05-28-2003 07:52 AM - edited 02-20-2020 09:21 PM
Ok, here's what I set my access-list at:
deny ip host 207.134.171.15 host xx.xx.xx.xx
deny udp any eq ntp any
deny tcp any eq 1755 any
permit icmp any any echo-reply
permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
permit tcp any host xx.xxx.xxx.xx eq smtp
I then applied it to my company's internet connection with:
ip access-group 103 in
I then did a sh access-list and received the following:
Extended IP access list 103
permit tcp host 209.247.88.182 eq www host xx.xxx.xxx.xx eq 1033 (4 matches)
permit tcp host 62.161.94.166 eq www host xx.xxx.xxx.xx eq 1125 (3 matches)
permit tcp host 65.197.236.62 eq www host xx.xxx.xxx.xx eq 1328 (7 matches)
permit tcp host 165.254.12.102 eq www host xx.xxx.xxx.xx eq 1139 (6 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2076 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2069 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2068 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1955 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1184 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1143 (43 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2058 (10 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2052 (10 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1623 (10 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1228 (10 matches)
permit tcp host 193.201.103.91 eq www host xx.xxx.xxx.xx eq 1122 (6 matches)
permit tcp host 38.117.132.102 eq www host xx.xxx.xxx.xx eq 2077 (1 match)
deny ip host 207.134.171.15 host xx.xxx.xxx.xx
deny udp any eq ntp any
deny tcp any eq 1755 any (14 matches)
permit icmp any any echo-reply
permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
permit tcp any host xx.xxx.xxx.xx eq smtp
Can anyone tell me why all of those extra entries input themselves at the beginning of my access-list? Also, I tried clearing out the extra entries by removing the access-list and then recreating it, but it keeps all the entries and those entries override any additional changes I make to the access-list, as they are at the top. I had to change the access-list number in order for a couple of the rules to take effect. Thanks in advance.
Joe
05-28-2003 08:16 AM
What shows up if you do a 'show run'? Is there a management station that could be throwing in these on the fly / rule-based?
Thanks,
yatin
05-28-2003 09:39 AM
Lemme preface this by saying that I inherited this router from the previous Admin at my company. Here is the int for the fastethernet0/0.10:
interface FastEthernet0/0.10
description DSL to Internet
encapsulation isl 10
ip address 63.224.231.65 255.255.255.248
ip access-group 103 in
no ip redirects
ip nat outside
ip inspect OUT out
ip audit TEST in
I suspect that the ip inspect out out or the ip audit test in are to blame. I will remove each one and see....
05-28-2003 10:10 AM
Hi,
Any extra lines above the lines you have created in your ACL are created by the CBAC (ip inspect OUT out line under the interface). Most likely this is how it is intended to be set up. Once you apply CBAC on the router, that is "ip inspect OUT out" on the interface, it will create the dynamic holes by appending the ACL lines on top of your existing extended ACL. This is exactly what is happening in your case. If you remove the line "ip inspect OUT out", you may experience communication from inside to outside, as return traffic would be blocked from outside. So, either you have to leave the CBAC on or you need to allow the return traffic from outside to inside. Please let me know if this is clear. Thanks,
Mynul
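As an added illustration of Mynul's explanation (not code from this thread or from Cisco), a Python script that tells the CBAC-inserted entries apart from the configured ones by diffing "show run" against "show access-list", which is exactly the check yatin asked for. The two outputs below are constructed samples modelled on Joe's ACL; the hit-counter and entry formats are assumed to follow the IOS output quoted in the thread.

```python
import re
# Constructed sample (not from a real device): access-list 103 as "show run"
# prints it, i.e. only the entries the operator wrote.
RUNNING_CONFIG = """\
access-list 103 deny ip host 207.134.171.15 host xx.xxx.xxx.xx
access-list 103 deny tcp any eq 1755 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any host xx.xxx.xxx.xx eq smtp
"""
# Constructed sample of "show access-list 103": CBAC return-traffic entries
# sit above the configured ones, each with a hit counter appended.
SHOW_ACCESS_LIST = """\
Extended IP access list 103
    permit tcp host 209.247.88.182 eq www host xx.xxx.xxx.xx eq 1033 (4 matches)
    permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1143 (43 matches)
    deny ip host 207.134.171.15 host xx.xxx.xxx.xx
    deny tcp any eq 1755 any (14 matches)
    permit icmp any any echo-reply
    permit tcp any host xx.xxx.xxx.xx eq smtp
"""
MATCH_COUNTER = re.compile(r"\s*\(\d+ match(?:es)?\)$")
# Shape of a CBAC entry: outside server/port -> inside host/ephemeral port.
DYNAMIC_ENTRY = re.compile(r"^permit (tcp|udp) host (\S+) eq (\S+) host (\S+) eq (\d+)$")

def configured_entries(running_config, acl_number):
    """Entries the operator actually wrote, taken from 'show run'."""
    prefix = f"access-list {acl_number} "
    return [l[len(prefix):].strip() for l in running_config.splitlines()
            if l.startswith(prefix)]

def displayed_entries(show_output):
    """Entries as the router evaluates them, hit counters stripped."""
    lines = [l.strip() for l in show_output.splitlines()[1:] if l.strip()]
    return [MATCH_COUNTER.sub("", l) for l in lines]

def classify_entries(running_config, show_output, acl_number):
    """Split the live ACL into (dynamic, configured), in evaluation order."""
    static = set(configured_entries(running_config, acl_number))
    dynamic, configured = [], []
    for entry in displayed_entries(show_output):
        (configured if entry in static else dynamic).append(entry)
    return dynamic, configured

def describe_dynamic(entry):
    """Read a CBAC entry as the return leg of an inside-initiated session."""
    m = DYNAMIC_ENTRY.match(entry)
    if not m: return None
    proto, out_host, out_port, in_host, in_port = m.groups()
    return {"proto": proto, "outside": f"{out_host}:{out_port}",
            "inside": f"{in_host}:{in_port}"}
```

Anything reported as dynamic is state CBAC opened for a session that started from the inside, so it is expected to vanish on its own rather than something to remove from the ACL.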