12-18-2015 03:21 PM - edited 03-05-2019 02:58 AM
Hello;
I need some help on securing certain ports in/out of my network.
So I tried and tried and tried different configurations and different scenarios as far as my access-list to allow only certain ports in and out.
What I would like to do on my outside interface is have only ports 7, 53, 80, 443, and 8080 allowed; whereas on my inside internal interface I would like to have ports 7, 21, 22, 23, 25, 53, 67, 80, 110, 123, 443, 1500, 1501, and 8080 (and 123); yes, I know ports by the back of my head and these are the only ports I want to be allowed inside my interface so all my computers/servers can talk/share/ping/ftp etc. etc. to each other.
Any ideas that could help??
12-18-2015 05:10 PM
Share your configuration
12-18-2015 05:14 PM
Building configuration...
Current configuration : 2607 bytes
!
! Last configuration change at 02:08:45 UTC Sat Dec 19 2015 by JJ
! NVRAM config last updated at 02:01:35 UTC Sat Dec 19 2015 by JJ
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
no aaa new-model
!
resource policy
!
clock calendar-valid
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.3 10.10.0.99
ip dhcp excluded-address 10.10.0.150 10.10.0.255
!
ip dhcp pool R_POOL
import all
network 10.10.0.0 255.255.255.0
update dns
default-router 10.10.0.1
dns-server 192.168.0.1 8.8.8.8 8.8.4.4 4.2.2.4
domain-name R.com
update arp
!
!
ip domain name T-Net.com
ip ssh version 2
!
interface FastEthernet0
description OUT
ip address 192.168.0.X 255.255.255.0
ip access-group filter-inbond in
ip access-group filter-outbond out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet1
description LAN
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 10.10.0.0 0.0.255.255
12-18-2015 05:37 PM
That should work
Add these commands to your current configuration.
ip access-list extended filter-inbond
permit udp any eq domain any
permit icmp any any echo-reply
evaluate CHECK-TRAFFIC
deny ip any any
ip access-list extended filter-outbond
permit tcp any any eq www reflect CHECK-TRAFFIC
permit tcp any any eq 443 reflect CHECK-TRAFFIC
permit tcp any any eq 8080 reflect CHECK-TRAFFIC
permit udp any any eq domain
permit icmp any any echo
deny ip any any
Try ping and browse some sites.
Then copy the entire configuration and post it. Also post the output of this command:
show access-lists
12-18-2015 05:37 PM
OK; when I try to access websites like google, yahoo, wellsfargo, ebay I still get "This page can’t be displayed".
I can ping:
R1#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/32 ms
R1#ping 8.8.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
R1#ping 4.2.2.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/31/40 ms
show access-lists
Standard IP access list 50
10 permit 10.10.0.0, wildcard bits 0.0.255.255 (14866 matches)
Reflexive IP access list CHECK-TRAFFIC
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52451 (89 matches) (time left 248)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52450 (17 matches) (time left 247)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52449 (97 matches) (time left 248)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52448 (91 matches) (time left 248)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52447 (151 matches) (time left 248)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52446 (103 matches) (time left 248)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52445 (79 matches) (time left 247)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52444 (127 matches) (time left 247)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52443 (133 matches) (time left 247)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52442 (127 matches) (time left 247)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52441 (67 matches) (time left 246)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52440 (73 matches) (time left 246)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52439 (109 matches) (time left 246)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52438 (97 matches) (time left 247)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52437 (53 matches) (time left 246)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52436 (109 matches) (time left 246)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52435 (115 matches) (time left 246)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52434 (115 matches) (time left 246)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52433 (17 matches) (time left 246)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52432 (65 matches) (time left 255)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52431 (17 matches) (time left 246)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52430 (47 matches) (time left 246)
permit tcp host 216.58.219.142 eq www host 192.168.0.80 eq 52427 (55 matches) (time left 242)
permit tcp host 72.21.91.8 eq www host 192.168.0.80 eq 52424 (149 matches) (time left 246)
permit tcp host 216.58.219.104 eq www host 192.168.0.80 eq 52407 (277 matches) (time left 229)
Extended IP access list filter-inbond
10 permit udp any any eq domain
20 permit icmp any any echo-reply (105 matches)
30 evaluate CHECK-TRAFFIC
40 deny ip any any (1568 matches)
Extended IP access list filter-outbond
10 permit tcp any any eq www reflect CHECK-TRAFFIC (7950 matches)
20 permit tcp any any eq 443 reflect CHECK-TRAFFIC (211 matches)
30 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
40 permit udp any any eq domain (954 matches)
50 permit icmp any any echo
60 deny ip any any (60 matches)
Current Configuration
R1#s
Building configuration...
Current configuration : 3048 bytes
!
! Last configuration change at 02:31:00 UTC Sat Dec 19 2015 by JJ
! NVRAM config last updated at 02:25:23 UTC Sat Dec 19 2015 by JJ
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
clock calendar-valid
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.3 10.10.0.99
ip dhcp excluded-address 10.10.0.150 10.10.0.255
!
ip dhcp pool R_POOL
import all
network 10.10.0.0 255.255.255.0
update dns
default-router 10.10.0.1
dns-server 192.168.0.1 8.8.8.8 8.8.4.4 4.2.2.4
domain-name R.com
update arp
!
!
ip domain name T-Net.com
ip ssh version 2
!
interface FastEthernet0
description OUT
ip address 192.168.0.80 255.255.255.0
ip access-group filter-inbond in
ip access-group filter-outbond out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet1
description LAN
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
ip access-list extended filter-inbond
permit udp any any eq domain
permit icmp any any echo-reply
evaluate CHECK-TRAFFIC
deny ip any any
ip access-list extended filter-outbond
permit tcp any any eq www reflect CHECK-TRAFFIC
permit tcp any any eq 443 reflect CHECK-TRAFFIC
permit tcp any any eq 8080 reflect CHECK-TRAFFIC
permit udp any any eq domain
permit icmp any any echo
deny ip any any
!
access-list 50 permit 10.10.0.0 0.0.255.255
12-18-2015 05:57 PM
If the result was the same, try this one. Remember to remove them all first. I need to figure out the problem.
ip access-list extended filter-inbond
permit icmp any any echo-reply
evaluate CHECK-TRAFFIC
deny ip any any
ip access-list extended filter-outbond
permit icmp any any echo-reply
permit ip any any reflect CHECK-TRAFFIC
interface FastEthernet0
description OUT
ip access-group filter-inbond in
ip access-group filter-outbond out
12-18-2015 06:22 PM
Let me know if none of those worked and I will give you another configuration. I implemented your scenario myself on a 2800 router. It is working here. I have the same configuration as you have.
12-18-2015 06:24 PM
Remove all and try this one instead. Give me your feedback.
ip access-list extended filter-inbond
permit udp any eq domain any
permit icmp any any echo-reply
evaluate CHECK-TRAFFIC
deny ip any any
ip access-list extended filter-outbond
permit tcp any any eq www reflect CHECK-TRAFFIC
permit tcp any any eq 443 reflect CHECK-TRAFFIC
permit tcp any any eq 8080 reflect CHECK-TRAFFIC
permit udp any any eq domain
permit icmp any any echo
permit ip any any
interface FastEthernet0
description OUT
ip address 192.168.0.X 255.255.255.0
ip access-group filter-inbond in
ip access-group filter-outbond out
12-18-2015 06:24 PM
OK;
So here's what I did for testing: once I had all your configurations in, I tried 4 different websites, still the same error message as stated earlier. Once I started deleting the inbound rules one by one and refreshing my website, still the same error message; but once the inbound rules were empty and clear I was able to see all 4 websites as they were refreshed.
Current configurations
Building configuration...
Current configuration : 2942 bytes
!
! Last configuration change at 03:22:24 UTC Sat Dec 19 2015 by JJ
! NVRAM config last updated at 03:22:25 UTC Sat Dec 19 2015 by JJ
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
clock calendar-valid
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.3 10.10.0.99
ip dhcp excluded-address 10.10.0.150 10.10.0.255
!
ip dhcp pool R_POOL
import all
network 10.10.0.0 255.255.255.0
update dns
default-router 10.10.0.1
dns-server 192.168.0.1 8.8.8.8 8.8.4.4 4.2.2.4
domain-name R.com
update arp
!
!
ip domain name T-Net.com
ip ssh version 2
interface FastEthernet0
description OUT
ip address 192.168.0.80 255.255.255.0
ip access-group filter-inbond in
ip access-group filter-outbond out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet1
description LAN
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
ip access-list extended filter-inbond
ip access-list extended filter-outbond
permit tcp any any eq www reflect CHECK-TRAFFIC
permit tcp any any eq 443 reflect CHECK-TRAFFIC
permit tcp any any eq 8080 reflect CHECK-TRAFFIC
permit udp any any eq domain
permit icmp any any echo
deny ip any any
!
access-list 50 permit 10.10.0.0 0.0.255.255
Extended IP access list filter-inbond
Extended IP access list filter-outbond
10 permit tcp any any eq www reflect CHECK-TRAFFIC (15738 matches)
20 permit tcp any any eq 443 reflect CHECK-TRAFFIC (8433 matches)
30 permit tcp any any eq 8080 reflect CHECK-TRAFFIC
40 permit udp any any eq domain (789 matches)
50 permit icmp any any echo
60 deny ip any any (4 matches)
12-18-2015 06:54 PM
Let me give you another configuration. Forget the other configurations. Try this one. Make sure you remove everything first.
ip access-list extended filter-inbond
permit udp any eq domain any
permit icmp any any echo-reply
permit tcp any eq www any established
permit tcp any eq 443 any established
permit tcp any eq 8080 any established
deny ip any any
ip access-list extended filter-outbond
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
permit udp any any eq domain
permit icmp any any echo
deny ip any any
interface FastEthernet0
description OUT
ip access-group filter-inbond in
ip access-group filter-outbond out
Give your feedback.
12-18-2015 06:54 PM
Nope, it didn't work!!! Once everything was removed and the configuration was added, it didn't work; pages still can't be displayed, even when refreshing or searching misc sites. Once all inbound rules are removed and only the outbound rules are enabled, it works for searching misc sites. I also tried, for testing, these two inbound rules (permit icmp any any echo-reply; permit tcp any eq 8080 any established) on the inbound ACL; still getting page not displayed when searching misc... Maybe the outbound interface is catching packets from the ISP, because I know I don't have any port forwarding enabled on the ISP... idk
12-18-2015 07:13 PM
It is weird. Just try the configuration below one more time and post the output of this command. I have the same configuration here. It is working for me.
ip access-list extended filter-inbond
permit udp any eq domain any
permit icmp any any echo-reply
permit tcp any eq www any established
permit tcp any eq 443 any established
permit tcp any eq 8080 any established
deny ip any any
ip access-list extended filter-outbond
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
permit udp any any eq domain
permit icmp any any echo
deny ip any any
interface FastEthernet0
description OUT
ip access-group filter-inbond in
ip access-group filter-outbond out
show access-list
12-18-2015 07:13 PM
Yes, it is weird; maybe it has something to do with access list 50; idk; strange; still the same error message.
Standard IP access list 50
10 permit 10.10.0.0, wildcard bits 0.0.255.255 (4583 matches)
Extended IP access list filter-inbond
10 permit udp any any eq domain
20 permit icmp any any echo-reply (4 matches)
30 permit tcp any eq www any established (36 matches)
40 permit tcp any eq 443 any established (102 matches)
50 permit tcp any eq 8080 any established
60 deny ip any any (1278 matches)
Extended IP access list filter-outbond
10 permit tcp any any eq www (16866 matches)
20 permit tcp any any eq 443 (15264 matches)
30 permit tcp any any eq 8080
40 permit udp any any eq domain (3742 matches)
50 permit icmp any any echo (5 matches)
60 deny ip any any (53 matches)
12-18-2015 07:18 PM
edited
12-18-2015 07:52 PM
OK; well, it looks like it still didn't work. I checked to make sure my computer firewall was disabled, which it was; I've searched different sites and still nothing with the inbound rules enabled. See the access-lists below: the first is from right after I added the configuration; the second is from when I was searching misc sites.
1.
Standard IP access list 50
10 permit 10.10.0.0, wildcard bits 0.0.255.255 (6609 matches)
Extended IP access list filter-inbond
10 permit udp any any eq domain
20 permit icmp any any echo-reply (4 matches)
110 permit tcp any eq www any established
120 permit tcp any eq 443 any established (3 matches)
130 permit tcp any eq 8080 any established
140 deny ip any any (4 matches)
Extended IP access list filter-outbond
10 permit tcp any any eq www (19786 matches)
20 permit tcp any any eq 443 (22022 matches)
30 permit tcp any any eq 8080
40 permit udp any any eq domain (8869 matches)
50 permit icmp any any echo (5 matches)
60 deny ip any any (56 matches)
2.
Standard IP access list 50
10 permit 10.10.0.0, wildcard bits 0.0.255.255 (7048 matches)
Extended IP access list filter-inbond
10 permit udp any any eq domain
20 permit icmp any any echo-reply (4 matches)
110 permit tcp any eq www any established (10 matches)
120 permit tcp any eq 443 any established (117 matches)
130 permit tcp any eq 8080 any established
140 deny ip any any (1754 matches)
Extended IP access list filter-outbond
10 permit tcp any any eq www (19804 matches)
20 permit tcp any any eq 443 (22114 matches)
30 permit tcp any any eq 8080
40 permit udp any any eq domain (10180 matches)
50 permit icmp any any echo (5 matches)
60 deny ip any any (56 matches)
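A small model of how IOS walks the extended ACLs traded back and forth in this thread, added here as an illustration; it is not code from the thread or from Cisco. It handles only the keywords the replies use (tcp/udp/icmp/ip, any and host, eq with the www and domain port names, established, echo and echo-reply, reflect and evaluate) and runs a few constructed packets through three lists: the inbound list as every `show access-lists` output above prints it (`permit udp any any eq domain`, destination port 53, zero matches every time), the same list with the DNS line as the replies posted it (`permit udp any eq domain any`, source port 53), and the reflexive pair from the first reply. 192.168.0.80 is the outside address from the thread and 72.21.91.8 is taken from the reflexive entries shown above; 203.0.113.5 and all port numbers are made up for the demo. It also shows the known difference between `established`, which only inspects flag bits and so passes any inbound segment carrying ACK from source port 80, 443 or 8080, and a reflexive entry, which admits only the exact reverse 5-tuple of a session that went out, and it reproduces the IOS behaviour that a named ACL with no entries permits everything, which is what was seen when the inbound list was emptied.

```python
"""Toy model of Cisco IOS extended-ACL evaluation, added as an illustration (not code
from the thread or from Cisco).  Handles only the keywords used in this thread: tcp/udp/
icmp/ip, any | host A.B.C.D, eq <port|www|domain>, established, echo[-reply], reflect/evaluate."""
from collections import namedtuple

PORT_KEYWORDS = {"www": 80, "domain": 53}
# flags: TCP flag names, e.g. {"SYN", "ACK"}; icmp_type: "echo" or "echo-reply"
Packet = namedtuple("Packet", "proto src dst sport dport flags icmp_type",
                    defaults=(0, 0, frozenset(), ""))


def parse_ace(line):
    """One ACL line -> dict of match fields."""
    t = line.split()
    if t[0] == "evaluate":
        return {"action": "evaluate", "name": t[1]}
    ace = {"action": t[0], "proto": t[1], "src": None, "sport": None, "dst": None, "dport": None}
    i = 2
    for side in ("src", "dst"):                 # address, then an optional 'eq <port>'
        if t[i] == "host":
            ace[side], i = t[i + 1], i + 2
        else:                                   # 'any'
            i += 1
        if i < len(t) and t[i] == "eq":
            ace[side[0] + "port"], i = PORT_KEYWORDS.get(t[i + 1]) or int(t[i + 1]), i + 2
    rest = t[i:]
    ace["established"] = "established" in rest
    ace["icmp_type"] = next((x for x in rest if x in ("echo", "echo-reply")), None)
    ace["reflect"] = rest[rest.index("reflect") + 1] if "reflect" in rest else None
    return ace


def ace_matches(ace, p):
    if ace["proto"] not in ("ip", p.proto):
        return False
    if (ace["src"] or p.src) != p.src or (ace["dst"] or p.dst) != p.dst:
        return False
    if ace["sport"] not in (None, p.sport) or ace["dport"] not in (None, p.dport):
        return False
    if ace["established"] and not ({"ACK", "RST"} & p.flags):   # checks flag bits only
        return False
    return not ace["icmp_type"] or ace["icmp_type"] == p.icmp_type


def evaluate(acl, p, reflexive):
    """First match wins; an ACL with no entries permits everything (IOS behaviour),
    otherwise the list ends in an implicit deny.  A 'reflect NAME' match stores the
    reverse 5-tuple so that 'evaluate NAME' in the other direction admits the replies."""
    if not acl:
        return "permit", "empty ACL"
    for line in acl:
        ace = parse_ace(line)
        if ace["action"] == "evaluate":
            if (p.proto, p.src, p.sport, p.dst, p.dport) in reflexive.get(ace["name"], ()):
                return "permit", line
        elif ace_matches(ace, p):
            if ace["reflect"]:
                reflexive.setdefault(ace["reflect"], set()).add((p.proto, p.dst, p.dport, p.src, p.sport))
            return ace["action"], line
    return "deny", "implicit deny"


# Inbound list exactly as every 'show access-lists' in the thread prints it:
# 'udp any any eq domain' matches packets sent TO port 53, but a DNS reply comes FROM port 53.
INBOUND_AS_APPLIED = ["permit udp any any eq domain", "permit icmp any any echo-reply",
                      "permit tcp any eq www any established", "permit tcp any eq 443 any established",
                      "permit tcp any eq 8080 any established", "deny ip any any"]
# Same list with the DNS line as the replies actually posted it.
INBOUND_AS_POSTED = ["permit udp any eq domain any"] + INBOUND_AS_APPLIED[1:]
# The reflexive pair from the first reply.
OUTBOUND_REFLEXIVE = ["permit tcp any any eq www reflect CHECK-TRAFFIC",
                      "permit tcp any any eq 443 reflect CHECK-TRAFFIC",
                      "permit tcp any any eq 8080 reflect CHECK-TRAFFIC",
                      "permit udp any any eq domain", "permit icmp any any echo", "deny ip any any"]
INBOUND_REFLEXIVE = ["permit udp any eq domain any", "permit icmp any any echo-reply",
                     "evaluate CHECK-TRAFFIC", "deny ip any any"]

NAT_IP = "192.168.0.80"   # outside address of FastEthernet0 in the thread
# Constructed packets: 72.21.91.8 is taken from the reflexive entries shown in the thread,
# 203.0.113.5 (documentation range) stands in for an uninvited scanner, ports are made up.
DNS_REPLY = Packet("udp", "8.8.8.8", NAT_IP, 53, 52000)
HTTP_SYN = Packet("tcp", NAT_IP, "72.21.91.8", 52451, 80, frozenset({"SYN"}))
HTTP_SYNACK = Packet("tcp", "72.21.91.8", NAT_IP, 80, 52451, frozenset({"SYN", "ACK"}))
ACK_PROBE = Packet("tcp", "203.0.113.5", NAT_IP, 80, 445, frozenset({"ACK"}))


def demo():
    """Verdict ('permit'/'deny') of each list for each constructed packet."""
    r = {"dns_reply_as_applied": evaluate(INBOUND_AS_APPLIED, DNS_REPLY, {})[0],
         "dns_reply_as_posted": evaluate(INBOUND_AS_POSTED, DNS_REPLY, {})[0],
         "established_synack": evaluate(INBOUND_AS_POSTED, HTTP_SYNACK, {})[0],
         "established_ack_probe": evaluate(INBOUND_AS_POSTED, ACK_PROBE, {})[0],
         "empty_inbound_list": evaluate([], ACK_PROBE, {})[0]}
    state = {}
    evaluate(OUTBOUND_REFLEXIVE, HTTP_SYN, state)   # the outbound SYN creates the reflexive entry
    r["reflexive_synack"] = evaluate(INBOUND_REFLEXIVE, HTTP_SYNACK, state)[0]
    r["reflexive_ack_probe"] = evaluate(INBOUND_REFLEXIVE, ACK_PROBE, state)[0]
    return r
```

Calling `demo()` returns the verdicts. The one packet the as-applied inbound list drops is the DNS reply: it falls through to `deny ip any any`, whereas the list as posted permits it. That is consistent with what the thread shows, since the DHCP pool hands the LAN clients external resolvers (192.168.0.1, 8.8.8.8, 8.8.4.4, 4.2.2.4) whose answers must cross the outside interface inbound, while the successful pings were sent by IP address and never needed port 53. The reflexive entries printed above carry 192.168.0.80 rather than a 10.10.0.x host because on the outside interface the outbound ACL sees packets after inside-to-outside NAT and the inbound ACL sees them before outside-to-inside NAT, so a reflexive list built on that interface has to be keyed on the translated address, which the output confirms.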
12-18-2015 07:54 PM
Try this one. I made a change. Remove everything. I had overlooked something.
ip access-list extended filter-inbond
permit udp any eq domain any
permit icmp any any echo-reply
permit tcp any eq www any established
permit tcp any eq 443 any established
permit tcp any eq 8080 any established
deny ip any any
ip access-list extended filter-outbond
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
permit udp any any eq domain
permit icmp any any echo
deny ip any any
interface FastEthernet0
description OUT
ip access-group filter-inbond in
ip access-group filter-outbond out