Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
6590
Views
0
Helpful
7
Replies

Access-list blocking internet connection?

Go to solution
Shawnw4401
Level 1
Level 1

‎07-13-2016 03:04 PM - edited ‎03-07-2019 12:12 AM

I'm have a trouble understanding access-list. I know extended you want to put closest to the source, and standard closest to the destination. However, I am confused on what is stopping my traffic from reaching the internet. For my access-list, I have to have "permit ip any any" to be able to reach anything. When I tried to narrow it down to just a specific subnet, I lose all internet connectivity. 

Here's an example of an access-list I was trying to implement. (And maybe I shouldn't be placing it here?)

ip nat inside source list 100 interface GigabitEthernet0/0 overload

Access-list 100 Remark **Deny Telnet**
Access-list 100 deny tcp any any eq telnet log
Access-list 100 Remark **Allow SSH**
Access-list 100 permit tcp 192.168.52.0 0.0.0.7 any eq 22 log
Access-list 100 permit tcp host 192.168.0.1 any eq 22 log
Access-list 100 permit tcp host 192.168.0.5 any eq 22 log
Access-list 100 permit tcp host 192.168.0.6 any eq 22 log
Access-list 100 deny tcp any any eq 22 log
Access-list 100 Remark **Allow TFTP/FTP for LAN and denies rest**
Access-list 100 permit tcp 192.168.0.0 0.0.0.3 any range 20 21 log
Access-list 100 permit tcp 192.168.0.4 0.0.0.3 any range 20 21 log
Access-list 100 permit tcp 192.168.52.0 0.0.0.7 any range 20 21 log
Access-list 100 deny tcp any any range 20 21 log
Access-list 100 Remark **Deny all ICMP traffic**
Access-list 100 permit icmp host 192.168.0.1 any log
Access-list 100 permit icmp host 192.168.0.2 any log
Access-list 100 permit icmp host 192.168.0.6 any log
Access-list 100 permit icmp 192.168.52.0 0.0.0.7 any log
Access-list 100 deny icmp any any log
Access-list 100 Remark **Opens all ports for LAN connection and denies rest**
Access-list 100 permit ip 192.168.52.0 0.0.0.7 any log
Access-list 100 permit ip 192.168.94.32 0.0.0.18 any log
Access-list 100 permit ip 192.168.0.0 0.0.0.3 any log
Access-list 100 permit ip 192.168.0.4 0.0.0.3 any log
Access-list 100 deny ip any any log

Should my NAT access-list be different from another access-list? Because I want to block any traffic outside of G0/0 that tries to use those ports anyways. Any insight on a fix and/or knowledge about what I am doing wrong with access-list is greatly appreciated. Thank you.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
johnd2310
Level 8
Level 8
In response to Shawnw4401

‎07-13-2016 05:56 PM

Okay, first you need to ensure nat is configured correctly for Internet access and you have secured your router from external access. The following is a sample config for nat  and cbac firewall. Once the nat and firewall config is working, then open ports into your network.Let  me know if you have questions on this config

access-list 10 permit 192.168.0.0 0.0.255.255

ip nat inside source list 10 interface gigabitEthernet 0/0 overload

ip access-list extended 101
deny ip any any

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp

interface GigabitEthernet0/0
ip access-group 101 in
ip inspect fw out

Thanks

John

**Please rate posts you find helpful**

View solution in original post

0 Helpful
7 Replies 7

Go to solution
johnd2310
Level 8
Level 8

‎07-13-2016 04:15 PM

Hi,

Your nat access list should only be use to control nat. Use another access list to control traffic. Your access list 100 should be used to control traffic on your network. I am guessing you are apply access list 100 on the inside interface of your router. Create another access list nat and use that in the nat statement.Your nat access list should only contain the traffic to be translated. The nat access list should not contain log statements.

e,g nat access list

access-list 10 permit 192.168.0.0 0.0.255.255

thanks

John

**Please rate posts you find helpful**
0 Helpful

Go to solution
Shawnw4401
Level 1
Level 1
In response to johnd2310

‎07-13-2016 04:19 PM

John, 

 

Thanks for insight on that. I was wondering if applying it to the ip nat statement was causing an issue, and it seems to be so. So, if I just change it my access-list I have above to 101 and put on interface G0/0, facing the internet, would it need to be inbound then? Here's where I have an issue at when placing on an interface. 

0 Helpful

Go to solution
johnd2310
Level 8
Level 8
In response to Shawnw4401

‎07-13-2016 04:38 PM

Hi,

You access list above is not good for the Internet. It would not work if applied on the Internet facing interface in the in direction because the source ip addresses would be wrong.The access list you apply to the Internet facing interface should only allow services you need into you network and block all other traffic.

What traffic do you need to allow into your network? First create access list 101 with deny any and apply to the Internet facing interface and then open services as required.

e.g 

ip access-list extended 101

 deny ip any any


interface gi0/0
description INTERNET
ip access-group 101 in

 thanks

John

**Please rate posts you find helpful**
0 Helpful

Go to solution
Shawnw4401
Level 1
Level 1
In response to johnd2310

‎07-13-2016 04:45 PM

At the current moment, I only need SSH, TFTP, HTTP/HTTPS, SMTP, and a couple of ports in the 6000. I am fine with leaving the permit ip 192.168.0.0. 0.0.255.255 any out, if I can get only the ports I need to pass through network. 

0 Helpful

Go to solution
johnd2310
Level 8
Level 8
In response to Shawnw4401

‎07-13-2016 05:56 PM

Okay, first you need to ensure nat is configured correctly for Internet access and you have secured your router from external access. The following is a sample config for nat  and cbac firewall. Once the nat and firewall config is working, then open ports into your network.Let  me know if you have questions on this config

access-list 10 permit 192.168.0.0 0.0.255.255

ip nat inside source list 10 interface gigabitEthernet 0/0 overload

ip access-list extended 101
deny ip any any

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp

interface GigabitEthernet0/0
ip access-group 101 in
ip inspect fw out

Thanks

John

**Please rate posts you find helpful**
0 Helpful

Go to solution
Shawnw4401
Level 1
Level 1
In response to johnd2310

‎07-14-2016 07:39 AM

John, 

I have a question about the ip inspect name. What exactly is it doing? Never worked with an access-list with them before.

Both the inspect and access-list works, I'd just like to try to understand the inspect portion. Thank you.

0 Helpful

Go to solution
johnd2310
Level 8
Level 8
In response to Shawnw4401

‎07-14-2016 04:27 PM

Hi,

The ip inspect implements cisco's context-based access control firewall(CBAC). Basically CBAC inspects traffic out of your interface Gi0/0 and records these sessions in a session table. When return traffic comes back from the Internet, CBAC checks the session table and if there is a matching outbound session for this return traffic, CBAC allows the traffic in. If there is not match, the traffic is not allowed in. Think of CBAC as a firewall for your router. You can read more on CBAC on the following links:

http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_cfg_content_ac.html

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html

Thanks

John

**Please rate posts you find helpful**
0 Helpful
Top