access-list on dialer interface question

bvdijk
Level 1

Cisco 887VA, IOS 15.2(4)M2

ADSL 20/1 Mb/s

WAN: Fixed IP

LAN: 10.1.0.0 /16

Connection is up and running without any access-lists blocking/allowing traffic.

I'd like to modify the config, so it allows users only to http/https and domain, which works by attaching this access-list:

ip access-list extended inet
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443

to the Dialer0 interface:

ip access-group test inet

Now, I actually would like to also allow everything for one specific internal host, e.g. 10.1.10.1.

Adding permit ip host 10.1.10.1 any to the access-list is not going to work. How should this be done? Thanks in advance!

Here are the important parts of my config:

interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Vlan1
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip access-group test inet
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username <my username> password 0 <my password>
 no cdp enable
!
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended inet
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
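As an added example (not from the original post or any of the replies), here is one way to get the per-host exemption with a plain ACL. The list on Dialer0 is evaluated outbound after NAT, so by then the source address is already the public IP and a permit for host 10.1.10.1 can never match; applying the list inbound on Vlan1 instead evaluates it against the real LAN addresses. The list name lan-in is assumed; the interface names and addresses are those from the posted config.

```cisco
! Added example, not from the original post. Assumes the poster's addressing.
! Inbound on Vlan1 the packets still carry their LAN source, so a host entry
! can match. Entries are evaluated top-down, first match wins, so the exempt
! host must come before the restricted entries.
ip access-list extended lan-in
 remark --- full access for the one exempt host ---
 permit ip host 10.1.10.1 any
 remark --- everyone else on 10.1.0.0/16: DNS and web only ---
 permit udp 10.1.0.0 0.0.255.255 any eq domain
 permit tcp 10.1.0.0 0.0.255.255 any eq domain
 permit tcp 10.1.0.0 0.0.255.255 any eq www
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
 remark "any" above also covers the router's own 10.1.0.1, so LAN access to
 remark other router services (e.g. ssh) needs its own permit here.
 remark explicit deny with log replaces the silent implicit deny while testing
 deny ip any any log
!
interface Vlan1
 ip access-group lan-in in
!
! Remove the old list from Dialer0 once lan-in is in place, so outbound
! traffic is filtered in exactly one spot. Return traffic from the Internet
! enters on Dialer0 and is not affected by an inbound list on Vlan1.
```

Verify with show ip access-lists lan-in, whose per-entry hit counters show which line each flow matched, and with show logging for the denied entries.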

Accepted Solution

Liam Kenneally
Level 1

Hi,

I notice you are configuring this on a C887. Therefore I would recommend using CCP (Cisco Configuration Professional); the express edition is installed on your router, or you can download the full edition if you have access from your CCO.

Anyway... I would use the CCP to configure ZBF (Zone Based Firewall). This will lock down your router and does an extremely good job at it. You simply define your inside (LAN) and outside (WAN), then next, next, Finish!

Now a quick side note: if this "host 10.1.10.1" is going to be accessed from the outside interface, I would place this in a DMZ. Again, the GUI will walk you through this; just ensure that specific host is plugged into the port you assign to the DMZ. Additionally, if you are running a specific application on the host, e.g. it's an FTP/HTTP server, I would then use an access list on that specific port to only allow FTP/HTTP traffic.

The great advantage of doing the above is that the router will inspect traffic leaving your router's outside interface and allow return traffic. However, if outside traffic tries to initiate a connection with the router it will be dropped. If the outside initiates a connection with 10.1.10.1 it will be allowed, assuming correct config/NAT etc. Finally, you will have to allow the inside hosts access to the DMZ; I believe this will be denied by default.

P.S. If this is a home router, be careful with how thoroughly you set the ZBF to inspect the traffic, as it will deny common applications like Yahoo and MSN servers to block instant messengers. I personally have mine set to "medium" via the GUI and I have not had an issue yet.

HTH

Kind Regards,

Liam


3 Replies

Thanks, I've used CCP before but was not too familiar with the product.

Anyway, I've installed it on Windows 8 (needed some tweaks: run as admin and press F12 to switch to compatibility mode).

So, I did a write erase and a reload, then some basic config so I could connect to the router with CCP.

From there I configured everything using wizards: my DSL connection, the NAT setup and the firewall. A little bit more tweaking and everything is working as I wanted. So thanks for pointing me to the wizards.

All the best,

Barry

No problem at all. Glad all is running as you wanted.

A tip on CCP is that if you go into the settings somewhere you can actually set an option to preview commands before you write them to the device. I find this an invaluable learning tool.

For example, for VPN configuration, choose all your settings, then you can preview the CLI before you apply it. I copy this to Notepad and then like to go to the CLI and configure it step by step using context-sensitive help.

HTH

Kind Regards,

Liam
