07-13-2016 03:04 PM - edited 03-07-2019 12:12 AM
I'm having trouble understanding access-lists. I know you want to put an extended one closest to the source, and a standard one closest to the destination. However, I am confused about what is stopping my traffic from reaching the internet. For my access-list, I have to have "permit ip any any" to be able to reach anything. When I tried to narrow it down to just a specific subnet, I lose all internet connectivity.
Here's an example of an access-list I was trying to implement. (And maybe I shouldn't be placing it here?)
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 remark **Deny Telnet**
Should my NAT access-list be different from another access-list? Because I want to block any traffic outside of G0/0 that tries to use those ports anyway. Any insight on a fix and/or knowledge about what I am doing wrong with access-lists is greatly appreciated. Thank you.
07-13-2016 04:15 PM
Hi,
Your nat access list should only be used to control nat. Use another access list to control traffic. Your access list 100 should be used to control traffic on your network. I am guessing you are applying access list 100 on the inside interface of your router. Create another access list for nat and use that in the nat statement. Your nat access list should only contain the traffic to be translated. The nat access list should not contain log statements.
e.g. nat access list
access-list 10 permit 192.168.0.0 0.0.255.255
thanks
John
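To make the point above concrete, here is an added illustration that is not from the thread: a constructed, hypothetical version of the original poster's single list 100 doing both jobs (the real list was cut off above the remark line), beside the split John recommends. Under IOS NAT only packets that match a permit entry in the NAT list are translated; a packet that hits a deny, or falls off the end of the list, is sent out untranslated with its private source address and never gets a reply, which is exactly the "no internet unless permit ip any any" symptom. Interface Gi0/1 as the LAN side and the ACEs themselves are assumptions for the example.

```cisco
! --- WRONG (constructed example): one list used for NAT selection and filtering ---
! Only the permit lines decide what is translated. The deny lines block nothing
! here; they just exclude that traffic from NAT, and the log keyword is not
! supported in a list used for NAT.
access-list 100 remark **Deny Telnet**
access-list 100 deny   tcp 192.168.0.0 0.0.255.255 any eq 23 log
access-list 100 deny   tcp 192.168.0.0 0.0.255.255 any eq 21 log
access-list 100 permit tcp 192.168.0.0 0.0.255.255 any eq 80
! Implicit "deny ip any any" at the end: only port 80 is translated, so DNS,
! HTTPS, ping and everything else from the LAN leaves with a private source.
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
! --- RIGHT: one list per job ---
! NAT list: just the inside networks to translate. No deny, no log.
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! Filtering list, applied inbound on the LAN interface (closest to the source).
! Denied traffic is dropped before NAT is ever consulted.
ip access-list extended LAN-IN
 remark **Deny Telnet and FTP from the LAN**
 deny   tcp 192.168.0.0 0.0.255.255 any eq 23 log
 deny   tcp 192.168.0.0 0.0.255.255 any eq 21 log
 permit ip 192.168.0.0 0.0.255.255 any
!
interface GigabitEthernet0/1
 description LAN (assumed inside interface)
 ip nat inside
 ip access-group LAN-IN in
!
interface GigabitEthernet0/0
 description INTERNET
 ip nat outside
```

With the split in place, "show ip nat translations" should show entries for every inside host that talks to the internet, while "show access-lists LAN-IN" shows the deny counters climbing only for the blocked ports.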
07-13-2016 04:19 PM
John,
Thanks for the insight on that. I was wondering if applying it to the ip nat statement was causing an issue, and it seems to be so. So, if I just change my access-list above to 101 and put it on interface G0/0, facing the internet, would it need to be inbound then? Here's where I have an issue when placing it on an interface.
07-13-2016 04:38 PM
Hi,
Your access list above is not good for the Internet. It would not work if applied on the Internet facing interface in the in direction because the source ip addresses would be wrong. The access list you apply to the Internet facing interface should only allow services you need into your network and block all other traffic.
What traffic do you need to allow into your network? First create access list 101 with deny any and apply it to the Internet facing interface, and then open services as required.
e.g.
ip access-list extended 101
deny ip any any
interface gi0/0
description INTERNET
ip access-group 101 in
thanks
John
07-13-2016 04:45 PM
At the current moment, I only need SSH, TFTP, HTTP/HTTPS, SMTP, and a couple of ports in the 6000 range. I am fine with leaving the permit ip 192.168.0.0 0.0.255.255 any out, if I can get only the ports I need to pass through the network.
07-13-2016 05:56 PM
Okay, first you need to ensure nat is configured correctly for Internet access and you have secured your router from external access. The following is a sample config for nat and a CBAC firewall. Once the nat and firewall config is working, then open ports into your network. Let me know if you have questions on this config.
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface gigabitEthernet 0/0 overload
ip access-list extended 101
deny ip any any
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp
interface GigabitEthernet0/0
ip access-group 101 in
ip inspect fw out
Thanks
John
07-14-2016 07:39 AM
John,
I have a question about the ip inspect name. What exactly is it doing? I have never worked with an access-list with them before.
Both the inspect and the access-list work, I'd just like to try to understand the inspect portion. Thank you.
07-14-2016 04:27 PM
Hi,
The ip inspect implements Cisco's context-based access control firewall (CBAC). Basically CBAC inspects traffic out of your interface Gi0/0 and records these sessions in a session table. When return traffic comes back from the Internet, CBAC checks the session table and if there is a matching outbound session for this return traffic, CBAC allows the traffic in. If there is no match, the traffic is not allowed in. Think of CBAC as a firewall for your router. You can read more on CBAC at the following links:
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_cfg_content_ac.html
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html
Thanks
John
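The accepted config above stops at "deny ip any any" and leaves the "then open services as required" step to the reader. As an added example that is not John's config or the original poster's, here is that step carried through for the services the poster listed (SSH, HTTP/HTTPS, SMTP, TFTP), on top of the same NAT and CBAC lines. The inside host addresses, the outside address 203.0.113.2, Gi0/1 as the LAN interface and port 6001 (standing in for "a couple of ports in the 6000 range") are placeholders. Two details the thread only implies: with PAT on Gi0/0, a connection started from the Internet needs a static port mapping to reach an inside host, and the inbound ACL on Gi0/0 is evaluated before that translation, so its destination is the outside address, not the inside host. Every permit sits above the final deny, and since CBAC opens temporary holes for sessions started from the LAN, the ACL only needs entries for connections that start on the Internet side.

```cisco
! NAT: translate the LAN behind the outside interface (as in the accepted solution)
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! Static port mappings so Internet-initiated connections reach inside hosts.
! Inside host addresses are placeholders; one mapping per exposed service.
ip nat inside source static tcp 192.168.1.10 22   interface GigabitEthernet0/0 22
ip nat inside source static tcp 192.168.1.20 80   interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.1.20 443  interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.1.30 25   interface GigabitEthernet0/0 25
ip nat inside source static udp 192.168.1.40 69   interface GigabitEthernet0/0 69
ip nat inside source static tcp 192.168.1.50 6001 interface GigabitEthernet0/0 6001
!
! Inbound filter on the Internet side. Checked before NAT, so match the outside
! address (placeholder 203.0.113.2). Permits go above the deny; the deny logs
! what it drops so unsolicited traffic shows up in the log.
ip access-list extended 101
 remark Services opened from the Internet; everything else is dropped
 permit tcp any host 203.0.113.2 eq 22
 permit tcp any host 203.0.113.2 eq 80
 permit tcp any host 203.0.113.2 eq 443
 permit tcp any host 203.0.113.2 eq 25
 permit udp any host 203.0.113.2 eq 69
 permit tcp any host 203.0.113.2 eq 6001
 deny   ip any any log
!
! CBAC: record LAN-initiated sessions leaving Gi0/0 and let only their return
! traffic back in, ahead of list 101. UDP inspection also carries the TFTP
! data transfer, which the server moves to a new port after the request.
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp
!
interface GigabitEthernet0/0
 description INTERNET
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group 101 in
 ip inspect fw out
!
interface GigabitEthernet0/1
 description LAN (assumed inside interface)
 ip nat inside
```

To confirm the behaviour John describes, browse out from a LAN host and then look at "show ip inspect sessions": the outbound connection appears as a session, and its reply traffic is accepted even though list 101 contains no permit for it. "show access-lists 101" shows the deny counter moving only for traffic that did not originate inside.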
