 permitted eigrp 10.10.20.65 -> 224.0.0.10, 10 packets
3w6d: %SYS-5-CONFIG_I: Configured from console by vty0 (193.xxx.xxx.130)
3w6d: %SEC-6-IPACCESSLOGRP: list 101 permitted eigrp 10.10.20.9 -> 224.0.0.10, 64 packets
3w6d: %SEC-6-IPACCESSLOGRP: list 102 permitted eigrp 10.10.20.65 -> 224.0.0.10, 1 packet
3w6d: %SEC-6-IPACCESSLOGRP: list 102 permitted eigrp 10.10.20.65 -> 224.0.0.10, 12 packets
3w6d: %SEC-6-IPACCESSLOGRP: list 102 permitted eigrp 10.10.20.65 -> 224.0.0.10, 2 packets
3w6d: %SEC-6-IPACCESSLOGRP: list 102 permitted eigrp 10.10.20.65 -> 224.0.0.10, 4 packets
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied udp 10.101.0.23(137) (Serial0.2 DLCI 17) -> 10.100.0.92(137), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied udp 10.101.0.45(137) (Serial0.2 DLCI 17) -> 10.100.0.92(137), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied udp 10.101.0.19(137) (Serial0.2 DLCI 17) -> 158.43.240.4(53), 1 packet
3w6d: %SYS-5-CONFIG_I: Configured from console by vty0 (193.xxx.xxx.130)
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.101.0.1(23) (Serial0.2 DLCI 17) -> 193.xxx.xxx.130(8728), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied udp 10.100.0.93(3849) (Ethernet0 0002.a574.8403) -> 10.101.0.23(1036), 1 packet
3w6d: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 193.xxx.xxx.130 (Serial0.1 DLCI 16) -> 10.101.0.1 (8/0), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.100.0.88(8080) (Serial0.1 DLCI 16) -> 10.101.0.45(1042), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.101.0.45(1029) (Serial0.2 DLCI 17) -> 10.100.0.93(1050), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied udp 10.100.0.93(3877) (Ethernet0 0002.a574.8403) -> 10.101.0.23(1036), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.101.0.1(23) (Serial0.2 DLCI 17) -> 193.xxx.xxx.130(9022), 1 packet
3w6d: %SEC-6-IPACCESSLOGRP: list 101 permitted eigrp 10.10.20.69 -> 224.0.0.10, 65 packets
I can see that I need to allow UDP stuff now, but why doesn't it allow me to telnet to it? (2nd line up)
08-12-2002 06:35 AM
I have just seen what the problem is: I have got the same access rules going in and out (ip access-group 102 out and in).
Dunc
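The following is an added example, not code from this thread or from Cisco: a small model of IOS extended-ACL matching (first match wins, implicit deny at the end, only `any` / `host A.B.C.D` address specs) that replays the %SEC-6-IPACCESSLOG lines quoted above against access-list 102 and then shows why applying that one list both `in` and `out` denies the telnet replies. The ACL text and log excerpt in the block are constructed from what was posted; the `established` keyword is a real IOS extended-ACL option (matches TCP segments with ACK or RST set) that the thread itself does not use.

```python
"""Stateless IOS-style ACL model: replay the thread's %SEC-6-IPACCESSLOG lines and
show why one ACL applied both 'in' and 'out' kills the telnet replies.
Added example, not code from the thread. ACL and log text below are constructed
from the posts above; only 'any' / 'host X' address specs are modelled."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

NAMED_PORTS = {"telnet": 23, "ftp": 21, "domain": 53, "snmp": 161}

# Constructed from the ACL posted above; the explicit deny suggested in the reply is appended by build_acl().
ACL_102_BODY = """
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq 8080
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 5800
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq 123
access-list 102 permit tcp any any eq 102
access-list 102 permit tcp any any eq 42
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any any eq 161
access-list 102 permit udp any any eq snmp
access-list 102 permit eigrp any any log
access-list 102 permit tcp any any eq 7100
"""
DENY_LOG = "access-list 102 deny ip any any log-input"

# Constructed excerpt of the router log quoted above.
SAMPLE_LOG = """
3w6d: %SEC-6-IPACCESSLOGRP: list 102 permitted eigrp 10.10.20.65 -> 224.0.0.10, 59 packets
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied udp 10.101.0.23(137) (Serial0.2 DLCI 17) -> 10.100.0.92(137), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied udp 10.101.0.19(137) (Serial0.2 DLCI 17) -> 158.43.240.4(53), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.101.0.1(23) (Serial0.2 DLCI 17) -> 193.xxx.xxx.130(8728), 1 packet
3w6d: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 193.xxx.xxx.130 (Serial0.1 DLCI 16) -> 10.101.0.1 (8/0), 1 packet
3w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.100.0.88(8080) (Serial0.1 DLCI 16) -> 10.101.0.45(1042), 1 packet
"""

# src(port) [(interface [mac|DLCI])] -> dst(port) [(icmp type/code)], N packet(s)
LOG_RE = re.compile(
    r"list (?P<acl>\d+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\w.]+)(?:\((?P<sport>\d+)\))?(?: \([^)]*\))? -> "
    r"(?P<dst>[\w.]+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False
    text: str = ""

@dataclass
class Pkt:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool = False          # ACK or RST set; the log does not record TCP flags
    router_verdict: Optional[str] = None

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established] [log|log-input]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(line)
        r, i = Rule(action=t[2], proto=t[3], src="", dst="", text=line), 4
        for field in ("src", "dst"):                    # only 'any' or 'host A.B.C.D'
            if t[i] == "any":
                setattr(r, field, "any"); i += 1
            elif t[i] == "host":
                setattr(r, field, t[i + 1]); i += 2
            else:
                raise ValueError(f"unsupported address spec in: {line}")
        while i < len(t):
            if t[i] == "eq":                            # 'eq' after DST = destination port
                r.dport = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1]); i += 2
            elif t[i] == "established":
                r.established = True; i += 1
            elif t[i] in ("log", "log-input"):
                i += 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
        rules.append(r)
    return rules

def evaluate(rules, pkt):
    """IOS semantics: first matching line wins; implicit 'deny ip any any' at the end."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto): continue
        if r.src != "any" and r.src != pkt.src: continue
        if r.dst != "any" and r.dst != pkt.dst: continue
        if r.dport is not None and r.dport != pkt.dport: continue
        if r.established and not (pkt.proto == "tcp" and pkt.established): continue
        return r.action, r.text
    return "deny", "implicit deny"

def parse_log(text):
    """Turn %SEC-6-IPACCESSLOG* lines into packets carrying the router's own verdict."""
    pkts = []
    for m in LOG_RE.finditer(text):
        port = lambda k: int(m[k]) if m[k] else None
        pkts.append(Pkt(m["proto"], m["src"], port("sport"), m["dst"], port("dport"),
                        router_verdict={"permitted": "permit", "denied": "deny"}[m["verdict"]]))
    return pkts

def denied_by_service(text):
    """What the log says is still blocked: Counter of (proto, dport) over the denials."""
    return Counter((p.proto, p.dport) for p in parse_log(text) if p.router_verdict == "deny")

def build_acl(*extra_lines):
    return parse_acl("\n".join([ACL_102_BODY.strip(), *extra_lines, DENY_LOG]))

def replay_log(rules, text):
    """(model verdict, router verdict) per logged packet; the two should agree line for line."""
    return [(evaluate(rules, p)[0], p.router_verdict) for p in parse_log(text)]

def telnet_session_verdicts(rules):
    """Same ACL applied 'in' and 'out': the request is permitted, but the server's reply
    (source port 23, ephemeral destination port) matches no 'eq' line and falls to the deny."""
    syn = Pkt("tcp", "193.xxx.xxx.130", 8728, "10.101.0.1", 23)                        # client -> router
    syn_ack = Pkt("tcp", "10.101.0.1", 23, "193.xxx.xxx.130", 8728, established=True)  # reply, ACK set
    return evaluate(rules, syn)[0], evaluate(rules, syn_ack)[0]
```

Replaying the excerpt, the model agrees with the router on every line, and `denied_by_service` shows the UDP/137 NetBIOS chatter, a UDP/53 DNS query (the list only permits `tcp ... eq domain`, and NTP on 123 is UDP too) and the telnet reply from port 23 to port 8728. `telnet_session_verdicts(build_acl())` returns `("permit", "deny")`; adding `access-list 102 permit tcp any any established` ahead of the deny gives `("permit", "permit")`. Caveat a practitioner would want: `established` is stateless, it only tests the ACK/RST bits, so any crafted segment with ACK set walks through it; the cleaner fix is a separate inbound list with its own permits (or IOS reflexive ACLs for genuinely stateful return traffic), with the `deny ip any any log-input` kept at the end of each list so the log keeps telling you what is still blocked.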