07-26-2008 04:58 AM - edited 03-03-2019 10:54 PM
Please can someone help. All traffic seems to be blocked when using this config. It seems that outbound traffic is blocked or that all inbound traffic is blocked. I'm not really sure. Can someone tell me why?
Router#sh run
Building configuration...
Current configuration : 2627 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1xxxxxxxxxx!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 194.x.x.68
ip name-server 194.x.x.69
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode itu-dmt
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip access-group 101 in
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1380
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.5.0 255.255.255.0 192.168.0.2
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static udp 192.168.0.5 2000 interface Dialer0 2000
ip nat inside source static tcp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static udp 192.168.0.5 2002 interface Dialer0 2002
ip nat inside source static tcp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static udp 192.168.0.5 2003 interface Dialer0 2003
ip nat inside source static tcp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static udp 192.168.0.5 2006 interface Dialer0 2006
ip nat inside source static tcp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static udp 192.168.0.5 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.5 5900 interface Dialer0 5900
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp any 192.168.0.0 0.0.0.255 established
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0
password xxxxxxx
login
line vty 1 4
login
!
scheduler max-task-time 5000
end
07-26-2008 05:34 AM
This looks like an internet connection.
The ACL 101 will block all UDP, including DNS traffic. This might be a problem.
Otherwise, try the config without ACL 101 and verify that it works. You can secure things up from there.
regards,
Leo
07-26-2008 05:55 AM
Yes, it works without the list. Will all inbound traffic from the internet be denied apart from the NAT inside source rules I've created? And will those rules still work?
07-26-2008 12:14 PM
Inbound there will be allowed only packets with a destination port of 5900 and anything with the ACK bit turned on in the TCP header (outbound response packets). You should add the ports and IP addresses you have statically NAT'd.
e.g.: access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any any eq 3001
Don't forget permit udp any eq domain any
etc.
Without an ACL on the outside, the router itself could be subject to DoS or hacking. I would at least put an ACL on the vty lines to prevent the outside from accessing the router.
07-26-2008 01:06 PM
OK, but when I add ip access-group 101 in to the Dialer0 interface, all traffic is blocked, so what is the point?
07-26-2008 10:55 PM
Hi
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp any 192.168.0.0 0.0.0.255 established
With the above access-list you are allowing any traffic with a source of any to port 5900,
and with the second line you are allowing traffic with any source to 192.168.0.0.
The rest of the traffic is denied, as the access-list has an implicit deny statement at the end; due to this you are not able to access anything except the entries permitted in the ACL.
Thanks
Mahmood
07-27-2008 12:28 AM
And I don't need to use the access-group command on an interface?
07-27-2008 04:56 AM
No, that doesn't work either. Does anyone know how to resolve this issue?
07-27-2008 08:22 AM
You have 2 issues with the access list. The first is that you have only done a single port even though you have defined multiple NAT entries. If you want those NAT entries to ever work, you need to put in a corresponding access list.
Your second issue is much harder. The access list is done before the NAT, so your destination address has not been translated to the 192.168.x.x addresses yet, so this line in effect blocks everything.
You really don't need an access list when you run NAT, other than maybe to protect the router itself.
The main difference is that an access list drops the traffic because you told it to. NAT will cause a drop because it does not know who to send the packet to if there is no translation in the table. An access list is better, but you will get the same results.
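Putting the advice of the last three replies together: an inbound ACL on Dialer0 is evaluated before the static NAT entries rewrite the destination, so every permit must be written against the untranslated packet (public destination address, the real service port), and the `permit tcp any 192.168.0.0 0.0.0.255 established` line can never match. The fragment below is an added example, not a configuration posted in this thread. It assumes the PPP-negotiated address on Dialer0 can change (hence the destination `any`), and uses `203.0.113.10` as a placeholder for a known remote site that is allowed to reach RDP; replace it with `any` if that address is not known.

```cisco
! Rebuild ACL 101 against PRE-translation addresses: on the outside interface
! the inbound ACL runs before static NAT, so the destination is still the
! public (negotiated) address, not 192.168.0.x.
no access-list 101
access-list 101 remark --- services published with static NAT (pre-NAT view) ---
access-list 101 permit tcp any any eq 2000
access-list 101 permit udp any any eq 2000
access-list 101 permit tcp any any eq 2002
access-list 101 permit udp any any eq 2002
access-list 101 permit tcp any any eq 2003
access-list 101 permit udp any any eq 2003
access-list 101 permit tcp any any eq 2006
access-list 101 permit udp any any eq 2006
access-list 101 permit tcp any any eq 3001
access-list 101 permit udp any any eq 3001
access-list 101 permit tcp any any eq 5900
access-list 101 remark RDP: placeholder source 203.0.113.10, use "any" if the peer is unknown
access-list 101 permit tcp host 203.0.113.10 any eq 3389
access-list 101 remark --- return traffic for sessions opened from the LAN ---
access-list 101 permit tcp any any established
access-list 101 remark DNS answers to the router's own forwarder and to LAN clients
access-list 101 permit udp any eq domain any
access-list 101 remark ICMP needed for path MTU discovery (ip mtu 1492) and traceroute
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 remark everything else falls to the implicit deny
!
interface Dialer0
 ip access-group 101 in
!
! Keep management off the Internet: only the 192.168.0.0/24 LAN may open a vty.
access-list 10 permit 192.168.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
```

After applying it, `show access-lists 101` shows per-line hit counters, which is the quickest way to confirm that inbound connections to the published ports are matching the new permits rather than the implicit deny, and `show ip nat translations` confirms the static entries are being used. Two limits of this approach are worth knowing: `established` only checks the ACK/RST flags and `permit udp any eq domain any` admits any UDP packet whose source port is 53, so neither is stateful; if this IOS image carries the firewall feature set, `ip inspect` (CBAC) on Dialer0 tracks outbound sessions properly and lets the return-traffic lines above be dropped.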