Access Control List problem

rbvdwurff
Level 1

Hello everybody,

I'm quite new to this community, so forgive me if I intrude or if I'm doing something wrong. I'm a young network enthusiast and I'd love to explore a career in network security.

I'm currently doing a school project that includes router hardening. I'm using a PDF template by Krishni Naidu that says to block a certain number of ports in order to secure a Cisco router.

In my school project we are using the Cisco 2801 router with IOS version 15.0(1). Our setup is as follows:

We have a domain with a couple of VLANs that reach the first router, which runs EIGRP and router-on-a-stick. After that the traffic enters an IPsec VPN tunnel to reach router 2. The connection from router 2 goes to a "Smoothwall" with firewall rules and eventually reaches a small Linksys router that goes to the internet.

I know it's a rather "dumb" setup, but it's what we have to use given our budget from school. Internet works fine and we also use DNS. However, when I try to create an ACL that blocks certain ports on the link from router 2 to the Smoothwall, all traffic seems to be blocked.

Here is my ACL configuration:

ip access-list extended PORTBLOCK
 deny tcp any any eq domain
 deny udp any any eq tftp
 deny tcp any any eq 87
 deny tcp any any eq sunrpc
 deny udp any any eq sunrpc
 deny tcp any any eq exec login cmd lpd
 deny tcp any any eq uucp
 deny tcp any any eq 2000
 deny udp any any eq 2000
 deny tcp any any eq 2049
 deny udp any any eq 2049
 deny tcp any any range 6000 6255
 deny udp any any range 6000 6255
 deny tcp any any eq ftp
 deny tcp any any eq telnet
 deny tcp any any eq 37
 deny udp any any eq time
 deny tcp any any eq finger
 deny tcp any any range pop2 pop3
 deny tcp any any eq nntp
 deny tcp any any eq 135
 deny udp any any eq 135
 deny udp any any range netbios-ns netbios-dgm
 deny tcp any any eq 139
 deny tcp any any eq 143
 deny tcp any any eq bgp
 deny tcp any any eq 445
 deny udp any any eq 445
 deny udp any any eq syslog
 deny tcp any any eq 1080
 deny tcp any any eq 2001
 deny tcp any any eq 4001
 deny tcp any any eq 4045
 deny udp any any eq 4045
 deny tcp any any eq 6001
 deny tcp any any eq 8000
 deny tcp any any eq 8080
 deny tcp any any eq 8888

I have tried removing the first line in the ACL and the last three, since those are the high HTTP ports and the DNS zone-transfer port. However, whenever I apply this ACL on the interface going to the Smoothwall (which eventually leads to the internet), I find myself unable to reach the internet, or even to use ICMP to contact the interfaces on the Smoothwall or the internet itself (e.g. www.google.nl).

I'd like to note that the internet works just fine without the ACL configured, and everything else in our setup works as well, even the VPN. So here I am wondering: what is this newbie doing wrong?

If anyone could help me with this issue, I will be grateful. I am quite inexperienced when it comes to configuring something for real; mostly I have experience with Cisco Packet Tracer.

Greetings,

Robert-Bas

PS: If any info is missing or this issue is unclear, don't hesitate to ask for more.

1 Reply

becos
Level 1

ACLs in Cisco have an implicit deny any any at the end, so your ACL denies specific ports and then at the end denies everything else. You should add a permit ip any any at the end to explicitly permit all other traffic not denied by the previous statements.
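Added example, not code from the original post or the reply: the posted ACL with the explicit permit the reply describes, applied outbound on the interface of router 2 that faces the Smoothwall, followed by the commands used to check it. The interface name FastEthernet0/1 and the direction out are assumptions; use whichever interface on router 2 actually connects to the Smoothwall.

```cisco
! Added example: PORTBLOCK as posted, plus an explicit permit at the end.
! Interface name and direction are assumptions for illustration.
ip access-list extended PORTBLOCK
 deny tcp any any eq domain
 deny udp any any eq tftp
 deny tcp any any eq 87
 deny tcp any any eq sunrpc
 deny udp any any eq sunrpc
 deny tcp any any eq exec login cmd lpd
 deny tcp any any eq uucp
 deny tcp any any eq 2000
 deny udp any any eq 2000
 deny tcp any any eq 2049
 deny udp any any eq 2049
 deny tcp any any range 6000 6255
 deny udp any any range 6000 6255
 deny tcp any any eq ftp
 deny tcp any any eq telnet
 deny tcp any any eq 37
 deny udp any any eq time
 deny tcp any any eq finger
 deny tcp any any range pop2 pop3
 deny tcp any any eq nntp
 deny tcp any any eq 135
 deny udp any any eq 135
 deny udp any any range netbios-ns netbios-dgm
 deny tcp any any eq 139
 deny tcp any any eq 143
 deny tcp any any eq bgp
 deny tcp any any eq 445
 deny udp any any eq 445
 deny udp any any eq syslog
 deny tcp any any eq 1080
 deny tcp any any eq 2001
 deny tcp any any eq 4001
 deny tcp any any eq 4045
 deny udp any any eq 4045
 deny tcp any any eq 6001
 deny tcp any any eq 8000
 deny tcp any any eq 8080
 deny tcp any any eq 8888
 ! Every IOS ACL ends with an invisible "deny ip any any". Without the
 ! line below, any packet that none of the deny entries matched (HTTP,
 ! HTTPS, UDP DNS, ICMP, ...) falls through to that implicit deny, which
 ! is exactly the "everything is blocked" symptom in the post.
 permit ip any any
!
! Assumed interface: the one on router 2 that faces the Smoothwall.
interface FastEthernet0/1
 description Link to Smoothwall (assumed name)
 ip access-group PORTBLOCK out
!
! Checks after applying it:
!   show ip access-lists PORTBLOCK   - match counter per entry
!   show ip interface FastEthernet0/1 | include access list
!     (confirms which ACL is bound and in which direction)
```

Two things worth knowing while troubleshooting. First, show ip access-lists only counts matches on entries that exist in the list; the implicit deny has no entry, so it never shows a counter and never logs. If you want to see what it is silently dropping, add deny ip any any log as the last entry temporarily and watch the console or syslog, then replace it with the permit once you are satisfied. Second, deny tcp any any eq <port> matches the destination port only, so applied outbound towards the Smoothwall this list stops hosts behind router 2 from connecting to those ports on the internet side; it does nothing about inbound connections towards services on your own VLANs, which would need a separate ACL in the in direction on the same interface. A permit ip any any tail turns the list into a blocklist; for a hardening exercise, an explicit list of permitted destination ports followed by the implicit deny is the stronger posture, but it only works if every protocol the VLANs rely on is permitted first.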